Cisco DHCP Relay Agent ASA 5505 to ASA 5515-X Windows Server not working

Current setup is as follows:

Remote office (ASA 5505 running 8.2(5) firmware) has an IPSEC tunnel working fine to Corporate office (ASA 5515-X running 9.1(1) firmware). Can ping across back and forth no problem. I added the following lines to each device in order to get DHCP Relay to work so that the remote office can get IP addresses from the Windows server 10.156.0.29 at corporate. The DHCP scope is set up correctly on the Windows server. I ran DHCP debug on the 5505 and don't seem to get the following line in the output: "Received a BOOTREPLY from interface 1". Can anyone point me in the right direction?

ASA Version 8.2(5)

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.156.33.1 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 70.xx.xx.xx 255.255.255.252


access-list outside_2_cryptomap extended permit ip object-group Sites AH 255.255.0.0
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootpc
access-list outside_2_cryptomap extended permit udp interface outside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootps
access-list outside_2_cryptomap extended permit udp interface inside host 10.156.0.29 eq bootpc


dhcprelay server 10.156.0.29 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

************************************************************************************

ASA Version 9.1(1)

object network obj-10.156.0.29
 host 10.156.0.29
object network obj-70.xx.xx.xx
 host 70.xx.xx.xx
object network obj-10.156.33.1
 host 10.156.33.1
object-group service dhcp-services udp
 port-object eq bootpc
 port-object eq bootps

access-list outside_2_cryptomap extended permit ip 10.156.0.0 255.255.0.0 10.156.33.0 255.255.255.0
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-70.xx.xx.xx object-group dhcp-services
access-list outside_2_cryptomap extended permit udp object obj-10.156.0.29 object obj-10.156.33.1 object-group dhcp-services
Asked by amkbailey
Pete Long (Technical Consultant) commented:
Does the Windows DHCP server at corporate have a 'route' to the subnet on the remote site?
amkbailey (Author) commented:
Yes it does. I can ping the remote subnet from directly on the DHCP server at corporate.
Michael Ortega (Sales & Systems Engineer) commented:
NAT issue. Check this out. It's a good explanation of how to setup DHCP Relay over a VPN tunnel.

https://supportforums.cisco.com/blog/149511

MO
amkbailey (Author) commented:
mgortega - I saw that link and it helps somewhat but not quite enough to get it working correctly. I had to call Cisco and we finally got it working after a few calls. Here is basically the config needed:

CORP ASA with Windows DHCP Server on local network (10.156.0.29) running 9.1(1)


access-list cryptomap extended permit ip host 10.156.0.29 host 70.x.x.x       "(THIS IS TO ALLOW DHCP SERVER TO TALK TO OUTSIDE INTERFACE OF REMOTE ASA)"

access-list cryptomap extended permit ip 10.156.0.0 255.255.0.0 10.156.33.0 255.255.255.0       "(THIS IS NORMAL ACCESS LIST WHEN YOU BUILD THE VPN TUNNEL ALLOWING CORP NETWORK TO TALK TO REMOTE NETWORK)"

nat (inside,outside) source static obj_10.156.0.0 obj_10.156.0.0 destination static obj_70.x.x.x obj_70.x.x.x no-proxy-arp route-lookup                  "(You have to add the objects before you add the NAT line)"


REMOTE ASA


access-list cryptomap extended permit ip host 70.x.x.x host 10.156.0.29

access-list cryptomap extended permit ip 10.156.33.0 255.255.255.0 10.156.0.0 255.255.0.0

dhcprelay server 10.156.0.29 outside
dhcprelay setroute inside
dhcprelay timeout 60
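Added example, not from this thread and not Cisco's code: a small Python model of the relay hop the final config above describes, plus a crypto-ACL check that shows why the extra host entry was needed. Assumptions, all labelled in the code: 203.0.113.2 (TEST-NET-3) stands in for the redacted 70.xx.xx.xx outside address; the scopes and the client MAC are made up; the relay sources the forwarded request from its outside interface (that is what the `permit ip host 70.x.x.x host 10.156.0.29` entry implies); and the server addresses its reply to giaddr as RFC 2131 section 4.1 specifies (the thread does not say which address the Windows server actually replied to, so the fixed ACL is also checked for the server-to-outside-address pair the thread's identity NAT covers).

```python
# Added example: model of the DHCP relay hop and the crypto ACL check it implies.
# Not the thread's config or Cisco's code. Constructed data: 203.0.113.2 (TEST-NET-3)
# stands in for the redacted 70.xx.xx.xx; the scopes and the client MAC are invented.
import ipaddress
import struct

DHCP_SERVER = "10.156.0.29"    # Windows DHCP server at corporate
RELAY_INSIDE = "10.156.33.1"   # remote ASA Vlan1 (inside); becomes giaddr
RELAY_OUTSIDE = "203.0.113.2"  # stand-in for the remote ASA's 70.xx.xx.xx outside address
MAGIC = b"\x63\x82\x53\x63"    # RFC 2131 magic cookie
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # op .. file, 236 bytes

SCOPES = {  # constructed: one scope per subnet and the next lease it would hand out
    ipaddress.ip_network("10.156.0.0/24"): "10.156.0.100",
    ipaddress.ip_network("10.156.33.0/24"): "10.156.33.100",
}


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as a client broadcasts it: giaddr 0, hops 0, option 53 = 1."""
    hdr = struct.pack(FIXED, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1, 255])


def parse(pkt: bytes) -> dict:
    """Pull out the fields the relay and the server act on."""
    f = struct.unpack(FIXED, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end of options
        if pkt[i] == 0:                              # 0 = pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "msgtype": opts.get(53, b"\0")[0]}


def relay_to_server(pkt: bytes) -> dict:
    """The relay hop: stamp giaddr with the inside interface address (if unset),
    bump hops, and unicast to the server from the interface that faces it.
    Assumption from the thread's 'permit ip host 70.x.x.x host 10.156.0.29' ACE:
    on the ASA that source is the outside interface, not the inside one."""
    if pkt[24:28] == b"\0" * 4:                      # giaddr lives at bytes 24..28
        pkt = pkt[:24] + ipaddress.IPv4Address(RELAY_INSIDE).packed + pkt[28:]
    pkt = pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:]    # hops is byte 3
    return {"src": RELAY_OUTSIDE, "dst": DHCP_SERVER, "sport": 67, "dport": 67, "payload": pkt}


def server_handle(dgram: dict) -> dict:
    """Server side: choose the scope by giaddr (the client's subnet, not the packet's
    source), then unicast the OFFER to giaddr port 67 as RFC 2131 section 4.1 says."""
    req = parse(dgram["payload"])
    hint = ipaddress.ip_address(req["giaddr"])
    if hint == ipaddress.ip_address("0.0.0.0"):      # not relayed: client is on the server's own LAN
        hint = ipaddress.ip_address(DHCP_SERVER)
    scope = next(n for n in SCOPES if hint in n)
    p = dgram["payload"]
    offer = (bytes([2]) + p[1:16]                    # op = BOOTREPLY, keep htype .. ciaddr
             + ipaddress.IPv4Address(SCOPES[scope]).packed  # yiaddr = offered lease
             + p[20:240] + bytes([53, 1, 2, 255]))   # rest of header + cookie, option 53 = OFFER
    return {"src": DHCP_SERVER, "dst": req["giaddr"], "sport": 67, "dport": 67, "payload": offer}


def in_crypto_acl(acl, src: str, dst: str) -> bool:
    """Crypto ACLs are symmetric: an ACE written local->remote also selects the
    mirrored remote->local flow, so check both orientations."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)) or
               (d in ipaddress.ip_network(a) and s in ipaddress.ip_network(b)) for a, b in acl)


# Corporate-side crypto ACL as (local, remote) pairs: the original one and the fix.
ORIGINAL_ACL = [("10.156.0.0/16", "10.156.33.0/24")]
FIXED_ACL = ORIGINAL_ACL + [(DHCP_SERVER + "/32", RELAY_OUTSIDE + "/32")]


if __name__ == "__main__":
    disc = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x1234)   # constructed client MAC
    req = relay_to_server(disc)
    rep = server_handle(req)
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "ACL: relayed DISCOVER in tunnel:", in_crypto_acl(acl, req["src"], req["dst"]),
              "| OFFER to giaddr in tunnel:", in_crypto_acl(acl, rep["src"], rep["dst"]),
              "| server<->outside addr in tunnel:", in_crypto_acl(acl, DHCP_SERVER, RELAY_OUTSIDE))
```

Run as-is it shows the point of the thread: the original corporate ACL already selects the OFFER back to 10.156.33.1 (it sits inside 10.156.33.0/24), but the relayed DISCOVER arrives from the remote ASA's outside address, which is in neither subnet, so nothing puts it in the tunnel until the host-to-host ACE is added. The identity NAT line in the thread matters for the same address pair: on the ASA, NAT runs before the crypto map is matched, so a server packet toward 70.x.x.x that got translated to the corporate outside interface would no longer match the ACE.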

amkbailey (Author) commented:
After calling Cisco, my solution got the issue resolved.
Michael Ortega (Sales & Systems Engineer) commented:
The article covered all those elements. It's possible that you overlooked the reference to the access-list portion that allowed the trusted host from the public IP of the remote end (on both ends), because the article technically used non-routable private IPs on both the inside and the outside of their ASAs.

The firmware version they are using in the article is a little older (before the new NAT configuration of 8.3.x+).

MO