Velocity Reviews - Computer Hardware Reviews

DHCP relay through a site-to-site VPN

 
 
pawn_daniels@yahoo.com
07-19-2006
We have two sites: 10.0.1.0/24 and 10.0.2.0/24. They are connected with
site-to-site VPN using two PIX 501s. Both PIXs are running OS 6.3(5).
The VPN connection is working fine, and the hosts can access network
resources both ways.

First site has a DHCP server (Win2003) with an IP address of 10.0.1.10.
It has scopes for both networks. The PIX at the 10.0.2.0 site is
configured as a DHCP relay using this config:

dhcprelay server 10.0.1.10 outside
dhcprelay enable inside

However, the setup doesn't work. The clients at the 10.0.2.0 network
don't get their IP from the DHCP server at 10.0.1.0 site. The local
clients at the 10.0.1.0 site do get their IPs from their scope.

This is what the PIX at site 10.0.2.0 shows:

pix501# sh dhcpr stat
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 45
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0

I've found very little documentation from Cisco regarding DHCP relay
through a VPN connection.

Any ideas what to try?
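The relay counters posted above already localise the failure: DISCOVERs are being relayed, nothing comes back. The following is an added example (not from the original post or from Cisco) that parses PIX 6.3 `show dhcprelay statistics` output and names the first leg of the DISCOVER/OFFER/REQUEST/ACK exchange with no traffic. The embedded counter text is the output pasted in the post; the second sample is constructed.

```python
"""Parse `show dhcprelay statistics` (PIX 6.3 format) and diagnose which
leg of the DHCP exchange is failing. Added example, not Cisco code."""

import re
from typing import Dict

# Counter block as posted in the thread (relay at the 10.0.2.0 site).
SAMPLE_STATS = """\
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 45
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
"""

# Constructed sample of a relay that has seen complete DORA exchanges.
HEALTHY_STATS = """\
Packets Relayed
DHCPDISCOVER 3
DHCPREQUEST 3
DHCPOFFER 3
DHCPACK 3
DHCPNAK 0
"""

COUNTER_RE = re.compile(r"^\s*(BOOT\w+|DHCP\w+)\s+(\d+)\s*$")


def parse_relay_stats(text: str) -> Dict[str, int]:
    """Return {counter_name: value} for every 'NAME N' line in the output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def diagnose(counters: Dict[str, int]) -> str:
    """Name the first stage of the client/server exchange that shows nothing.

    Client-to-server packets (DISCOVER, REQUEST) are counted on the
    inside-to-server leg; server-to-client packets (OFFER, ACK, NAK) on the
    return leg. Relayed DISCOVERs with no OFFER means the inside leg works
    and the path to the server, or the server's path back, is broken.
    """
    discover = counters.get("DHCPDISCOVER", 0)
    offer = counters.get("DHCPOFFER", 0)
    request = counters.get("DHCPREQUEST", 0)
    ack = counters.get("DHCPACK", 0)
    nak = counters.get("DHCPNAK", 0)
    if discover == 0:
        return "no DISCOVER relayed: relay is not receiving client broadcasts on inside"
    if offer == 0:
        return "DISCOVER relayed, no OFFER back: path to the server or the return path is broken"
    if request == 0:
        return "OFFER relayed, no REQUEST: clients never accepted (or never saw) the offer"
    if ack == 0 and nak == 0:
        return "REQUEST relayed, no ACK/NAK: server is not answering requests"
    if nak and not ack:
        return "server only NAKs: no scope matches the relayed subnet"
    return "full DISCOVER/OFFER/REQUEST/ACK exchange relayed"


if __name__ == "__main__":
    print(diagnose(parse_relay_stats(SAMPLE_STATS)))
    print(diagnose(parse_relay_stats(HEALTHY_STATS)))
```

Run against the posted output it reports the DISCOVER-out, no-OFFER-back case, which is the reason the replies in this thread concentrate on the path between the relay and the server rather than on the relay itself.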

 
Merv
07-19-2006
Did you reboot the PIX after you configured the DHCP relay ?

I believe there is a Cisco bug that requires a reboot.

 
pawn_daniels@yahoo.com
07-19-2006

Merv wrote:

> Did you reboot the PIX after you configured the DHCP relay ?
> I believe there is a Cisco bug that requires a reboot.


I've also heard about the bug, and yes, the PIX has been rebooted after
configuring the DHCP relay. Quite a few times, actually. Rebooting
didn't solve the problem.

Any other ideas?

 
Merv
07-19-2006
Use the capture command to verify that the PIX is receiving DHCP requests
on the inside interface and sending them on the outside interface:

no access-list DHCP
access-list DHCP permit udp any any eq bootpc
access-list DHCP permit udp any any eq bootps

capture capture1 access-list DHCP interface inside
capture capture2 access-list DHCP interface outside

show capture capture1
show capture capture2

 
RC
07-20-2006
A little alternative advice. Don't use DHCP relay, use the DHCP server on
the PIX. With the relay you add traffic (albeit only a little) and if the
Internet connection or VPN tunnel goes down, you also lose your DHCP
service.


pawn_daniels@yahoo.com
07-21-2006
> use the capture command to verify that PIX is receiving DHCP requests
> on inside interface and sending them on outside interface


It seems to work:

pix501(config)# sh cap capture1
7 packets captured
16:45:59.979288 0.0.0.0.68 > 255.255.255.255.67: udp 300
....
16:47:27.017104 0.0.0.0.68 > 255.255.255.255.67: udp 300
7 packets shown

pix501(config)# sh cap capture2
8 packets captured
16:45:54.988504 xxx.xxx.xxx.xxx.67 > 10.0.1.10.67: udp 300
....
16:47:27.017577 xxx.xxx.xxx.xxx.67 > 10.0.1.10.67: udp 300
8 packets shown

However, nothing gets to the DHCP server at site1. I ran a network
monitor there, and no packet reaches the server. So I guess the problem
is the PIX at site1?

Here are some configs from both PIXes...


PIX at site 1:

name 10.0.2.0 site2
access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0
site2 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2
255.255.255.0
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside 10.0.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer yyy.yyy.yyy.yyy
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address yyy.yyy.yyy.yyy netmask 255.255.255.255
no-xauth no-config-mode


PIX at site 2:

name 10.0.1.0 site1
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0
site1 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1
255.255.255.0
ip address outside yyy.yyy.yyy.yyy 255.255.255.224
ip address inside 10.0.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
no-xauth no-config-mode
dhcprelay server 10.0.1.10 outside
dhcprelay enable inside

 
Merv
07-21-2006

So it would appear the PIX DHCP relay agent feature is working just
fine.

Perhaps the DHCP traffic is not being permitted by the crypto map.
Since you masked out the IP address for the outbound DHCP packet I will
assume that it is the outside interface. If that is the case then your
crypto map does not permit that to be placed into the VPN tunnel:

access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1
255.255.255.0


See Cisco PIX config example for SNMP and SYSLOG over VPN tunnel:
http://www.cisco.com/en/US/products/...ation_example0

SNMP and SYSLOG both use UDP as transport.
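The point made above is that the relayed request is sourced from the PIX's own outside address, which the posted crypto ACL (10.0.2.0/24 to 10.0.1.0/24) never selects. The following added example (not from the thread, and not Cisco code) models the PIX 6.3 outbound ordering, NAT exemption first, then PAT via `global (outside) 1 interface`, then crypto ACL selection on the translated packet, and runs the posted ACL lines through it for both the relayed request and the server's reply. Assumptions: the two public addresses are placeholders standing in for the masked xxx/yyy values, and traffic the PIX originates itself (the relayed request) is not subject to the `nat (inside)` statements. The caveat worth checking on the site 1 PIX is visible in the reply path: the crypto ACL sees the post-NAT source, so a host entry in the crypto ACL alone is not enough if `inside_outbound_nat0_acl` does not also exempt the server-to-relay flow.

```python
"""Model the PIX 6.3 outbound path (nat 0 exemption -> PAT -> crypto ACL)
and check whether relayed DHCP packets and their replies enter the tunnel.
Added example; ACL lines are the ones posted, public IPs are placeholders."""

import ipaddress
from typing import List, Tuple

# Placeholders for the masked public addresses (assumption).
SITE1_OUTSIDE = "192.0.2.1"
SITE2_OUTSIDE = "198.51.100.1"
DHCP_SERVER = "10.0.1.10"

# `name` statements from the posted configs.
NAMES = {"site1": "10.0.1.0", "site2": "10.0.2.0"}

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _take_addr(tokens: List[str]):
    """Consume one PIX address spec: 'host A', 'any', or 'A MASK' (names resolved)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr = NAMES.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list NAME permit ip SRC DST' lines into (src, dst) network pairs."""
    acl: List[Ace] = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        acl.append((src, dst))
    return acl


def matches(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match semantics: any ACE whose src and dst both contain the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def outbound(nat0: List[Ace], crypto: List[Ace], outside_ip: str,
             src: str, dst: str) -> Tuple[str, bool]:
    """Return (source address the crypto map sees, selected for the tunnel).

    nat 0 exemption keeps the real source; otherwise `nat (inside) 1` with
    `global (outside) 1 interface` PATs it to the outside address. The crypto
    ACL is evaluated on the translated packet.
    """
    seen = src if matches(nat0, src, dst) else outside_ip
    return seen, matches(crypto, seen, dst)


# Posted ACLs, site 2 (the relay) and site 1 (the server).
SITE2_CRYPTO_ORIG = [
    "access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0"]
SITE2_CRYPTO_NEW = SITE2_CRYPTO_ORIG + [
    f"access-list outside_cryptomap_20 permit ip host {SITE2_OUTSIDE} host {DHCP_SERVER}"]
SITE1_NAT0 = [
    "access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 site2 255.255.255.0"]
SITE1_CRYPTO_NEW = [
    "access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2 255.255.255.0",
    f"access-list outside_cryptomap_20 permit ip host {DHCP_SERVER} host {SITE2_OUTSIDE}"]
# Candidate extra exemption for the reply flow (assumption, not in the thread).
SITE1_NAT0_EXTRA = [
    f"access-list inside_outbound_nat0_acl permit ip host {DHCP_SERVER} host {SITE2_OUTSIDE}"]


def relay_request_selected(crypto_lines: List[str]) -> bool:
    """Relayed DISCOVER: PIX-originated, sourced from the outside interface, no NAT."""
    return matches(parse_acl(crypto_lines), SITE2_OUTSIDE, DHCP_SERVER)


def server_reply_selected(nat0_lines: List[str], crypto_lines: List[str]) -> Tuple[str, bool]:
    """Server reply 10.0.1.10 -> relay address, through the site 1 PIX's inside."""
    return outbound(parse_acl(nat0_lines), parse_acl(crypto_lines),
                    SITE1_OUTSIDE, DHCP_SERVER, SITE2_OUTSIDE)


if __name__ == "__main__":
    print("request, original crypto ACL:", relay_request_selected(SITE2_CRYPTO_ORIG))
    print("request, with host entry:    ", relay_request_selected(SITE2_CRYPTO_NEW))
    print("reply, crypto host entry only:", server_reply_selected(SITE1_NAT0, SITE1_CRYPTO_NEW))
    print("reply, plus nat 0 exemption:  ",
          server_reply_selected(SITE1_NAT0 + SITE1_NAT0_EXTRA, SITE1_CRYPTO_NEW))
```

The two reply checks are the ones to compare with `show access-list` hit counts: if the crypto host entry on the site 1 PIX never increments, the reply is being translated before the crypto map looks at it.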

 
pawn_daniels@yahoo.com
07-25-2006

> Perhaps the DHCP traffic is not being permitted by the crypto map.
> Since you masked out the IP address for the outbound DHCP packet I will
> assume that it is the outside interface. If that is the case then your
> crypto map does not permit that to be placed into the VPN tunnel


Yes, the masked xxx-address is the outside interface address of the PIX
at site2.

After reading the config example for SNMP and SYSLOG over VPN, I
changed the access-lists like this:

PIX at site 1:
name 10.0.2.0 site2
access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2
255.255.255.0
access-list outside_cryptomap_20 permit ip host 10.0.1.10 host
xxx.xxx.xxx.xxx

PIX at site 2:
name 10.0.1.0 site1
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1
255.255.255.0
access-list outside_cryptomap_20 permit ip host xxx.xxx.xxx.xxx host
10.0.1.10

It still doesn't work...

 
LazioSam
07-25-2006
Change your PIX 1's DHCP to none, and have the DHCP server (Win2k3) use a fixed IP that you set manually.
Then have a try.

You can also check the DHCP server PC's port status: use the command "netstat -an" to see the active ports. If PIX1's DHCP is "Server", ports 67 and 68 (DHCP server) of Win2003 are not active; when you change PIX1's DHCP to "none", these two ports of Win2003 work.

That's what I encountered before when I used DHCP relay through a site-to-site VPN.
But my router is not a Cisco PIX, so I don't know whether this method is useful for you.

I also want to know why; maybe we can talk about it.
 
Merv
07-25-2006
Does show access-list show any hits against the second entry in the
crypto access-list?

 