
How do I enable DHCP Relay to a Windows DHCP Server, through an IPSEC tunnel between two Cisco ASA devices?

5,922 Views
Last Modified: 2012-05-05
I have Windows 2003 Server running DHCP to a flat 192.0.x.0 network. The gateway of this net is a Cisco ASA 5510.

A remote branch connects with an IPSEC tunnel, and IP communication is confirmed between hosts on the inside of each ASA.

I have enabled DHCP Relay on remote site.

dhcprelay server 192.168.2.1 outside
dhcprelay enable inside
dhcprelay setroute inside

I have created a scope for this on the DHCP Server.

On the HQ ASA, I have this config:

dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

but it seems as if this is not working. Am I doing something wrong?

Stavros

Commented:
Hi, check your IPsec VPN settings; you might have to mention the DHCP server there so that when a tunnel is established, it will look for the DHCP server. I use Fortinet and I have configured it in a similar fashion.

Author

Commented:
Do you know what command that would be exactly?

Commented:
I have done similar things with the:
ip helper-address X.X.X.X (IP of the remote DHCP server)

I've not done this through a VPN tunnel, but if the traffic is permitted I don't know why it wouldn't work.

That command would go on the interface (FastEthernet0/1) or the VLAN interface.

Commented:
As per Cisco prerequisites, this will not work:

"Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router."
In your case, you are sending your request through another relay agent, which will not work.
More info can be found here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml
I would also try to use the ip helper-address setup if possible (you will need a router or L3 switch for that)
Kurt

Author

Commented:
That does not really make sense.

Surely with Cisco ASA Site-to-Site VPN Tunnel, I can have centralised DHCP Infrastructure on my Windows Server.

I have read the above article several times.

The remote site will have DHCP relay to the HQ DHCP Server. DHCPDISCOVER will be sent as a broadcast at the remote site; the Cisco ASA DHCP relay will collect all broadcasts and forward them as unicast to the DHCP server that is specified.
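As an added illustration of the relay behaviour described in the post above (this is not code from the thread, from Cisco, or from the ASA; it models the generic RFC 1542 relay-agent step), the following Python builds a client DHCPDISCOVER and shows what a relay does to it before forwarding it as unicast to 192.0.2.1. The client MAC, the transaction ID and the use of 192.168.2.1 as the relay's client-facing address (giaddr) are assumptions.

```python
import socket
import struct

# Constructed sample values (not from the thread): a client MAC and the
# remote relay's client-facing address used as giaddr. 192.0.2.1 is the
# HQ DHCP server address from the question.
CLIENT_MAC = bytes.fromhex("0011223344aa")
RELAY_IP = "192.168.2.1"
SERVER_IP = "192.0.2.1"

def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER as a client broadcasts it: 236-byte BOOTP header
    (RFC 2131 figure 1), magic cookie, option 53 = DISCOVER, end option."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,                  # op=BOOTREQUEST, htype=ether, hlen=6, hops=0
                      xid, 0, 0x8000,              # xid, secs, flags (broadcast bit set)
                      bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr yiaddr siaddr giaddr
                      mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"

def parse_header(pkt: bytes) -> dict:
    """Pull out the fields a relay agent and a DHCP server look at."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "giaddr": socket.inet_ntoa(pkt[24:28]),
            "chaddr": pkt[28:28 + hlen].hex()}

def relay_to_server(pkt: bytes, relay_ip: str, server_ip: str):
    """Relay-agent handling of a client broadcast (RFC 1542 section 4.1):
    bump hops, set giaddr to the relay's address on the client subnet if it
    is still 0.0.0.0, then forward as unicast UDP 67 -> 67 to the server.
    The server selects the scope from giaddr, which is why the remote subnet
    needs its own scope on the central server. Returns the rewritten packet
    and the IP/UDP envelope it travels in (this is the flow that must be
    permitted across the tunnel)."""
    if pkt[0] != 1:
        raise ValueError("only BOOTREQUEST packets are relayed toward the server")
    hops = pkt[3] + 1
    if hops > 16:                      # loop protection required by RFC 1542
        raise ValueError("hop count exceeded, dropping")
    giaddr = pkt[24:28] if pkt[24:28] != bytes(4) else socket.inet_aton(relay_ip)
    out = pkt[:3] + bytes([hops]) + pkt[4:24] + giaddr + pkt[28:]
    envelope = {"src": relay_ip, "dst": server_ip, "sport": 67, "dport": 67}
    return out, envelope

if __name__ == "__main__":
    broadcast = build_discover(CLIENT_MAC)
    relayed, env = relay_to_server(broadcast, RELAY_IP, SERVER_IP)
    print(parse_header(broadcast))
    print(parse_header(relayed), env)
```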

Commented:
Have you, or have you not, tried the ip helper-address command?

Here is a link to a kind of lame article. The only reason I posted it is because it says forwarding DHCP broadcasts is done with the ip helper command.

http://routergod.com/trinity/

Author

Commented:
Hi there

If I were using an IOS-based router, that would definitely have solved my problem.

However, this is a Cisco ASA to Cisco ASA solution.

Stavros

Commented:
Ah, my apologies.

From what I read in Cisco's own config guides, the relay commands are used on the interface where the clients are trying to get DHCP addresses.

So I am not sure why you would need any DHCP relay on your HQ site.

Your setup on the remote end appears to be correct, if 192.168.2.1 is your DHCP server.
If not, you would want to make that change.

If you have a VPN tunnel up and working I would think you should be able to hit the DHCP server, if you have access-lists permitting IP traffic from both subnets. You may need to add access-lists for port 68.

I'm sure you have a reason for not using the dhcpd on the ASA; management possibly.

Author

Commented:
Hi there

Yes, I do not want to use the dhcpd on the ASA; this is due to centralised management.
Communication between the two networks works fine as expected, except for the dhcprelay.

Commented:
Can you debug what is happening?

debug dhcprelay event
debug dhcprelay packet

Can you send the results to share with us?

Commented:
Why do you have this config:
dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

on the HQ FW?

And what is the IP address of the DHCP server? If it is 192.0.2.1, then you should not configure the DHCP relay on the HQ ASA, and you should modify the remote side config so that the dhcprelay server is 192.0.2.1 and not 192.168.2.1.

Author

Commented:
Hi there

I have realised that this component,

dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

is not needed on HQ ASA.

I have removed this.

On the remote site ASA, 192.168.2.1 was also an error; it should be

dhcprelay server 192.0.2.1 outside
dhcprelay enable inside
dhcprelay setroute inside

Sorry about the confusion....

It is still not working though. I am starting to resent using the Cisco ASA 5505 at the remote site, because I know that with a C871-K9 this would have been a breeze to configure....

Author

Commented:
Any thoughts?

Commented:
Do you have access lists for traffic between the two networks? Post the configs.

Commented:
I've done the same with still no luck.
Have you got this working?