stuvstuv (Cyprus) asked:
How do I enable DHCP Relay to a Windows DHCP Server, through an IPSEC tunnel between two Cisco ASA devices?

I have Windows 2003 Server running DHCP to a flat 192.0.x.0 network. The gateway of this net is a Cisco ASA 5510.

A remote branch connects with an IPSEC tunnel, and IP communication is confirmed between hosts on the inside of each ASA.

I have enabled DHCP Relay on remote site.

dhcprelay server 192.168.2.1 outside
dhcprelay enable inside
dhcprelay setroute inside

I create a scope for this on the DHCP Server.

On the HQ ASA, I have this config


dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

but it seems as if this is not working. Am I doing something wrong?

Stavros

dineesh (India):

Hi, check your IPsec VPN settings; you might have to specify the DHCP server there so that when a tunnel is established, it will look for the DHCP server. I use Fortinet and I have configured it in a similar fashion.
stuvstuv (asker):

Do you know what command that would be exactly?
sharedit:

I have done similar things with the:
ip helper-address X.X.X.X (IP of the remote DHCP server)

I've not done this through a VPN tunnel, but if the traffic is permitted I don't know why it wouldn't work.

That command would go on the interface (FastEthernet0/1) or the VLAN interface.
ck459 (Belgium):

As per Cisco prerequisites, this will not work:

Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router.
In your case, you are sending your request through another relay agent, which will not work.
More info can be found here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml
I would also try to use the ip helper-address setup if possible (you will need a router or L3 switch for that)
Kurt

stuvstuv (asker):

That does not really make sense.

Surely with Cisco ASA Site-to-Site VPN Tunnel, I can have centralised DHCP Infrastructure on my Windows Server.

I have read the above article several times.

The remote site will have DHCP relay to the HQ DHCP server. DHCPDISCOVER will be sent as broadcast at the remote site; the Cisco ASA DHCP relay will collect all broadcasts and forward them as unicast to the DHCP server that is specified.

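The relay behaviour described in the post above (client broadcast collected, giaddr stamped, request unicast to the server on UDP 67, server picking a scope from giaddr) as an added worked model in Python; this is not code from the thread or from Cisco. The remote ASA inside address 192.168.2.254 and the client MAC are constructed sample values; 192.0.2.1 is the DHCP server the thread settles on.

```python
import struct
from ipaddress import ip_address, ip_network

BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed sample DHCPDISCOVER as a client broadcasts it (giaddr = 0.0.0.0)."""
    zero = b"\x00" * 4
    # op, htype, hlen, hops, xid, secs, flags(broadcast), ciaddr, yiaddr, siaddr, giaddr
    hdr = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      zero, zero, zero, zero)
    chaddr = client_mac.ljust(16, b"\x00")
    sname_file = b"\x00" * (64 + 128)
    options = DHCP_MAGIC + bytes([53, 1, 1, 255])   # option 53 = DHCPDISCOVER, then END
    return hdr + chaddr + sname_file + options


def relay(packet: bytes, relay_ip: str, server_ip: str):
    """Model of what a relay agent (the ASA's dhcprelay) does with a client broadcast:
    stamp giaddr with its client-facing interface address unless an earlier relay
    already did, bump hops, and return the packet plus its unicast destination.
    The unicast is sourced by the relay itself, not by a client subnet address, so
    that relay-to-server flow is what must be permitted between the two sites."""
    op, htype, hlen, hops = struct.unpack("!BBBB", packet[:4])
    if op != BOOTREQUEST:
        raise ValueError("only client-to-server messages are forwarded this way")
    giaddr = packet[24:28]
    if giaddr == b"\x00" * 4:      # first relay on the path sets giaddr; later ones keep it
        giaddr = ip_address(relay_ip).packed
    out = bytes([op, htype, hlen, hops + 1]) + packet[4:24] + giaddr + packet[28:]
    return out, (server_ip, 67)


def select_scope(packet: bytes, scopes: dict):
    """Server-side scope choice: a relayed request is matched on giaddr, which is why
    the HQ server needs a scope for a remote subnet it is not directly connected to."""
    giaddr = ip_address(packet[24:28])
    if giaddr == ip_address("0.0.0.0"):
        return None                # not relayed: server uses its receiving interface's subnet
    for name, net in scopes.items():
        if giaddr in ip_network(net):
            return name
    return None


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122334455"))          # constructed client MAC
    relayed, dst = relay(pkt, "192.168.2.254", "192.0.2.1")     # assumed remote ASA inside IP
    print(dst, ip_address(relayed[24:28]), select_scope(relayed, {"remote": "192.168.2.0/24"}))
```
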
sharedit:

Have you, or have you not, tried the ip helper-address command?

Here is a link to a kind of lame article. The only reason I posted it is because it says forwarding DHCP broadcasts is done with the ip helper command.

http://routergod.com/trinity/
stuvstuv (asker):

Hi there

If I were using an IOS-based router, that would definitely have solved my problem.

However, this is a Cisco ASA to Cisco ASA solution.

Stavros
sharedit:

Ah, my apologies.

From what I read in Cisco's own config guides, the relay commands are used on the interface where the clients are trying to get DHCP addresses.

So I am not sure why you would need any DHCP relay on your HQ site.

Your setup on the remote end appears to be correct, if 192.168.2.1 is your DHCP server.
If not, you would want to make that change.

If you have a VPN tunnel up and working, I would think you should be able to hit the DHCP server, if you have access lists permitting IP traffic from both subnets. You may need to add access lists for port 68.

I'm sure you have a reason for not using the dhcpd on the ASA; management possibly.
stuvstuv (asker):

Hi there

Yes, I do not want to use the dhcpd on the ASA; this is due to centralised management.
Communication between the two networks works fine as expected, except for the dhcprelay.
ck459 (Belgium):

Can you debug what is happening?

debug dhcprelay event
debug dhcprelay packet

Can you send the results to share with us?
ck459 (Belgium):

Why do you have this config:
dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

on the HQ FW?

And what is the IP address of the DHCP server? If it is 192.0.2.1, then you should not configure the DHCP relay on the HQ ASA, and you should modify the remote side config so that the dhcprelay server is 192.0.2.1 and not 192.168.2.1.
stuvstuv (asker):

Hi there

I have realised that this component,

dhcprelay server 192.0.2.1 lan
dhcprelay enable outside
dhcprelay timeout 60

is not needed on HQ ASA.

I have removed this.

On the remote site ASA, 192.168.2.1 was also an error; it should be

dhcprelay server 192.0.2.1 outside
dhcprelay enable inside
dhcprelay setroute inside

Sorry about the confusion...

It is still not working though. I am starting to resent using the Cisco ASA 5505 at the remote site, because I know that with a C871-K9 this would have been a breeze to configure...
stuvstuv (asker):

Any thoughts?
sharedit:

Do you have access lists for traffic between the two networks? Post the configs.
ricks_v:

I've done the same with still no luck.
Have you got this working?
ASKER CERTIFIED SOLUTION (stuvstuv):
