amkbailey asked:

Cisco DHCP Relay Agent ASA 5505 to ASA 5515-X Windows Server not working

Current setup is as follows:

Remote office (ASA 5505 running 8.2(5) firmware) has an IPSEC tunnel working fine to Corporate office (ASA 5515-X running 9.1(1) firmware). Can ping across back and forth no problem. I added the following lines to each device in order to get DHCP Relay to work so that the remote office can get IP addresses from the Windows server 10.156.0.29 at corporate. DHCP Scope is set up correctly on the Windows server. I ran DHCP debug on the 5505 and don't seem to get the following line in the output: "Received a BOOTREPLY from interface 1". Can anyone point me in the right direction?

ASA Version 8.2(5)

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.156.33.1 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 70.xx.xx.xx 255.255.255.252


access-list outside_2_cryptomap extended permit ip object-group Sites AH 255.255.0.0
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootpc
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootpc


dhcprelay server 10.156.0.29 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

************************************************************************************

ASA Version 9.1(1)

object network obj-10.156.0.29
 host 10.156.0.29
object network obj-70.xx.xx.xx
 host 70.xx.xx.xx
object network obj-10.156.33.1
 host 10.156.33.1
object-group service dhcp-services udp
 port-object eq bootpc
 port-object eq bootps

access-list outside_2_cryptomap extended permit ip 10.156.0.0 255.255.0.0 10.156.33.0 255.255.255.0
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-70.xx.xx.xx object-group dhcp-services
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-10.156.33.1 object-group dhcp-services
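The debug line being looked for ("Received a BOOTREPLY") only appears once the server's reply actually arrives back at the relay, so the first thing to establish is what the server is sending and where. A relay forwards the client's BOOTREQUEST with its own interface address in giaddr, and the server unicasts the BOOTREPLY back to that giaddr on port 67 (bootps); if that address is not covered by the interesting-traffic ACL on both ASAs, the reply never enters the tunnel. The following is an added example (it is not code from this thread, Cisco, or the asker) that decodes the DHCP header of a captured UDP payload, checks that a reply matches the relayed request, and checks whether the server-to-giaddr pair is covered by a list of permitted network pairs standing in for the crypto ACL. Addresses 10.156.0.29 and 10.156.33.1 come from the question; 203.0.113.2 is a placeholder for the masked 70.xx.xx.xx outside address; the sample packets are constructed, not captured.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP/DHCP header (RFC 2131, section 2): 236 bytes before the options.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(raw: bytes) -> dict:
    """Decode TLV options; skips PAD (0) and stops at END (255)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> dict:
    """Return the header fields a relay cares about plus the DHCP message type."""
    cookie_end = HEADER.size + len(MAGIC_COOKIE)
    if len(payload) < cookie_end:
        raise ValueError("payload too short for a DHCP message")
    (op, _htype, hlen, hops, xid, _secs, _flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, _sname, _file) = HEADER.unpack_from(payload)
    if payload[HEADER.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(payload[cookie_end:])
    mt = opts.get(53)
    mtype = mt[0] if mt else 0
    return {
        "op": op, "hops": hops, "xid": xid,
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": MSG_TYPES.get(mtype, f"unknown({mtype})"),
    }


def build_dhcp(op, xid, chaddr, msg_type, giaddr, yiaddr="0.0.0.0", hops=0) -> bytes:
    """Assemble a minimal DHCP message; used here only to construct sample traffic."""
    header = HEADER.pack(
        op, 1, len(chaddr), hops, xid, 0, 0,
        b"\0" * 4,                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr
        b"\0" * 4,                             # siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: relay interface address
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def check_relay_reply(request: dict, reply: dict) -> list:
    """List the reasons a relay would not accept `reply` as the answer to `request`."""
    problems = []
    if reply["op"] != BOOTREPLY:
        problems.append("reply op is not BOOTREPLY")
    if reply["xid"] != request["xid"]:
        problems.append("xid mismatch")
    if request["giaddr"] == "0.0.0.0":
        problems.append("request giaddr is 0.0.0.0: it was not relayed")
    if reply["giaddr"] != request["giaddr"]:
        problems.append(f"server returned giaddr {reply['giaddr']} instead of {request['giaddr']}")
    if reply["chaddr"] != request["chaddr"]:
        problems.append("chaddr mismatch")
    return problems


def covered_by_acl(src: str, dst: str, permits) -> bool:
    """True if some (src_net, dst_net) pair in `permits` matches src -> dst.
    `permits` stands in for the interesting-traffic (crypto map) ACL on an ASA."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in ipaddress.IPv4Network(a) and d in ipaddress.IPv4Network(b) for a, b in permits)


# --- Constructed sample traffic (not from the thread's debug output) ---
RELAY_GIADDR = "10.156.33.1"         # ASA 5505 inside address from the question
DHCP_SERVER = "10.156.0.29"          # Windows DHCP server from the question
PUBLIC_PLACEHOLDER = "203.0.113.2"   # stands in for the masked 70.xx.xx.xx outside address
CLIENT_MAC = bytes.fromhex("001122334455")

SAMPLE_REQUEST = build_dhcp(BOOTREQUEST, 0x3903F326, CLIENT_MAC, 1, RELAY_GIADDR, hops=1)
SAMPLE_REPLY = build_dhcp(BOOTREPLY, 0x3903F326, CLIENT_MAC, 2, RELAY_GIADDR, yiaddr="10.156.33.50")
# Hypothetical bad reply with giaddr cleared: it would never be addressed back to the relay.
SAMPLE_BAD_REPLY = build_dhcp(BOOTREPLY, 0x3903F326, CLIENT_MAC, 2, "0.0.0.0", yiaddr="10.156.33.50")

# Network pairs permitted by the corporate-side crypto ACL in the question (server side -> remote LAN).
CORP_CRYPTO_ACL = [("10.156.0.0/16", "10.156.33.0/24")]

if __name__ == "__main__":
    req, rep = parse_dhcp(SAMPLE_REQUEST), parse_dhcp(SAMPLE_REPLY)
    print(req["msg_type"], "giaddr", req["giaddr"], "->", rep["msg_type"], "yiaddr", rep["yiaddr"])
    print("problems:", check_relay_reply(req, rep) or "none")
    print("server->giaddr covered by crypto ACL:", covered_by_acl(DHCP_SERVER, req["giaddr"], CORP_CRYPTO_ACL))
    print("server->public covered by crypto ACL:", covered_by_acl(DHCP_SERVER, PUBLIC_PLACEHOLDER, CORP_CRYPTO_ACL))
```

Feed `parse_dhcp` the UDP payload of packets captured on the server's LAN (or the ASA's `capture` output exported as a pcap and read with any pcap library) to see which address the server actually answers to; if that address is the public outside IP rather than the inside address, it is the outside-to-server pair that the crypto ACL on each end has to permit.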

Last comment: Michael Ortega, 8/22/2022 (Mon)
Pete Long

Does the Windows DHCP server at corporate have a 'route' to the subnet on the remote site?
amkbailey

ASKER
Yes it does. I can ping the remote subnet from directly on the DHCP server at corporate.
SOLUTION
Michael Ortega

ASKER CERTIFIED SOLUTION
amkbailey

amkbailey

ASKER
After calling Cisco, my solution got the issue resolved.
Michael Ortega

The article covered all those elements. It's possible that you overlooked the reference to the access-list portion that allowed the trusted host from the public IP of the remote end (on both ends), because the article technically used non-routable private IPs on both the inside and the outside of their ASAs.

The firmware version they are using in the article is a little older (before the new NAT configuration of 8.3.x+).

MO