Cisco ASA: DHCP Relay Over VPN

KB ID 0001501


A few weeks ago this was asked on one of the forums I post in. For a long time the ASA didn’t support DHCP relay then finally in version 9 it was added. The question was, can I provide DHCP relay but have the DHCP server on another site (connected via VPN). 

Well I wasn’t sure, so I put it on the mental back burner, until I got my EVE-NG server rebuilt. Below I knocked up a simple two site setup, then connected them via IPSEC VPN. The DHCP client is Windows 7, and the DHCP Server is 2012 R2.

ASA DHCP Relay over VPN


To be honest it could not be simpler! Obviously the site to site VPN needs to be up or it wont work! The config is simply added to the ASA on the DHCP Client side, (or the left hand one in the example above).

SiteA# configure terminal
SiteA(config)# dhcprelay server outside
SiteA(config)# dhcprelay enable inside
SiteA(config)# dhcprelay timeout 60

Of course you need to have a DHCP scope configured on the server for the subnet at Site A.

DHCP Scope


Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. For this to work, do you need management interface set to inside interface via command:
    management-access inside ?

    Post a Reply
  2. Two questions:

    1. Is it possible to use the internal DHCP on a Cisco ASA on one vlan and use the DHCP relay on another vlan?

    2. If I have several vlans behind the Cisco ASA (client side), how do I configure the scope and scope options so that clients on different vlans get correct IPs? Scope option 3=router?

    Post a Reply
    • 1. This would not be a DHCP relay over VPN? This is just a simple DHCP relay.
      2. Assuming you are coming over a VPN, the the SVI/IP on that VLAN, would be sent in the DHCP requests so the right DHCP scope is matched.


      Post a Reply
      • Yes, question 1 is also about DHCP relay over VPN. One vlan with ASA internal DHCP and one with DHCP relay over VPN. When I try it, the ASA tells me that the internal DHCP can’t run at the same time when using DHCP relay. I have one network on separate vlan which does not have any access to the tunnel. Here it would be nice to use ASA DHCP.

        Post a Reply
        • Right – you can’t be a dhcp relay if you are providing DHCP services 🙂

          Post a Reply
  3. Would this setup be the same for a client that is on an IPSEC VPN? Mainly I am looking to find an answer as to if I could use my internal DHCP server for clients that connect to the ASA for VPN services. This would not be a site to site VPN, but a client-server VPN.


    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *