[c-nsp] Relaying DHCP through small remote VPN (ASA 5505)...
Ryan West
rwest at zyedge.com
Thu Sep 2 11:34:59 EDT 2010
Jeff,
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jeff Kell
> Sent: Thursday, September 02, 2010 10:21 AM
> To: cisco-nsp
> Subject: [c-nsp] Relaying DHCP through small remote VPN (ASA 5505)...
>
> Have a remote setup w/ASA 5505... essentially setting up a site-to-site
> tunnel and routing a local inside subnet back to the main campus. (Default
> inside route part of crypto-map match so all traffic is tunneled).
>
> Everything is working, but I'm less than excited about the 5505's DHCP
> abilities, would rather have the remote addressing managed by our central
> server.
>
> If I enable "DHCP relay" on the inside interface, it insists that the DHCP server
> target is "not" on the inside interface. If I direct it to the outside interface, it
> doesn't go over the tunnel and gets dropped. If I try to specify the relay
> target on the inside interface, it gives an error that it can't reside on an
> interface where relay is enabled.
>
> I suspect I need an outside route that also tunnels?
>
I think you'll need to add another line to your interesting traffic ACL for the public address of the firewall to the inside address of your DHCP server. Have you tried adding 'management-access inside' to see if you still get the DHCP target error?
-ryan
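
A sketch of the change suggested in the reply above, as an added example that is not from the original thread: the relay target is reached via the outside interface, and the relayed flow (firewall public address to the DHCP server) is added to the interesting-traffic ACL. The ACL name VPN-TRAFFIC and all addresses are constructed placeholders.

```text
! Added example, not from the thread. Assumed placeholders:
!   203.0.113.2 = ASA 5505 outside (public) address
!   10.1.1.10   = central DHCP server on the campus side
!   VPN-TRAFFIC = ACL already referenced by the crypto map "match address"
!
! Extra interesting-traffic line: firewall public address to the
! DHCP server, so relayed requests match the crypto map and are tunneled.
access-list VPN-TRAFFIC extended permit udp host 203.0.113.2 host 10.1.1.10 eq bootps
!
! Relay client broadcasts heard on inside to the server reached via outside.
dhcprelay server 10.1.1.10 outside
dhcprelay enable inside
!
! Turn off the local DHCP server on inside so it does not answer clients.
no dhcpd enable inside
!
! Suggested in the reply as something to try against the target error.
management-access inside
```

The campus-side peer needs the mirror-image entry (DHCP server to 203.0.113.2) in its own crypto ACL, since both ends of a site-to-site tunnel must agree on the protected traffic.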