amkbailey asked:
Cisco DHCP Relay Agent ASA 5505 to ASA 5515-X Windows Server not working

Current setup is as follows:

Remote office (ASA 5505 running 8.2(5) firmware) has an IPSEC tunnel working fine to Corporate office (ASA 5515-X running 9.1(1) firmware). Can ping across back and forth no problem. I added the following lines to each device in order to get DHCP Relay to work so that the remote office can get IP addresses from the Windows server 10.156.0.29 at corporate. DHCP Scope is set up correctly on the Windows server. I ran DHCP debug on the 5505 and don't seem to get the line "Received a BOOTREPLY from interface 1" in the output. Can anyone point me in the right direction?

ASA Version 8.2(5)

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.156.33.1 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 70.xx.xx.xx 255.255.255.252


access-list outside_2_cryptomap extended permit ip object-group Sites AH 255.255.0.0
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootpc
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootpc


dhcprelay server 10.156.0.29 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

************************************************************************************

ASA Version 9.1(1)

object network obj-10.156.0.29
 host 10.156.0.29
object network obj-70.xx.xx.xx
 host 70.xx.xx.xx
object network obj-10.156.33.1
 host 10.156.33.1
object-group service dhcp-services udp
 port-object eq bootpc
 port-object eq bootps

access-list outside_2_cryptomap extended permit ip 10.156.0.0 255.255.0.0 10.156.33.0 255.255.255.0
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-70.xx.xx.xx object-group dhcp-services
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-10.156.33.1 object-group dhcp-services
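A strict mirror-image check of the two crypto ACLs above, added here as an example and not part of the thread or of any Cisco tool. Cisco documents that site-to-site crypto ACLs must be mirror images of each other, including any ports they carry, so the script swaps source/destination (and source/destination port) of every ACE on one side and looks for that exact ACE on the other. It assumes "interface outside"/"interface inside" resolve to the interface addresses shown, expands object-group dhcp-services, treats the masked 70.xx.xx.xx as an opaque label, and leaves out the remote's first (ip) ACE because it is garbled on the page; an unmirrored ACE is something to review, not proof that it is the cause of the missing BOOTREPLY.

```python
"""Strict mirror-image check for a pair of ASA site-to-site crypto ACLs.

Sample data is constructed from the two outside_2_cryptomap ACLs in the
question (interfaces resolved, object-group expanded, garbled ACE omitted).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    proto: str          # "ip" or "udp"
    src: str            # host address or "network/prefix"
    dst: str
    sport: str = "any"  # ports are part of a crypto ACE, so they are part of the key
    dport: str = "any"

    def mirror(self) -> "Ace":
        """The ACE the peer must carry: src/dst and sport/dport swapped."""
        return Ace(self.proto, self.dst, self.src, self.dport, self.sport)


def unmirrored(local, peer):
    """Return the local ACEs that have no exact mirror image on the peer."""
    peer_set = set(peer)
    return [a for a in local if a.mirror() not in peer_set]


def expand(proto, src, dst, dports):
    """One ACE per destination port, as a port object-group expands to."""
    return [Ace(proto, src, dst, "any", p) for p in dports]


REMOTE_OUTSIDE = "70.xx.xx.xx"   # masked on the page; used as an opaque label
REMOTE_INSIDE = "10.156.33.1"
DHCP_SERVER = "10.156.0.29"

# ASA 5505 (remote): "interface outside" / "interface inside" resolved
REMOTE_ACL = (expand("udp", REMOTE_OUTSIDE, DHCP_SERVER, ["bootpc", "bootps"])
              + expand("udp", REMOTE_INSIDE, DHCP_SERVER, ["bootps", "bootpc"]))

# ASA 5515-X (corporate): object-group dhcp-services expanded
CORP_ACL = ([Ace("ip", "10.156.0.0/16", "10.156.33.0/24")]
            + expand("udp", DHCP_SERVER, REMOTE_OUTSIDE, ["bootpc", "bootps"])
            + expand("udp", DHCP_SERVER, REMOTE_INSIDE, ["bootpc", "bootps"]))


def report():
    """(remote ACEs without a corporate mirror, corporate ACEs without a remote mirror)."""
    return unmirrored(REMOTE_ACL, CORP_ACL), unmirrored(CORP_ACL, REMOTE_ACL)


if __name__ == "__main__":
    for side, aces in zip(("remote", "corporate"), report()):
        for a in aces:
            print(f"{side}: no mirror on peer for {a}")
```

With the ACLs as posted, every UDP ACE is reported, because each side names the DHCP port as the destination port while a mirror of the peer's ACE would carry it as the source port.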
Pete Long

Does the Windows DHCP server at corporate have a 'route' to the subnet on the remote site?
amkbailey (ASKER)

Yes it does. I can ping the remote subnet from directly on the DHCP server at corporate.
SOLUTION
Michael Ortega

ASKER CERTIFIED SOLUTION
After calling Cisco, my solution got the issue resolved.
The article covered all those elements. It's possible that you overlooked the reference to the access-list portion that allowed the trusted host from the public IP of the remote end (on both ends) because the article technically used non-routable private IPs on both the inside and the outside of their ASAs.

The firmware version they are using in the article is a little older (before the new NAT configuration of 8.3.x+).

MO