Velocity Reviews

DHCP relay through a site-to-site VPN (http://www.velocityreviews.com/forums/t301636-dhcp-relay-through-a-site-to-site-vpn.html)

pawn_daniels@yahoo.com 07-19-2006 08:00 AM

DHCP relay through a site-to-site VPN
 
We have two sites: 10.0.1.0/24 and 10.0.2.0/24. They are connected with
site-to-site VPN using two PIX 501s. Both PIXs are running OS 6.3(5).
The VPN connection is working fine, and the hosts can access network
resources both ways.

First site has a DHCP server (Win2003) with an IP address of 10.0.1.10.
It has scopes for both networks. The PIX at the 10.0.2.0 site is
configured as a DHCP relay using this config:

dhcprelay server 10.0.1.10 outside
dhcprelay enable inside

However, the setup doesn't work. The clients at the 10.0.2.0 network
don't get their IP from the DHCP server at 10.0.1.0 site. The local
clients at the 10.0.1.0 site do get their IPs from their scope.

This is what the PIX at site 10.0.2.0 shows:

pix501# sh dhcpr stat
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 45
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0

I've found very little documentation from Cisco regarding DHCP relay
through a VPN connection.

Any ideas what to try?


Merv 07-19-2006 10:32 AM

Re: DHCP relay through a site-to-site VPN
 
Did you reboot the PIX after you configured the DHCP relay ?

I believe there is a Cisco bug that requires a reboot.


pawn_daniels@yahoo.com 07-19-2006 06:27 PM

Re: DHCP relay through a site-to-site VPN
 

Merv wrote:

> Did you reboot the PIX after you configured the DHCP relay ?
> I believe there is a Cisco bug that requires a reboot.


I've also heard about the bug, and yes, the PIX has been rebooted after
configuring the DHCP relay. Quite a few times, actually. Rebooting
didn't solve the problem.

Any other ideas?


Merv 07-19-2006 07:02 PM

Re: DHCP relay through a site-to-site VPN
 
use the capture command to verify that PIX is receiving DHCP requests
on inside interface and sending them on outside interface

no access-list DHCP
access-list DHCP permit udp any any eq bootpc
access-list DHCP permit udp any any eq bootps

capture capture1 access-list DHCP interface inside
capture capture2 access-list DHCP interface outside

show capture1
show capture2


RC 07-20-2006 05:24 PM

Re: DHCP relay through a site-to-site VPN
 
A little alternative advice. Don't use DHCP relay, use the DHCP server on
the PIX. With the relay you add traffic (albeit only a little) and if the
Internet connection or VPN tunnel goes down, you also lose your DHCP
service.


<pawn_daniels@yahoo.com> wrote in message
news:1153296031.351225.249020@75g2000cwc.googlegroups.com...
> We have two sites: 10.0.1.0/24 and 10.0.2.0/24. They are connected with
> site-to-site VPN using two PIX 501s. Both PIXs are running OS 6.3(5).
> The VPN connection is working fine, and the hosts can access network
> resources both ways.
>
> First site has a DHCP server (Win2003) with an IP address of 10.0.1.10.
> It has scopes for both networks. The PIX at the 10.0.2.0 site is
> configured as a DHCP relay using this config:
>
> dhcprelay server 10.0.1.10 outside
> dhcprelay enable inside
>
> However, the setup doesn't work. The clients at the 10.0.2.0 network
> don't get their IP from the DHCP server at 10.0.1.0 site. The local
> clients at the 10.0.1.0 site do get their IPs from their scope.
>
> This is what the PIX at site 10.0.2.0 shows:
>
> pix501# sh dhcpr stat
> Packets Relayed
> BOOTREQUEST 0
> DHCPDISCOVER 45
> DHCPREQUEST 0
> DHCPDECLINE 0
> DHCPRELEASE 0
> DHCPINFORM 0
>
> BOOTREPLY 0
> DHCPOFFER 0
> DHCPACK 0
> DHCPNAK 0
>
> I've found very little documentation from Cisco regarding DHCP relay
> through a VPN connection.
>
> Any ideas what to try?
>


pawn_daniels@yahoo.com 07-21-2006 05:48 AM

Re: DHCP relay through a site-to-site VPN
 
> use the capture command to verify that PIX is receiving DHCP requests
> on inside interface and sending them on outside interface


It seems to work:

pix501(config)# sh cap capture1
7 packets captured
16:45:59.979288 0.0.0.0.68 > 255.255.255.255.67: udp 300
....
16:47:27.017104 0.0.0.0.68 > 255.255.255.255.67: udp 300
7 packets shown

pix501(config)# sh cap capture2
8 packets captured
16:45:54.988504 xxx.xxx.xxx.xxx.67 > 10.0.1.10.67: udp 300
....
16:47:27.017577 xxx.xxx.xxx.xxx.67 > 10.0.1.10.67: udp 300
8 packets shown

However, nothing gets to the DHCP server at site1. I ran a network
monitor there, and no packet reaches the server. So I guess the problem
is the PIX at site1?

Here are some configs from both PIXes...


PIX at site 1:

name 10.0.2.0 site2
access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0
site2 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2
255.255.255.0
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside 10.0.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer yyy.yyy.yyy.yyy
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address yyy.yyy.yyy.yyy netmask 255.255.255.255
no-xauth no-config-mode


PIX at site 2:

name 10.0.1.0 site1
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0
site1 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1
255.255.255.0
ip address outside yyy.yyy.yyy.yyy 255.255.255.224
ip address inside 10.0.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
no-xauth no-config-mode
dhcprelay server 10.0.1.10 outside
dhcprelay enable inside


Merv 07-21-2006 10:47 AM

Re: DHCP relay through a site-to-site VPN
 

So it would appear the PIX DHCP relay agent feature is working just
fine.


Perhaps the DHCP traffic is not being permitted by the crypto map.
Since you masked out the IP address for the outbound DHCP packet, I will
assume that it is the outside interface. If that is the case then your
crypto map does not permit that to be placed into the VPN tunnel:
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1
255.255.255.0


See Cisco PIX config example for SNMP and SYSLOG over VPN tunnel:
http://www.cisco.com/en/US/products/...ation_example0

SNMP and SYSLOG both use UDP as transport.


pawn_daniels@yahoo.com 07-25-2006 05:17 AM

Re: DHCP relay through a site-to-site VPN
 

> Perhaps the DHCP traffic is not being permitted by the crypto map.
> Since you masked out the IP address for the outbound DHCP packet, I will
> assume that it is the outside interface. If that is the case then your
> crypto map does not permit that to be placed into the VPN tunnel


Yes, the masked xxx-address is the outside interface address of the PIX
at site2.

After reading the config example for SNMP and SYSLOG over VPN, I
changed the access-lists like this:

PIX at site 1:
name 10.0.2.0 site2
access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2
255.255.255.0
access-list outside_cryptomap_20 permit ip host 10.0.1.10 host
xxx.xxx.xxx.xxx

PIX at site 2:
name 10.0.1.0 site1
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1
255.255.255.0
access-list outside_cryptomap_20 permit ip host xxx.xxx.xxx.xxx host
10.0.1.10

It still doesn't work...
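The crypto-map check Merv describes and the two access-list versions above, as an added Python example (not from the thread): it parses PIX 6.3 style ACEs with `name` substitution and tests `show capture` lines against them the way the crypto map selects traffic for the tunnel. The address 192.0.2.10 is a constructed stand-in for the masked xxx.xxx.xxx.xxx outside address of the site-2 PIX.

```python
import ipaddress
import re

# Constructed stand-in for the masked "xxx.xxx.xxx.xxx" outside address of the site-2 PIX.
SITE2_OUTSIDE = "192.0.2.10"
# PIX 6.3 "name" entries from the thread; names are resolved before an ACE is parsed.
NAMES = {"site1": "10.0.1.0", "site2": "10.0.2.0"}

def _take_addr(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(host, host) + "/32")
    mask = tokens.pop(0)  # dotted netmask, as written in PIX ACLs
    return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{mask}", strict=False)

def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' into a (src_net, dst_net) pair."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[4:]
    return _take_addr(rest), _take_addr(rest)

CAPTURE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")

def classify(capture_line, crypto_acl):
    """'tunnel' if the packet on a 'show capture' line matches the crypto ACL, else 'no match'."""
    m = CAPTURE_RE.search(capture_line)
    if not m:
        raise ValueError(f"not a capture line: {capture_line}")
    src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(3))
    hit = any(src in s and dst in d for s, d in crypto_acl)
    return "tunnel" if hit else "no match"

ORIGINAL_ACL = [parse_ace(
    "access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0")]
REVISED_ACL = ORIGINAL_ACL + [parse_ace(
    f"access-list outside_cryptomap_20 permit ip host {SITE2_OUTSIDE} host 10.0.1.10")]

# Constructed capture2 line in the thread's format: the relay agent sources the forwarded
# DHCPDISCOVER from the PIX's own outside address, not from a 10.0.2.0/24 host.
RELAYED = f"16:45:54.988504 {SITE2_OUTSIDE}.67 > 10.0.1.10.67: udp 300"
HOST_TRAFFIC = "16:46:01.000000 10.0.2.50.1025 > 10.0.1.10.445: udp 60"  # constructed

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label, classify(RELAYED, acl), classify(HOST_TRAFFIC, acl))
```

Matching the crypto ACL is only a necessary condition for the relayed packet to be encrypted; the thread shows the revised entries alone did not fix the problem.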


LazioSam 07-25-2006 07:21 AM

Change your PIX 1's DHCP to none, and have the DHCP server (win2k3) use a fixed IP that you set manually.
Then have a try.

You can also check the DHCP server PC's port status: use the command "netstat -an" to see the active ports. If PIX1's DHCP is "Server", ports 67 and 68 (DHCP server) of Win2003 are not active; when you change PIX1's DHCP to "none", these two ports of Win2003 work.

That's what I ran into before when I used DHCP relay through a site-to-site VPN.
But my router is not Cisco's PIX, so I don't know whether this method is useful for you.


I also want to know why; maybe we can talk about it.

Merv 07-25-2006 06:02 PM

Re: DHCP relay through a site-to-site VPN
 
Does "show access-list" show any hits against the second entry in the
crypto access-list?


