

DHCP Relay for Cisco ASA 5505.

Posted on 2009-02-22
Medium Priority
Last Modified: 2012-05-06
I would like to configure my Cisco ASA for DHCP relay and ACLs.

I'm unsure of how to point the ASA to our Cisco Router which handles the DHCP.

Wall -> Cisco 857 Router-> Cisco ASA 5505

I have the Router plugged into the Cisco ASA's outside interface.

The Cisco Router is at and is handing out IPs in a DHCP pool of

I would like devices connected to the ASA to receive IPs from the Cisco Router and exist on the same subnet... At least until we upgrade to a Security Plus license which would allow for DMZ deployment and multiple VLANs.

When I enter these commands into the Cisco ASA, devices connected to en1-en7 only seem to receive self-assigned IPs.

in Vlan2
ip dhcp setroute (So that the outside interface (Vlan2) receives DHCP from the Cisco Router)
clear config dhcpd
dhcprelay server outside
dhcprelay enable inside

The outside interface does receive an IP from the Router in the 10.0.0.x subnet.

It seems that the DHCP is not passing through.

The idea behind the deployment is that I want the Cisco ASA to handle the firewall.

Currently, my Xserve is also acting as a firewall and I'm not comfortable with that.

Thanks in advance for your help.

I will post a sh run tomorrow...
Question by:iBreathe

Expert Comment

ID: 23710013
You need to set the firewall in transparent mode for it to work as if all clients were directly behind the router; otherwise the firewall will be in layer 3 mode.


Author Comment

ID: 23710552
According to that wiki link, NAT and VPN termination for through traffic are not supported.

Is this true even if I would add access lists?  

It sounds like according to the Wiki I could not have a Web server behind the ASA.


Author Comment

ID: 23710750
To clarify...

Last sentence beginning with "It sounds like..." edited to:

"It sounds like according to the Wiki I could not have a Web Server behind the ASA - while the ASA is in transparent mode..."

Accepted Solution

Donboo earned 500 total points
ID: 23714056
That's right: if you intend to have NAT running, you need the ASA in routed mode. There is no way you can have your servers behind the ASA while getting IP addresses from the router that is in the same subnet as the ASA's outside interface and the router's inside interface unless it's transparent (at least that's what I read you wanted to do).


Author Closing Comment

ID: 31549904
This means I will probably have to resort to a config that uses DMZ.


Question has a verified solution.
