We have a easy vpn connection between a asa5505 (Client) and a pix515 (server) which works fine except the dhcp-relay. The problem is that the dhcp request from the client behind the asa is blocked on the pix because the asa sends the request with the outside interface ip address. The asa get's the outside ip address dynamically from the ISP over PPPoE. If the dhcp request would be send with the inside interface ip address it would work. I didn't find a way to solve the problem. Is it even possible to solve the problem the way I want it?
This is the correct behavior of the ASA for DHCP relay. the ASA will use the egress interface IP address weather you configure NATing or not, this by design on the ASA and PIX code, unfortunately there is no method of forcing the ASA to change the IP address used to relay the DHCP request.
The only way to work around this issue is to include the IP address of the outside interface through the tunnel when communicating with the DHCP server.
I hope you can locate a static IP address for the ASA from your ISP to be able to get this working.
it's really annoying. You want to use tftp -> asa uses outside IP. You want to use CiscoWorks RMA for sync archive -> for some reasons I don't know the outside IP of the asa is used and I didn't definitely configure the outside IP in Works.
For an intelligent use of the asa you need a static IP address on the outside interface. But that's not common for ADSL connections in Germany. You have to pay some euro's more for it per month.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...