

PIX/ASA 7.x as a DHCP Relay Configuration Example

Document ID: 71513

Updated: Oct 13, 2008


Introduction

This document provides a step-by-step guide for how to configure a PIX 500 Series Security Appliance or Cisco Adaptive Security Appliance (ASA) to be a Dynamic Host Configuration Protocol (DHCP) relay. Refer to PIX/ASA as a DHCP Server and Client Configuration Example for information on how to configure a security appliance to be a DHCP server or client.

The DHCP protocol supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server address, and WINS address to hosts. Initially, DHCP clients have none of these configuration parameters. They obtain this information by sending a broadcast request for it. When a DHCP server sees this request, the DHCP server supplies the necessary information. Due to the nature of these broadcast requests, the DHCP client and server must be on the same subnet. Layer 3 devices such as routers and firewalls do not typically forward these broadcast requests by default.

It is not always convenient to place DHCP clients and the DHCP server on the same subnet. In such a situation, you can use DHCP relay. When the DHCP relay agent on the security appliance receives a DHCP request from a host on an inside interface, it forwards the request to one of the specified DHCP servers on an outside interface. When the DHCP server replies to the client, the security appliance forwards that reply back. Thus, the DHCP relay agent acts as a proxy for the DHCP client in its conversation with the DHCP server.

This document focuses on how to configure the PIX/ASA as a DHCP relay using the Cisco Adaptive Security Device Manager (ASDM).

Prerequisites

A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router or other DHCP server connected to a different interface.

These restrictions apply to the use of the DHCP relay agent:

  • The relay agent cannot be enabled if the DHCP server feature is also enabled.

  • Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router.

  • In multiple context mode, you cannot enable DHCP relay or configure a DHCP relay server on an interface that is used by more than one context.

Note: DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through. All other traffic requires an access control list (ACL). In order to allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs:

  • One ACL that allows DHCP requests from the inside interface to the outside, and

  • One ACL that allows the replies from the server in the other direction

Requirements

This document assumes that the PIX Security Appliance or ASA is fully operational and configured to allow the Cisco ASDM to make configuration changes.

Note: Refer to Allowing HTTPS Access for ASDM to allow the device to be configured by the ASDM.

Components Used

The information in this document is based on these software and hardware versions:

  • PIX 500 Series Security Appliance 7.x

  • Cisco ASDM 5.x

  • Cisco 3640 Router

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with Cisco Adaptive Security Appliance 7.x.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Network diagram: pix-asa-dhcp-relay-network-diag.gif]

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.

Configurations

This document uses these configurations:

DHCP Relay Configuration using ASDM

Complete these steps in order to configure the PIX Security Appliance or ASA as a DHCP relay using ASDM.

  1. Choose Configuration > Properties > DHCP Services > DHCP Relay and click Add under the DHCP Relay Servers section.

    [Screenshot: pix-asa-dhcp-relay-1.gif]

  2. In the window that appears, provide the DHCP Server IP address and the interface on which the DHCP server (router) communicates with DHCP relay (PIX).

    [Screenshot: pix-asa-dhcp-relay-2.gif]

  3. Select the interface on which the DHCP clients reside and click Edit in order to enable the DHCP relay agent (inside interface in this example).

    [Screenshot: pix-asa-dhcp-relay-3.gif]

  4. Check the Enable DHCP Relay Agent on the inside interface and Set Route options in the window that appears and click OK. If you choose the Set Route option, it causes the default IP address of the DHCP reply to be substituted with the address of the security appliance interface.

    [Screenshot: pix-asa-dhcp-relay-4.gif]

  5. After you specify the DHCP server IP address and enable the DHCP relay on the required interface, click Apply in order to deliver the commands to the PIX Security Appliance. In order to enable the Command Preview option as this window shows, choose Edit > Preferences.

    [Screenshot: pix-asa-dhcp-relay-5.gif]

DHCP Relay Final Configuration

This configuration is created by the ASDM:

DHCP Relay
pix2#show running-config
: Saved
:
PIX Version 7.2(1)
!
hostname pix2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 10.1.1.11 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 10.2.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
no failover
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server 10.2.1.2 outside

!--- Enter this command in order to set the 
!--- IP address of a DHCP server on a different
!--- interface from the DHCP client.

dhcprelay enable inside

!--- Enter this command in order to 
!--- enable DHCP relay on the interface connected to the clients.

dhcprelay setroute inside

!--- Enter this command to cause the default IP address of the DHCP reply
!--- to be substituted with the address of the security appliance inside interface.

dhcprelay timeout 60

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5622a28fdcd8b8ac8f1365354a62166e
: end
pix2#
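As an added illustration of what the three dhcprelay commands in the configuration above do to the packets (example code written for this page, not Cisco's implementation): on the way out the relay stamps giaddr with its inside interface address and records a binding for the client; on the way back it forwards only replies for clients it holds a binding for, and with setroute it rewrites the router option (option 3) to the inside interface address. The packet builder is a simplified BOOTP/DHCP layout and the MAC address, addresses and server are the ones used in this document.

```python
import struct
from ipaddress import IPv4Address

RELAY_INSIDE = IPv4Address("10.1.1.11")  # "dhcprelay enable inside" / "dhcprelay setroute inside"
DHCP_SERVER = IPv4Address("10.2.1.2")    # "dhcprelay server 10.2.1.2 outside"
MAGIC = b"\x63\x82\x53\x63"              # DHCP option cookie, right after the BOOTP header

def build_packet(op, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Constructed BOOTP/DHCP message: 236-byte fixed header + cookie + options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, IPv4Address(giaddr).packed,
                      bytes.fromhex(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"

def parse_options(pkt):
    """Return {code: value} from the option area, stopping at the 0xff end marker."""
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def relay_request(pkt, bindings):
    """Client -> server: stamp giaddr with the inside address ('setting giaddr to
    10.1.1.11' in the debug output), record a binding, return (packet, next hop)."""
    if pkt[24:28] != b"\0" * 4:              # already relayed once: not supported (see restrictions)
        return None
    chaddr = pkt[28:34].hex()
    bindings[chaddr] = RELAY_INSIDE
    return pkt[:24] + RELAY_INSIDE.packed + pkt[28:], DHCP_SERVER

def relay_reply(pkt, bindings, setroute=True):
    """Server -> client: forward only if a relay binding exists; with setroute the
    router option (3) is rewritten to the inside interface address."""
    chaddr = pkt[28:34].hex()
    if chaddr not in bindings:
        return None                          # no 'relay binding found': dropped
    opts = parse_options(pkt)
    if setroute:
        opts[3] = RELAY_INSIDE.packed
    if opts.get(53) == b"\x05":              # DHCPACK: 'exchange complete', binding deleted
        del bindings[chaddr]
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts.items())
    return pkt[:240] + body + b"\xff"
```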

DHCP Server Configuration

This configuration is created by the Security Device Manager (SDM) on the DHCP server:

DHCP Server
Router#show running-config
Building configuration...

Current configuration : 1053 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8nFh$FRPKRgtLUwcCxuG3r.Mzl/
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected

!--- This command specifies IP addresses 
!--- that a DHCP server should not assign to DHCP clients.

ip dhcp excluded-address 10.1.1.11 10.1.1.254
!

!--- This command configures a DHCP address pool on a Cisco IOS®
!--- DHCP server and enters DHCP pool configuration mode.

ip dhcp pool pool1
   import all
   network 10.1.1.0 255.255.255.0
!
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.0
 full-duplex
!
interface Serial2/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial2/1
 no ip address
 shutdown
!
interface Serial2/2
 no ip address
 shutdown
!
interface Serial2/3
 no ip address
 shutdown
!
ip http server
no ip http secure-server
!

!--- This command creates a static route in order to 
!--- route the reply packets to the DHCP relay interface.

ip route 10.1.1.0 255.255.255.0 10.2.1.1
!
!
logging source-interface Ethernet0/0
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password sdmsdm
 login
!
!
end

Verify

Complete these steps in order to verify the DHCP statistics and the binding information from the DHCP server and DHCP client using ASDM.

  1. Choose Monitoring > Interfaces > DHCP > DHCP Statistics in order to view the statistical information about the DHCP relay services.

    This window appears and provides information on several DHCP message types such as DHCPDISCOVER, DHCPREQUEST, DHCPOFFER, DHCPRELEASE, DHCPACK and so on.

    [Screenshot: pix-asa-dhcp-relay-6.gif]

  2. Choose Monitoring > Logging > Real-time Log Viewer > Enable Logging in order to view the real time logs for the DHCP relay services.

    A user confirmation window appears. Click OK in order to continue.

    [Screenshot: pix-asa-dhcp-relay-7.gif]

    This window shows the sample real time logs. This example shows the status of the UDP connections built between the DHCP server and DHCP client using port numbers 67 and 68.

    [Screenshot: pix-asa-dhcp-relay-8.gif]

Troubleshoot

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug dhcprelay event—Displays event information that is associated with DHCP relay.

  • debug dhcprelay packet—Displays packet information that is associated with DHCP relay.

DHCP Relay Debug Outputs

DHCP Relay (PIX)
pix2#debug dhcprelay event
debug dhcprelay event enabled at level
pix2#debug dhcprelay packet
debug dhcprelay packet enabled at level 
pix2#configure terminal
pix2(config)#logging enable
DHCPD: setting giaddr to 10.1.1.11.


!--- DHCP request forwarded to DHCP server
!--- interface 10.2.1.2.

dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPRA: Adding rule to allow client to respond using offered address 10.1.1.2


!--- After the reply is received from the DHCP server, the 
!--- security appliance forwards it to the DHCP client 
!--- with MAC address 0016.3633.339c and changes the 
!--- gateway address to its own inside interface.

DHCPRA: forwarding reply to client 0016.3633.339c.
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPD: setting giaddr to 10.1.1.11.
dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPRA: forwarding reply to client 0016.3633.339c.
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPD: setting giaddr to 10.1.1.11.
dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPRA: forwarding reply to client 0016.3633.339c.
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPD: setting giaddr to 10.1.1.11.
dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPRA: exchange complete - relay binding deleted for client 0016.3633.339c.
DHCPD: returned relay binding 10.1.1.11/0016.3633.339c to address pool.
dhcpd_destroy_binding() removing NP rule for client 10.1.1.11
DHCPRA: forwarding reply to client 0016.3633.339c.
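Added example (not part of the original document): a small parser that walks debug dhcprelay output of the form shown above and reconstructs, per client MAC, how many requests were forwarded, which address was offered and whether the exchange completed, while flagging two things worth checking on a relay: a giaddr that is not the inside interface address, and a request forwarded to a server other than the one in the dhcprelay server command. The sample lines are constructed from the output above; the configured server and inside address are the ones in this document.

```python
import re

# Constructed sample, modelled on the "debug dhcprelay" output shown above.
SAMPLE_DEBUG = """\
DHCPD: setting giaddr to 10.1.1.11.
dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPRA: Adding rule to allow client to respond using offered address 10.1.1.2
DHCPRA: forwarding reply to client 0016.3633.339c.
DHCPD: setting giaddr to 10.1.1.11.
dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0016.3633.339c.
DHCPRA: exchange complete - relay binding deleted for client 0016.3633.339c.
DHCPRA: forwarding reply to client 0016.3633.339c.
"""

CONFIGURED_SERVERS = {"10.2.1.2"}  # "dhcprelay server 10.2.1.2 outside"
RELAY_INSIDE = "10.1.1.11"          # address of the inside interface

GIADDR = re.compile(r"setting giaddr to (\S+)\.")
FORWARD = re.compile(r"request from (\S+) forwarded to (\S+)\.")
OFFER = re.compile(r"offered address (\S+)")
COMPLETE = re.compile(r"exchange complete .* client (\S+)\.")

def summarize(text):
    """Return (clients, findings): per-client counts of forwarded requests, the
    offered address and whether the exchange completed, plus any lines where the
    relay used an unexpected giaddr or forwarded to a server not in the config."""
    clients, findings, current = {}, [], None
    blank = {"forwarded": 0, "offered": None, "complete": False}
    for line in text.splitlines():
        if m := GIADDR.search(line):
            if m.group(1) != RELAY_INSIDE:
                findings.append(f"giaddr {m.group(1)} is not the inside interface")
        elif m := FORWARD.search(line):
            current, server = m.group(1), m.group(2)
            clients.setdefault(current, dict(blank))["forwarded"] += 1
            if server not in CONFIGURED_SERVERS:
                findings.append(f"{current}: request sent to unconfigured server {server}")
        elif (m := OFFER.search(line)) and current:
            clients[current]["offered"] = m.group(1)
        elif m := COMPLETE.search(line):
            clients.setdefault(m.group(1), dict(blank))["complete"] = True
    return clients, findings
```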

DHCP Server Debug Outputs

DHCP Server (Router)
Router#debug ip dhcp server events
Router#debug ip dhcp server packets
Router#configure terminal
Router(config)#logging console

!--- Receives the DHCP request from the client

*Oct  4 02:59:54.273: DHCPD: DHCPREQUEST received from client 0100.1636.3333.9c.
*Oct  4 02:59:54.273: DHCPD: Sending notification of ASSIGNMENT:

!--- IP address 10.1.1.2 leased to the client

*Oct  4 02:59:54.273:  DHCPD: address 10.1.1.2 mask 255.255.255.0
*Oct  4 02:59:54.273:   DHCPD: htype 1 chaddr 0016.3633.339c

!--- Lease time for the IP address 

*Oct  4 02:59:54.273:   DHCPD: lease time remaining (secs) = 86400
*Oct  4 02:59:54.277: DHCPD: No default domain to append - abort update
*Oct  4 02:59:54.277: DHCPD: Sending DHCPACK to client 0100.1636.3333.9c (10.1.1.2).
*Oct  4 02:59:54.277: DHCPD: unicasting BOOTREPLY for client 0016.3633.339c to relay 10.1.1.11.

Error: DHCP: Cannot enable DHCP Relay on an interface running DHCP Proxy. Remove VPN DHCP config first.

Problem

The Error: DHCP: Cannot enable DHCP Relay on an interface running DHCP Proxy. Remove VPN DHCP config first error message appears.

Solution

This error occurs if both DHCP relay and DHCP proxy are enabled on the same interface. Ensure that either DHCP relay or DHCP proxy is enabled, but not both. Refer to the Cisco bug ID CSCsd22469 (registered customers only) for more information.

Related Information
