Document ID: 71513
This document provides a step-by-step guide for how to configure a PIX 500 Series Security Appliance or Cisco Adaptive Security Appliance (ASA) to be a Dynamic Host Configuration Protocol (DHCP) relay. Refer to PIX/ASA as a DHCP Server and Client Configuration Example for information on how to configure a security appliance to be a DHCP server or client.
The DHCP protocol supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server address, and WINS address to hosts. Initially, DHCP clients have none of these configuration parameters. They obtain this information by sending a broadcast request for it. When a DHCP server sees this request, the DHCP server supplies the necessary information. Due to the nature of these broadcast requests, the DHCP client and server must be on the same subnet. Layer 3 devices such as routers and firewalls do not typically forward these broadcast requests by default.
An attempt to locate DHCP clients and a DHCP server on the same subnet might not always be convenient. In such a situation, you can use DHCP relay. When the DHCP relay agent on the security appliance receives a DHCP request from a host on an inside interface, it forwards the request to one of the specified DHCP servers on an outside interface. When the DHCP server replies to the client, the security appliance forwards that reply back. Thus, the DHCP relay agent acts as a proxy for the DHCP client in its conversation with the DHCP server.
This document focuses on how to configure the PIX/ASA as a DHCP relay using the Cisco Adaptive Security Device Manager (ASDM).
A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router or other DHCP server connected to a different interface.
These restrictions apply to the use of the DHCP relay agent:
The relay agent cannot be enabled if the DHCP server feature is also enabled.
Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router.
For multiple context mode, you cannot enable DHCP relay, or configure a DHCP relay server on an interface that is used by more than one context.
Note: DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through. All other traffic requires an access control list (ACL). In order to allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs:
One ACL that allows DHCP requests from the inside interface to the outside
One ACL that allows the replies from the server in the other direction
This document assumes that the PIX Security Appliance or ASA is fully operational and configured to allow the Cisco ASDM to make configuration changes.
Note: Refer to Allowing HTTPS Access for ASDM to allow the device to be configured by the ASDM.
The information in this document is based on these software and hardware versions:
PIX 500 Series Security Appliance 7.x
Cisco ASDM 5.x
Cisco 3640 Router
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This configuration can also be used with Cisco Adaptive Security Appliance 7.x.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.
This document uses these configurations:
Complete these steps in order to configure the PIX Security Appliance or ASA as a DHCP relay using ASDM.
Choose Configuration > Properties > DHCP Services > DHCP Relay and click Add under the DHCP Relay Servers section.
In the window that appears, provide the DHCP Server IP address and the interface on which the DHCP server (router) communicates with DHCP relay (PIX).
Select the interface on which the DHCP clients reside and click Edit in order to enable the DHCP relay agent (inside interface in this example).
Check the Enable DHCP Relay Agent on the inside interface and Set Route options in the window that appears and click OK. If you choose the Set Route option, it causes the default IP address of the DHCP reply to be substituted with the address of the security appliance interface.
After you specify the DHCP server IP address and enable the DHCP relay on the required interface, click Apply in order to deliver the commands to the PIX Security Appliance. In order to enable the Command Preview option as this window shows, choose Edit > Preferences.
This configuration is created by the ASDM:
pix2#show running-config : Saved : PIX Version 7.2(1) ! hostname pix2 enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0 nameif inside security-level 100 ip address 10.1.1.11 255.255.255.0 ! interface Ethernet1 nameif outside security-level 0 ip address 10.2.1.1 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive pager lines 24 logging enable mtu inside 1500 mtu outside 1500 no failover no asdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh timeout 5 console timeout 0 dhcprelay server 10.2.1.2 outside !--- Enter this command in order to set the !--- IP address of a DHCP server on a different !--- interface from the DHCP client. dhcprelay enable inside !--- Enter this command in order to !--- enable DHCP relay on the interface connected to the clients. dhcprelay setroute inside !--- Enter this command to cause the default IP address of the DHCP reply !--- to be substituted with the address of the security appliance inside interface. dhcprelay timeout 60 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:5622a28fdcd8b8ac8f1365354a62166e : end pix2#
This configuration is created by the Security Device Manager (SDM) on the DHCP server:
Router#show running-config run Building configuration... Current configuration : 1053 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! enable secret 5 $1$8nFh$FRPKRgtLUwcCxuG3r.Mzl/ ! no aaa new-model ! resource policy ! ! ! ip cef no ip dhcp use vrf connected !--- This command specifies IP addresses !--- that a DHCP server should not assign to DHCP clients. ip dhcp excluded-address 10.1.1.11 10.1.1.254 ! !--- This command configures a DHCP address pool on a Cisco IOS® !--- DHCP server and enters DHCP pool configuration mode. ip dhcp pool pool1 import all network 10.1.1.0 255.255.255.0 ! ! interface Ethernet0/0 ip address 10.2.1.2 255.255.255.0 full-duplex ! interface Serial2/0 ip address 172.16.1.1 255.255.255.0 ! interface Serial2/1 no ip address shutdown ! interface Serial2/2 no ip address shutdown ! interface Serial2/3 no ip address shutdown ! ip http server no ip http secure-server ! !--- This command creates a static route in order to !--- route the reply packets to the DHCP relay interface. ip route 10.1.1.0 255.255.255.0 10.2.1.1 ! ! logging source-interface Ethernet0/0 ! ! control-plane ! ! line con 0 line aux 0 line vty 0 4 password sdmsdm login ! ! end
Complete these steps in order to verify the DHCP statistics and the binding information from the DHCP server and DHCP client using ASDM.
Choose Monitoring > Interfaces > DHCP > DHCP Statistics in order to view the statistical information about the DHCP relay services.
This window appears and provides information on several DHCP message types such as DHCPDISCOVER, DHCP REQUEST, DHCP OFER, DHCP RELEASE, DHCP ACK and so on.
Choose Monitoring > Logging > Real-time Log Viewer > Enable Logging in order to view the real time logs for the DHCP relay services.
A user confirmation window appears. Click OK in order to continue.
This window shows the sample real time logs. This example shows the status of the UDP connections built between the DHCP server and DHCP client using port numbers 67 and 68.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug dhcprelay event—Displays event information that is associated with DHCP relay.
debug dhcprelay packet—Displays packet information that is associated with DHCP relay.
|DHCP Relay (PIX)|
pix2#debug dhcprelay event debug dhcprelay event enabled at level pix2#debug dhcprelay packet debug dhcprelay packet enabled at level pix2#configure terminal pix2(config)#logging enable DHCPD: setting giaddr to 10.1.1.11. !--- DHCP request forwarded to DHCP server !--- interface 10.2.1.2. dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2. DHCPRA: Received a BOOTREPLY from interface 2 DHCPRA: relay binding found for client 0016.3633.339c. DHCPRA: Adding rule to allow client to respond using offered address 10.1.1.2 !--- After the reply is received from the DHCP server, the !--- security appliance forwards it to the DHCP client !--- with MAC address 0016.3633.339c and changes the !--- gateway address to its own inside interface. DHCPRA: forwarding reply to client 0016.3633.339c. DHCPRA: relay binding found for client 0016.3633.339c. DHCPD: setting giaddr to 10.1.1.11. dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2. DHCPRA: Received a BOOTREPLY from interface 2 DHCPRA: relay binding found for client 0016.3633.339c. DHCPRA: forwarding reply to client 0016.3633.339c. DHCPRA: relay binding found for client 0016.3633.339c. DHCPD: setting giaddr to 10.1.1.11. dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2. DHCPRA: Received a BOOTREPLY from interface 2 DHCPRA: relay binding found for client 0016.3633.339c. DHCPRA: forwarding reply to client 0016.3633.339c. DHCPRA: relay binding found for client 0016.3633.339c. DHCPD: setting giaddr to 10.1.1.11. dhcpd_forward_request: request from 0016.3633.339c forwarded to 10.2.1.2. DHCPRA: Received a BOOTREPLY from interface 2 DHCPRA: relay binding found for client 0016.3633.339c. DHCPRA: exchange complete - relay binding deleted for client 0016.3633.339c. DHCPD: returned relay binding 10.1.1.11/0016.3633.339c to address pool. dhcpd_destroy_binding() removing NP rule for client 10.1.1.11 DHCPRA: forwarding reply to client 0016.3633.339c.
|DHCP Server (Router)|
Router#debug ip dhcp server events Router#debug ip dhcp server packets Router#configure terminal Router(config)#logging console !--- Receives the DHCP request from the client *Oct 4 02:59:54.273: DHCPD: DHCPREQUEST received from client 0100.1636.3333.9c. *Oct 4 02:59:54.273: DHCPD: Sending notification of ASSIGNMENT: !--- IP address 10.1.1.2 leased to the client *Oct 4 02:59:54.273: DHCPD: address 10.1.1.2 mask 255.255.255.0 *Oct 4 02:59:54.273: DHCPD: htype 1 chaddr 0016.3633.339c !--- Lease time for the IP address *Oct 4 02:59:54.273: DHCPD: lease time remaining (secs) = 86400 *Oct 4 02:59:54.277: DHCPD: No default domain to append - abort update *Oct 4 02:59:54.277: DHCPD: Sending DHCPACK to client 0100.1636.3333.9c (10.1.1 .2). *Oct 4 02:59:54.277: DHCPD: unicasting BOOTREPLY for client 0016.3633.339c to r elay 10.1.1.11.
Error: DHCP: Cannot enable DHCP Relay on an interface running DHCP Proxy. Remove VPN DHCP config first.
The Error: DHCP: Cannot enable DHCP Relay on an interface running DHCP Proxy. Remove VPN DHCP config first error message appears.
This error happens if both DHCP relay and DHCP proxy are enabled. Ensure that either DHCP relay or DHCP proxy are enabled, but not both. Refer to the Cisco bug ID CSCsd22469 (registered customers only) for more information.
- PIX Security Appliance Support Page
- Cisco Secure PIX Firewall Command References
- Documentation for PIX Firewall
- Cisco ASDM Support page
- Technical Support & Documentation - Cisco Systems
|Updated: Oct 13, 2008||Document ID: 71513|