DHCP Issue Relay through ASA Firewall

Posted on 2012-09-21
Medium Priority
Last Modified: 2012-09-30
I have 3 networks with an ASA firewall between them and my main network. One of these is just for routing and contains an interface on the firewall; the other 2 are client networks which route through that network. My DHCP server is on the main network, on the other side of the firewall from the 2 client networks. I am using ip helper-address commands on Cisco layer 3 switches pointing to my DHCP server, and then rules allowing ports 67 and 68 through the firewall to the server. I see hits on the rules but do not get an address. The scope worked before I added the firewall.
Question by: Jared_Brown

Expert Comment

ID: 38424525
Is the ASA running NAT, or in transparent mode?

Expert Comment

ID: 38424615
Wonder if you have DHCP relay for the ASA... instead of ip helper-address, to simplify

Expert Comment

ID: 38425674
Can you post a network diagram with the various IP subnets and the firewall configs?

Accepted Solution

Jared_Brown earned 0 total points
ID: 38433335
Good morning everyone. The ASA is running in routed mode. The ASA is not the gateway for the client subnets; it terminates a routing subnet into which the client subnets converge.

The issue seems to have been some kind of address caching. It was not working when I went home on Friday, but it was when I came back in on Monday, and it has continued to work since.

Author Closing Comment

ID: 38448338
As it turns out, the original configuration was correct, but old information must have been held somewhere in the network, or something like that, which resolved itself with time. The problem resolved itself after a few hours had passed.

Question has a verified solution.
