Cisco DHCP Relay Agent ASA 5505 to ASA 5515-X Windows Server not working
Current setup is as follows:
Remote office (ASA 5505 running 8.2(5) firmware) has an IPSEC tunnel working fine to Corporate office (ASA 5515-X running 9.1(1) firmware). Can ping across back and forth no problem. I added the following lines to each device in order to get DHCP Relay to work so that the remote office can get IP addresses from the Windows server 10.156.0.29 at corporate. DHCP Scope is setup correctly on the Windows server. I ran DHCP debug on the 5505 and don't seem to get the following line in the output - Received a BOOTREPLY from interface 1. Can anyone point me in the right direction?
ASA Version 8.2(5)
interface Vlan1
nameif inside
security-level 100
ip address 10.156.33.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 70.xx.xx.xx 255.255.255.252
access-list outside_2_cryptomap extended permit ip object-group Sites AH 255.255.0.0
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootpc
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootpc
dhcprelay server 10.156.0.29 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
**************************
ASA Version 9.1(1)
object network obj-10.156.0.29
host 10.156.0.29
object network obj-70.xx.xx.xx
host 70.xx.xx.xx
object network obj-10.156.33.1
host 10.156.33.1
object-group service dhcp-services udp
port-object eq bootpc
port-object eq bootps
access-list outside_2_cryptomap extended permit ip 10.156.0.0 255.255.0.0 10.156.33.0 255.255.255.0
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-70.xx.xx.xx object-group dhcp-services
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-10.156.33.1 object-group dhcp-services
Remote office (ASA 5505 running 8.2(5) firmware) has an IPSEC tunnel working fine to Corporate office (ASA 5515-X running 9.1(1) firmware). Can ping across back and forth no problem. I added the following lines to each device in order to get DHCP Relay to work so that the remote office can get IP addresses from the Windows server 10.156.0.29 at corporate. DHCP Scope is setup correctly on the Windows server. I ran DHCP debug on the 5505 and don't seem to get the following line in the output - Received a BOOTREPLY from interface 1. Can anyone point me in the right direction?
ASA Version 8.2(5)
interface Vlan1
nameif inside
security-level 100
ip address 10.156.33.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 70.xx.xx.xx 255.255.255.252
access-list outside_2_cryptomap extended permit ip object-group Sites AH 255.255.0.0
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootpc
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootpc
dhcprelay server 10.156.0.29 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
**************************
ASA Version 9.1(1)
object network obj-10.156.0.29
host 10.156.0.29
object network obj-70.xx.xx.xx
host 70.xx.xx.xx
object network obj-10.156.33.1
host 10.156.33.1
object-group service dhcp-services udp
port-object eq bootpc
port-object eq bootps
access-list outside_2_cryptomap extended permit ip 10.156.0.0 255.255.0.0 10.156.33.0 255.255.255.0
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-70.xx.xx.xx object-group dhcp-services
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-10.156.33.1 object-group dhcp-services
Pete Long
Does the Windows DHCP server at corporate, have a 'route' to the subnet on the remote site?
ASKER
Yes it does. I can ping the remote subnet from directly on the DHCP server at corporate.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
After calling Cisco, my solution got the issue resolved.
The article covered all those elements. It's possible that you overlooked the reference to the access-list portion that allowed trusted host from the public IP of the remote end (on both ends) because the article technically used non-routable private IP's on both the inside and the outside of their ASA's.
The firmware version that they are using the article is a little older (before the new NAT configuration of 8.3.x+)
MO
The firmware version that they are using the article is a little older (before the new NAT configuration of 8.3.x+)
MO