stuvstuv asked:

How do I enable DHCP Relay to a Windows DHCP Server, through an IPSEC tunnel between two Cisco ASA devices?

I have Windows 2003 Server running DHCP to a flat 192.0.x.0 network.  The gateway of this net is a Cisco ASA 5510.  

A remote branch connects with an IPSEC tunnel, and IP communication is confirmed between hosts on the inside of each ASA.

I have enabled DHCP Relay on remote site.

dhcprelay server 192.168.2.1 outside
dhcprelay enable inside
dhcprelay setroute inside

I create a scope for this on the DHCP Server.

On the HQ ASA, I have this config


dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

but it seems as if this is not working, am I doing something wrong?

Stavros
Tags: Hardware Firewalls, Networking Hardware-Other, Server Hardware

dineesh

Hi, check your IPsec VPN setting; you might have to mention the DHCP server there so that when a tunnel is established, it will look for the DHCP server. I use Fortinet and I have configured it in a similar fashion.
ASKER
stuvstuv

Do you know what command that would be exactly?
sharedit

I have done similar things with the:
ip helper-address X.X.X.X (IP of the remote DHCP server)

I've not done this through a VPN tunnel, but if the traffic is permitted I don't know why it wouldn't work.

That command would go on the interface (FastEthernet0/1) or the VLAN interface.
ck459

As per Cisco prerequisites, this will not work:

Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router
In your case, you are sending your request through another relay agent, which will not work.
More info can be found here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml
I would also try to use the ip helper-address setup if possible (you will need a router or L3 switch for that).
Kurt

ASKER
stuvstuv

That does not really make sense.

Surely with Cisco ASA Site-to-Site VPN Tunnel, I can have centralised DHCP Infrastructure on my Windows Server.

I have read the above article several times.

The remote site will have dhcp relay to HQ DHCP Server.  DHCPDISCOVER will be sent as broadcast at remote site, Cisco ASA DHCP Relay will collect all broadcast, and forward this as Unicast to the DHCP Server that is specified.

sharedit

have you, or have you not tried the ip helper-address command?

Here is a link to a kind of lame article. The only reason I posted it is because it says forwarding DHCP broadcasts is done with the ip helper command.

http://routergod.com/trinity/
ASKER
stuvstuv

Hi there

If I was using an IOS-based router, that would definitely have solved my problem.

However, this is a Cisco ASA to Cisco ASA solution.

Stavros
sharedit

Ah, my apologies.

From what I read in Cisco's own config guides, the relay commands are used on the interface where the clients are trying to get DHCP addresses.

So I am not sure why you would need any DHCP relay on your HQ site.

Your setup on the remote end appears to be correct, if 192.168.2.1 is your DHCP server.
If not, you would want to make that change.

If you have a VPN tunnel up and working I would think you should be able to hit the DHCP server, if you have access-lists permitting IP traffic from both subnets. You may need to add access-lists for port 68.

I'm sure you have a reason for not using the dhcpd on the ASA; management possibly.
ASKER
stuvstuv

Hi there

Yes, I do not want to use the dhcpd on the ASA; this is due to centralised management.
Communication between the two networks works fine as expected, except for the dhcprelay.
ck459

Can you debug what is happening?

debug dhcprelay event
debug dhcprelay packet

Can you send the results to share with us?
ck459

Why do you have this config:
dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

on the HQ FW?

And what is the IP address of the DHCP server? If it is 192.0.2.1, then you should not configure the DHCP relay on the HQ ASA, and modify the remote side config so that the dhcprelay server is 192.0.2.1 and not 192.168.2.1.
ASKER
stuvstuv

Hi there

I have realised that this component,

dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

is not needed on HQ ASA.

I have removed this.


On the remote site ASA, 192.168.2.1 was also an error; it should be

dhcprelay server 192.0.2.1 outside
dhcprelay enable inside
dhcprelay setroute inside

Sorry about the confusion....

It is still not working though. I am starting to resent using the Cisco ASA 5505 at the remote site, because I know that with a C871-K9 this would have been a breeze to configure....
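As an added illustration (not part of the thread, nor Cisco or Microsoft code) of what the relay mechanism described earlier does with a DHCPDISCOVER and why the corrected remote-site config points at 192.0.2.1 via the outside interface: the model below builds a minimal DISCOVER, relays it the way a client-facing relay agent does (giaddr stamped with the inside interface address, forwarded unicast UDP 67 to 67 to the server), shows the server choosing the scope from giaddr, and relays the reply back. The remote ASA inside address 192.168.2.254 is a constructed assumption; the server address 192.0.2.1 is the one from the corrected config.

```python
import struct, ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumptions): remote ASA inside interface 192.168.2.254;
# the HQ DHCP server is 192.0.2.1 as in the corrected remote-site config.
RELAY_INSIDE_IP = "192.168.2.254"
DHCP_SERVER = "192.0.2.1"
MAGIC_COOKIE = b"\x63\x82\x53\x63"

@dataclass
class Datagram:  # a UDP datagram as it would appear on the wire
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER: op=1, htype=1, hlen=6, hops=0, broadcast flag, giaddr=0.0.0.0."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"", b"", b"", b"", mac, b"", b"")   # struct pads short 's' fields with NULs
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])     # option 53 = DISCOVER, 255 = end

def ip_at(payload: bytes, off: int) -> str:
    return ".".join(str(b) for b in payload[off:off + 4])  # yiaddr at offset 16, giaddr at 24

def relay_to_server(frame: Datagram, relay_ip=RELAY_INSIDE_IP, server=DHCP_SERVER) -> Datagram:
    """'dhcprelay enable inside': take the client broadcast, stamp giaddr with the inside
    interface address if it is still zero, bump hops, unicast it to the server UDP 67 -> 67."""
    p = bytearray(frame.payload)
    if p[0] != 1 or frame.dport != 67:
        raise ValueError("not a BOOTP request on the server port")
    p[3] += 1
    if p[24:28] == b"\0" * 4:
        p[24:28] = bytes(int(o) for o in relay_ip.split("."))
    return Datagram(relay_ip, 67, server, 67, bytes(p))

def relay_to_client(reply: Datagram, relay_ip=RELAY_INSIDE_IP) -> Datagram:
    """The server answers to giaddr on UDP 67; the relay hands it to the inside segment,
    broadcast to port 68 if the client set the broadcast flag, else unicast to yiaddr."""
    p = reply.payload
    if p[0] != 2 or reply.dst != relay_ip or reply.dport != 67:
        raise ValueError("not a BOOTP reply addressed to this relay")
    broadcast = struct.unpack("!H", p[10:12])[0] & 0x8000
    return Datagram(relay_ip, 67, "255.255.255.255" if broadcast else ip_at(p, 16), 68, p)

def scope_for(giaddr: str, scopes: dict):
    """A DHCP server picks the scope from giaddr (not the tunnel source), hence the HQ scope."""
    return next((n for net, n in scopes.items()
                 if ipaddress.ip_address(giaddr) in ipaddress.ip_network(net)), None)
```

Note that both legs across the tunnel are UDP 67 to 67 between the relay's inside address and the server, so that is the traffic the tunnel ACLs and crypto map must cover, and a relay on the HQ ASA's outside interface would add a second hop that the relay agent on the branch does not need.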
ASKER
stuvstuv

Any thoughts?
sharedit

Do you have access lists for traffic between the two networks? Post the configs.
ricks_v

I've done the same with still no luck.
have you got this working?
ASKER CERTIFIED SOLUTION
stuvstuv
