Solved

Need Help with dhcprelay agent on new PIX

Posted on 2004-04-08
Last Modified: 2013-11-16
I just purchased a PIX 515 and need to have it set up to pass DHCP request to a server on another network.
The setup is as follows
                    Outside
                       |
                   Cisco 2600
                  /          \
     10.2.0.20 (DHCP)     171.31.1.2
                             PIX
                              |
           (network to receive 192.168.x.x from DHCP)

I have set up the dhcprelay with the server being 10.2.0.20 on the outside and enabled it on the inside. I can see
the DHCP requests in the dhcprelay statistics but no replies, and nothing is going out on the outside interface. I also
removed the 2600 from the equation by connecting the outside interface of the PIX to the 10.2.x.x network. I am sure I am missing something simple here, but being that this is my first PIX, I can't see it. What am I missing? Can anyone help with this?
Question by:kmcclinton

16 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10783157
Can you post result of show dhcprelay
0
 

Author Comment

by:kmcclinton
ID: 10783211
The sh dhcprelay statistics shows the discover counter being incremented, but everything else remains 0.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10783670
Not the statistics, but simply "show dhcprelay"

Do you have something like:
dhcprelay server 10.2.0.20 outside
dhcprelay enable inside

Do you have the scope setup properly on the DHCP server itself?
Have you checked any log entries on the server to see if it is actually receiving the request?

0
 

Author Comment

by:kmcclinton
ID: 10783779
Sorry for not answering your question correctly. Yes, that is exactly what the sh dhcprelay gives, plus a timeout of 60,
and yes, the scope is set up correctly on the DHCP server. I tested this by making the outside interface ip auto_config
and had the outside interface moved to that network to get an IP from this server. I placed a sniffer on the network and saw the request from the outside interface, but I don't see anything from that interface when the inside is requesting a DHCP discover. I also do not see, and I would expect to see, the DHCP Request count increment when I do a sh dhcprelay statistics. Am I wrong in this?
0
 

Expert Comment

by:George Coles
ID: 10785978
Can both networks "see" each other?  If you give the device on the 192.168 network a hard address, can it ping the DHCP server?  Can the DHCP server ping the hard address on the 192.168 network?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10786260
What subnet addresses are you trying to give the clients?
0
 

Author Comment

by:kmcclinton
ID: 10786282
I have not hard coded the addresses yet but will try now. I am trying to give the clients 192.168.x.x addresses.
0
 

Author Comment

by:kmcclinton
ID: 10786601
To follow up with osccoles: no, I cannot ping the other network with a static IP.
0
 

Assisted Solution

by:George Coles
George Coles earned 250 total points
ID: 10786615
More than likely, your DHCP machine doesn't know how to return the info. Check the router; it probably needs a route statement in it pointing traffic for the 192.168 network to the pix.
0
 

Author Comment

by:kmcclinton
ID: 10786647
? I don't understand. If I have dhcprelay server set for 10.2.0.20 (say) and enabled on the inside, would not the forwarded packets to 10.2.0.20 have source addresses of my outside router?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 10786692
>I can not ping the other network with a static IP
Have you explicitly permitted icmp replies back in through the PIX?
#Try adding an access-list
access-list outside_in permit icmp any any echo-reply

#also try adding an access-list to permit the DHCP response to come back in:

access-list outside_in permit udp host 10.2.0.20 eq 68 any

#re-apply the access-list to the interface
access-group outside_in in interface outside

The dhcprelay command lets the UDP 67 broadcasts out, but I think you may have to explicitly permit the UDP 68 reply back in.

0
 

Expert Comment

by:George Coles
ID: 10786699
Yes, but the packet coming from the server would be targeted for the 192.168 interface of the pix. The router, without a static route pointing traffic for the 192.168 network to the pix, would not know how to forward the packet, and would drop it.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 10786720
D'OH!
OK, your PIX has a public IP address on outside.
Server is connected to router's 2nd Ethernet interface
The ROUTER is blocking the DHCP request
Try adding on the router interface, assuming Eth 0/0 connects to PIX:

Interface Eth 0/0
 ip helper-address 10.2.0.20
!

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10786737
Ditto osccoles' idea.
The router must also have a route for the 192.168.x.x address pointing to the PIX:

ip route 192.168.x.0 255.255.255.0 171.31.1.2

I think you would be so much happier ( and have fewer holes in your security perimeter) if you simply use the DHCPD server on the PIX itself...

0
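The two points made above (George Coles: the server's reply is addressed to the PIX's 192.168 interface; lrmoore: the router therefore needs a static route for that subnet pointing at the PIX) can be checked with a small model of the relayed exchange. This is an added example, not code from the thread or from Cisco. It follows the RFC 2131 packet layout and relay behaviour (giaddr set to the receiving interface, reply unicast back to giaddr). The addresses 10.2.0.20 and 171.31.1.2 come from the question; the PIX inside address 192.168.1.1, the server scope, and the router's route tables are constructed assumptions.

```python
"""
Model of the relayed DHCP exchange from the thread (added example, not from the
thread or from Cisco). 10.2.0.20 and 171.31.1.2 are from the question; the PIX
inside address, the server scope and the route tables are constructed.
"""
import ipaddress
import struct

PIX_INSIDE = "192.168.1.1"      # assumed inside interface address of the PIX
PIX_OUTSIDE = "171.31.1.2"      # from the diagram in the question
DHCP_SERVER = "10.2.0.20"       # from the question
SCOPES = {"192.168.1.0/24": ["192.168.1.50"]}   # constructed server scope

# Router tables (constructed, IOS-style). The first is what the thread implies the
# 2600 has; the second adds the static route both experts asked for, i.e.
#   ip route 192.168.1.0 255.255.255.0 171.31.1.2
ROUTES_MISSING = {"10.2.0.0/24": "connected", "171.31.1.0/24": "connected", "0.0.0.0/0": "isp"}
ROUTES_FIXED = {**ROUTES_MISSING, "192.168.1.0/24": PIX_OUTSIDE}

MAGIC = b"\x63\x82\x53\x63"                     # DHCP option cookie
FMT = "!BBBBIHH4s4s4s4s16s64s128s"               # RFC 2131 fixed header, 236 bytes

def _ip(s):
    return ipaddress.IPv4Address(s).packed

def build_discover(client_mac, xid=0x3903F326):
    """DHCPDISCOVER as the client broadcasts it: giaddr 0.0.0.0, option 53 = 1."""
    zero = _ip("0.0.0.0")
    hdr = struct.pack(FMT, 1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1, 255])

def parse(pkt):
    """Decode the header fields this model cares about plus the option list."""
    op, _, hlen, hops, xid, _, flags, _, yi, _, gi, chaddr, _, _ = struct.unpack(FMT, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:             # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(yi)),
            "giaddr": str(ipaddress.IPv4Address(gi)), "chaddr": chaddr[:hlen], "options": opts}

def relay_forward(pkt, ingress_ip):
    """What the relay agent does: stamp giaddr with the address of the interface the
    request arrived on (if still zero), bump hops, and unicast it to the server on 67."""
    buf = bytearray(pkt)
    buf[3] += 1
    if buf[24:28] == b"\0\0\0\0":
        buf[24:28] = _ip(ingress_ip)
    return DHCP_SERVER, 67, bytes(buf)

def server_offer(pkt):
    """Server picks the scope containing giaddr and unicasts the OFFER back to giaddr."""
    req = parse(pkt)
    gi = ipaddress.IPv4Address(req["giaddr"])
    pool = next((p for net, p in SCOPES.items() if gi in ipaddress.IPv4Network(net)), None)
    if pool is None:
        return None                 # no matching scope: the server stays silent
    buf = bytearray(pkt)
    buf[0] = 2                      # BOOTREPLY
    buf[16:20] = _ip(pool[0])       # yiaddr: the offered lease
    buf[20:24] = _ip(DHCP_SERVER)   # siaddr
    offer = bytes(buf[:240]) + bytes([53, 1, 2, 54, 4]) + _ip(DHCP_SERVER) + bytes([255])
    return req["giaddr"], 67, offer

def router_next_hop(dst_ip, routes):
    """Longest-prefix match over the constructed static route table."""
    dst, best = ipaddress.IPv4Address(dst_ip), None
    for prefix, nh in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def simulate(routes):
    """DISCOVER -> relay -> router -> server -> router -> relay; report where it ends up."""
    dst, _, relayed = relay_forward(build_discover(bytes.fromhex("0050569a1234")), PIX_INSIDE)
    if router_next_hop(dst, routes) is None:
        return {"result": "DISCOVER dropped at router", "yiaddr": None}
    reply = server_offer(relayed)
    if reply is None:
        return {"result": "server found no scope for giaddr", "yiaddr": None}
    dst, _, offer = reply
    nh = router_next_hop(dst, routes)
    if nh != PIX_OUTSIDE:
        return {"result": f"OFFER for {dst} sent towards {nh}, never reaches the PIX", "yiaddr": None}
    got = parse(offer)              # relay would now forward this to the client on inside, port 68
    return {"result": "OFFER relayed to client", "yiaddr": got["yiaddr"], "giaddr": got["giaddr"]}

if __name__ == "__main__":
    for name, table in (("without route", ROUTES_MISSING), ("with route", ROUTES_FIXED)):
        print(f"{name}: {simulate(table)}")
```

Run without the extra route and the OFFER, addressed to 192.168.1.1, follows the router's default route away from the PIX; with it, the next hop is 171.31.1.2 and the relay gets a lease to hand to the client. It also shows why the author's sniffer on the 10.2.x.x side could see a DISCOVER from the PIX's own outside address (the `ip auto_config` test) but nothing relayed: the relayed packet carries the inside interface as giaddr, so the whole reply path hinges on that subnet being routable from the server's side.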
 
LVL 79

Expert Comment

by:lrmoore
ID: 10786747
Also, can we assume that you actually assigned a 192.168.x.x IP address to your inside interface of the PIX?
0
 

Author Comment

by:kmcclinton
ID: 10787584
Gentlemen,
Thank you for responding with great things to try. Unfortunately I am at home now and cannot try these solutions. I will try again in the a.m. I think lrmoore hit it on the head with "I think you would be so much happier (and have fewer holes in your security perimeter) if you simply use the DHCPD server on the PIX itself..." I totally agree, especially if I have to keep a port open. Having the remote DHCP is not my idea but the idea of an IT person with a sister company who has PCs on my network (they are the 10.2.x.x network). Quite frankly I'd rather sever that "relationship" anyway. I will look at this in the morning and reply then. Thanks to you both. :-) And yes, I do have the 192.168.x.x assigned to the inside interface. Also, the return packet destination is something to look at because we had an issue like this for NW/IP on their side. And I already have a helper statement on the 2600, but this is not the issue because I removed the pix from that interface and connected it to the switch on the 10.2.x.x network.

0
