DHCP relay through a site-to-site VPN

Discussion in 'Cisco' started by pawn_daniels@yahoo.com, Jul 19, 2006.

  1. Guest

    We have two sites: 10.0.1.0/24 and 10.0.2.0/24. They are connected with
    site-to-site VPN using two PIX 501s. Both PIXs are running OS 6.3(5).
    The VPN connection is working fine, and the hosts can access network
    resources both ways.

    First site has a DHCP server (Win2003) with an IP address of 10.0.1.10.
    It has scopes for both networks. The PIX at the 10.0.2.0 site is
    configured as a DHCP relay using this config:

    dhcprelay server 10.0.1.10 outside
    dhcprelay enable inside

    However, the setup doesn't work. The clients at the 10.0.2.0 network
    don't get their IP from the DHCP server at 10.0.1.0 site. The local
    clients at the 10.0.1.0 site do get their IPs from their scope.

    This is what the PIX at site 10.0.2.0 shows:

    pix501# sh dhcpr stat
    Packets Relayed
    BOOTREQUEST 0
    DHCPDISCOVER 45
    DHCPREQUEST 0
    DHCPDECLINE 0
    DHCPRELEASE 0
    DHCPINFORM 0

    BOOTREPLY 0
    DHCPOFFER 0
    DHCPACK 0
    DHCPNAK 0

    I've found very little documentation from Cisco regarding DHCP relay
    through a VPN connection.

    Any ideas what to try?
     
    , Jul 19, 2006
    #1

  2. Merv Guest

    Did you reboot the PIX after you configured the DHCP relay?

    I believe there is a Cisco bug that requires a reboot.
     
    Merv, Jul 19, 2006
    #2

  3. Guest

    Merv wrote:

    > Did you reboot the PIX after you configured the DHCP relay?
    > I believe there is a Cisco bug that requires a reboot.


    I've also heard about the bug, and yes, the PIX has been rebooted after
    configuring the DHCP relay. Quite a few times, actually. Rebooting
    didn't solve the problem.

    Any other ideas?
     
    , Jul 19, 2006
    #3
  4. Merv Guest

    use the capture command to verify that PIX is receiving DHCP requests
    on inside interface and sending them on outside interface

    no access-list DHCP
    access-list DHCP permit udp any any eq bootpc
    access-list DHCP permit udp any any eq bootps

    capture capture1 access-list DHCP interface inside
    capture capture2 access-list DHCP interface outside

    show capture1
    show capture2
     
    Merv, Jul 19, 2006
    #4
  5. RC Guest

    A little alternative advice. Don't use DHCP relay; use the DHCP server on
    the PIX. With the relay you add traffic (albeit only a little), and if the
    Internet connection or VPN tunnel goes down, you also lose your DHCP
    service.

     
    RC, Jul 20, 2006
    #5
  6. Guest

    > use the capture command to verify that PIX is receiving DHCP requests
    > on inside interface and sending them on outside interface


    It seems to work:

    pix501(config)# sh cap capture1
    7 packets captured
    16:45:59.979288 0.0.0.0.68 > 255.255.255.255.67: udp 300
    ....
    16:47:27.017104 0.0.0.0.68 > 255.255.255.255.67: udp 300
    7 packets shown

    pix501(config)# sh cap capture2
    8 packets captured
    16:45:54.988504 xxx.xxx.xxx.xxx.67 > 10.0.1.10.67: udp 300
    ....
    16:47:27.017577 xxx.xxx.xxx.xxx.67 > 10.0.1.10.67: udp 300
    8 packets shown

    However, nothing gets to the DHCP server at site1. I ran a network
    monitor there, and no packet reaches the server. So I guess the problem
    is the PIX at site1?

    Here are some configs from both PIXes...


    PIX at site 1:

    name 10.0.2.0 site2
    access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 site2 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2 255.255.255.0
    ip address outside xxx.xxx.xxx.xxx 255.255.255.224
    ip address inside 10.0.1.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer yyy.yyy.yyy.yyy
    crypto map outside_map 20 set transform-set ESP-AES-256-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address yyy.yyy.yyy.yyy netmask 255.255.255.255 no-xauth no-config-mode


    PIX at site 2:

    name 10.0.1.0 site1
    access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0
    ip address outside yyy.yyy.yyy.yyy 255.255.255.224
    ip address inside 10.0.2.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
    crypto map outside_map 20 set transform-set ESP-AES-256-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
    dhcprelay server 10.0.1.10 outside
    dhcprelay enable inside
     
    , Jul 21, 2006
    #6
  7. Merv Guest

    So it would appear the PIX DHCP relay agent feature is working just
    fine.


    Perhaps the DHCP traffic is not being permitted by the crypto map.
    Since you masked out the IP address for the outbound DHCP packet, I will
    assume that it is the outside interface. If that is the case, then your
    crypto map does not permit that to be placed into the VPN tunnel:
    access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0


    See Cisco PIX config example for SNMP and SYSLOG over VPN tunnel:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example0

    SNMP and SYSLOG both use UDP as transport.
     
    Merv, Jul 21, 2006
    #7
  8. Guest


    > Perhaps the DHCP traffic is not being permitted by the crypto map.
    > Since you masked out the IP address for the outbound DHCP packet, I will
    > assume that it is the outside interface. If that is the case, then your
    > crypto map does not permit that to be placed into the VPN tunnel.


    Yes, the masked xxx-address is the outside interface address of the PIX
    at site2.

    After reading the config example for SNMP and SYSLOG over VPN, I
    changed the access-lists like this:

    PIX at site 1:
    name 10.0.2.0 site2
    access-list outside_cryptomap_20 permit ip 10.0.1.0 255.255.255.0 site2 255.255.255.0
    access-list outside_cryptomap_20 permit ip host 10.0.1.10 host xxx.xxx.xxx.xxx

    PIX at site 2:
    name 10.0.1.0 site1
    access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0
    access-list outside_cryptomap_20 permit ip host xxx.xxx.xxx.xxx host 10.0.1.10

    It still doesn't work...
     
    , Jul 25, 2006
    #8
  9. LazioSam

    Change your PIX 1's DHCP to none, and give the DHCP server (Win2k3) a fixed IP that you set manually.
    Then have a try.

    You can also check the DHCP server PC's port status: use the command "netstat -an" to see the active ports. If PIX1's DHCP is set to "Server", ports 67 and 68 (DHCP server) on Win2003 are not active; when you change PIX1's DHCP to "none", these two ports on Win2003 work.

    That's what I ran into before when I used DHCP relay through a site-to-site VPN.
    But my router is not a Cisco PIX, so I don't know whether this method is useful for you.


    I also want to know why; maybe we can talk about it.
     
    LazioSam, Jul 25, 2006
    #9
  10. Merv Guest

    Does show access-list show any hits against the second entry in the
    crypto access-list?
     
    Merv, Jul 25, 2006
    #10
  11. brokentwig

    I had a very similar issue as above. I couldn't really find an answer on how to relay dhcp requests through a tunnel. I called the TAC and got the answer. Turns out the dhcprelay uses the outside address of the PIX as the source address. You have to add the outside address to the interesting traffic ACL (match address) as well as the nat 0 ACL:

    access-list NoNAT permit IP outside_address dhcpserver_address
    access-list VPN_Interesting permit IP outside_address dhcpserver_address

    And the reverse on the other end. Works like a champ.
     
    brokentwig, Jun 14, 2007
    #11
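As an added example (not part of the thread, and not Cisco's code), here is a small Python model of the diagnosis that Merv's capture (posts #4 and #6) and brokentwig's answer (post #11) add up to: read the show capture lines from the outside interface to find the source address the relay agent actually uses, then evaluate that flow against the crypto ACL with the PIX's first-match semantics. With the original ACL the relayed DISCOVER, sourced from the PIX's own outside address, matches nothing and so never enters the tunnel; with the host/host entry added it does. The address 203.0.113.1 stands in for the site-2 outside address the thread masks as xxx.xxx.xxx.xxx, and the capture text is constructed in the format shown in post #6.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed values: the thread masks the site-2 outside address as
# xxx.xxx.xxx.xxx; 203.0.113.1 is a documentation-range stand-in for it.
SITE2_OUTSIDE = "203.0.113.1"
DHCP_SERVER = "10.0.1.10"

# 'name' aliases as used in the configs posted in the thread.
NAMES = {"site1": "10.0.1.0", "site2": "10.0.2.0"}

# Crypto ACL as originally posted for site 2 (post #6).
ORIGINAL_ACL = [
    "access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 site1 255.255.255.0",
]
# The same ACL with the host entry from post #11 added.
FIXED_ACL = ORIGINAL_ACL + [
    f"access-list outside_cryptomap_20 permit ip host {SITE2_OUTSIDE} host {DHCP_SERVER}",
]

# Constructed 'show capture capture2' output in the format shown in post #6.
CAPTURE2 = """8 packets captured
16:45:54.988504 203.0.113.1.67 > 10.0.1.10.67: udp 300
16:47:27.017577 203.0.113.1.67 > 10.0.1.10.67: udp 300
8 packets shown"""

# timestamp SRC.PORT > DST.PORT: PROTO LEN
CAPTURE_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\w+)"
)


@dataclass
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; resolve 'name' aliases."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        addr = NAMES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(f"{addr}/32"), i + 2
    addr = NAMES.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse PIX 6.x 'access-list NAME permit|deny PROTO SRC DST' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], t[3], src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip, proto="udp"):
    """First matching entry decides, as on the PIX; 'ip' matches any protocol.
    No match is the implicit deny: the packet is not interesting traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def relay_flows(capture_text):
    """(src, dst, proto) for every packet to UDP/67 in 'show capture' output."""
    flows = set()
    for line in capture_text.splitlines():
        m = CAPTURE_RE.match(line)
        if m and m.group(4) == "67":
            flows.add((m.group(1), m.group(3), m.group(5)))
    return flows


def diagnose(capture_text, acl_lines):
    """For each relayed flow seen leaving the outside interface, report whether
    the crypto ACL would have selected it for the tunnel."""
    entries = parse_acl(acl_lines)
    return {
        f"{s}->{d}": acl_permits(entries, s, d, proto)
        for s, d, proto in relay_flows(capture_text)
    }


if __name__ == "__main__":
    print("original ACL:", diagnose(CAPTURE2, ORIGINAL_ACL))
    print("fixed ACL:   ", diagnose(CAPTURE2, FIXED_ACL))
```

The same host/host check applies to the nat 0 ACL on each PIX and to the mirrored entries on the far end, since the DHCP server's reply to the relay has to be selected for the tunnel in the other direction as well.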