• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1824
  • Last Modified:

DHCP Relay for Cisco ASA 5505.

I would like to configure my Cisco ASA for DHCP relay and ACLs.

I'm unsure of how to point the ASA to our Cisco Router which handles the DHCP.

Wall -> Cisco 857 Router-> Cisco ASA 5505

I have the Router plugged into the Cisco ASA's outside interface.

The Cisco Router is at and is handing out IPs in a DHCP pool of

I would like devices connected to the ASA to receive IPs from the Cisco Router and exist on the same subnet... At least until we upgrade to a Security Plus license which would allow for DMZ deployment and multiple VLANs.

When I enter these commands into the Cisco ASA, devices connected to en1-en7 only seem to receive self-assigned IPs.

in Vlan2
ip dhcp setroute (So that the outside interface (Vlan2) receives DHCP from the Cisco Router)
clear config dhcpd
dhcprelay server outside
dhcprelay enable inside

The outside interface does receive an IP from the Router in the 10.0.0.x subnet.

It seems that the DHCP is not passing through.

The idea behind the deployment is that I want the Cisco ASA to handle the firewall.

Currently, my Xserve is also acting as a firewall and I'm not comfortable with that.

Thanks in advance for your help.

I will post a sh run tomorrow...
  • 3
  • 2
1 Solution
You need to set the firewall in transparent mode for it to work like all client were directly behind the router else the firewall will be in layer 3 mode.

iBreatheAuthor Commented:
According to that wiki link, NAT and VPN termination for through traffic are not supported.

Is this true even if I would add access lists?  

It sounds like according to the Wiki I could not have a Web server behind the ASA.

iBreatheAuthor Commented:
To clarify...

Last sentence beginning with "It sounds like..." edited to:

"It sounds like according to the Wiki I could not have a Web Server behind the ASA - while the ASA is in transparent mode..."
Thats  right if you intent you have NAT running you need the ASA in routed mode. There is no way you can have you servers behind the ASA, while getting IP addresses from the router that is in the same subnet as the ASAs outside interface and the routers inside interface unless its transparent (Atleast that what I read you wanted to do).

iBreatheAuthor Commented:
This means I will probably have to resort to a config that uses DMZ.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now