DHCP Relay with Pix 501

Hello,

I don't know why people don't reply to any of my posts. But still, all I can do is try. I am working on a tunnel between a Cisco 837 and a Cisco PIX 501 (remote end). I am able to establish connectivity with IPsec tunnels, but I can't get the PIX to work as a DHCP relay. I have read through the documentation and used the following commands:

dhcprelay server x.x.x.x outside
dhcprelay enable inside
dhcprelay setroute inside (tried with this command and without)
dhcprelay timeout 90 (tried with this command and without)

Now the problem is, I can't ping the DHCP server using the outside interface. I can do it from the inside interface, the reason being that the IPsec tunnels allow the access through the access-list. But then I can't use "dhcprelay server x.x.x.x inside", as I get an error message saying you can't have DHCP requests originating and going to the same interface.

Is there a way to get this working? I can't set up a DHCP server at the remote end as there aren't many clients to justify the cost. I would like to avoid static IP addresses.

Thanks, Ankit

Reply to
apsolar
Note: Use network extension mode for DHCP clients whose DHCP server is on the other side of an Easy VPN tunnel. Otherwise, if the DHCP client is behind a PIX Firewall VPN Easy Remote device connected to an Easy VPN Server using client mode, then the DHCP client will not be able to get a DHCP IP address from the DHCP server on the other side of the Easy VPN Server.

Reply to
Walter Roberson

Hello Walter,

I am not using an Easy VPN tunnel. I have got a site-to-site IPSEC tunnel between the pix(remote end) and cisco 837 adsl router (central end).

Thanks, Ankit

Reply to
apsolar

Hmmm, the original message seems to have disappeared from the server I am using. In particular, there was a part of the original message that said roughly, "I don't know why people don't reply to my posts."

Researching, the answer to that appears to be that the only previous posts under that email address were

1) a question about security profiles for a completely different manufacturer, posted here because this newsgroup is active and the more appropriate resource is not; and 2) a request for confirmation of Cisco information believed not to yet have been publicly released.

I can't say that I'm astonished that there has been little response to the questions.

Reply to
Walter Roberson

The dhcprelay server command opens a UDP port 67 on the specified interface for the specified server and starts the DHCP relay task as soon as a dhcprelay enable command is added to the configuration.

The implication is that the IP address of the relay port is the outside IP address of the server. If that address doesn't reach the client site via VPN, then add the -outside- address into the VPN match address configuration. (Yes, this is completely legal: you can tunnel to/from the -outside- IP just by listing it as a possible source in the crypto map ACL.)

Reply to
Walter Roberson
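Putting Walter's suggestion into config form, as an added example that is not from this thread. All addresses are placeholders (PIX outside 203.0.113.2, remote LAN 192.168.10.0/24, central LAN 192.168.1.0/24 with the DHCP server at 192.168.1.10), the crypto map and ACL names are invented, and the ISAKMP policy, transform set, peer and NAT exemption are assumed to be already in place on both ends.

```text
! --- PIX 501 (remote end), PIX 6.x syntax; placeholders throughout ---
! Existing LAN-to-LAN entry in the crypto ACL (PIX uses netmasks, not wildcards)
access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
! Added entry: the relay sources DHCP traffic from the PIX's own outside
! address, so that host-to-host pair must also be "interesting" traffic
access-list vpn permit ip host 203.0.113.2 host 192.168.1.10
crypto map tomain 10 match address vpn
! Relay: listen on inside, forward to the server reached via outside
dhcprelay server 192.168.1.10 outside
dhcprelay enable inside
dhcprelay setroute inside

! --- Cisco 837 (central end), IOS syntax; mirror image with wildcard masks ---
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip host 192.168.1.10 host 203.0.113.2
crypto map tomain 10 ipsec-isakmp
 match address 110

! Check from the PIX: this ping should now succeed through the tunnel
! ping outside 192.168.1.10
```

If the DHCP server is behind the 837 rather than on it, its route back to 203.0.113.2 must lead to the router so the replies enter the tunnel.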

Thanks Walter,

I will try the option of having the outside IP as the source for my crypto ACL.

Thanks again, Ankit

Reply to
apsolar

Walter, can't the 837 be a DHCP server? I've worked with anything lower than the old 1600. Sure would save this guy a lot of time, cost him nothing, and reduce traffic.

On not getting any replies, it happens to everyone now and then; I've got one (VPN and NAT) that no one has replied to. It just happens; after all, there are lots of posts and it's not like you're paying for it. I also think all the posts don't always get to all the servers. I usually wait as long as I can while trying other resources, and if I'm still stuck, I post again (like I'm about to do).

Reply to
RC
