KB ID 0001501
Problem
A few weeks ago this was asked on one of the forums I post in. For a long time the ASA didn’t support DHCP relay; it was finally added in version 9. The question was: can I provide DHCP relay but have the DHCP server at another site (connected via VPN)?
Well I wasn’t sure, so I put it on the mental back burner until I got my EVE-NG server rebuilt. Below I knocked up a simple two-site setup, then connected the sites via an IPsec VPN. The DHCP client is Windows 7, and the DHCP server is 2012 R2.
Solution
To be honest it could not be simpler! Obviously the site-to-site VPN needs to be up or it won’t work! The config is simply added to the ASA on the DHCP client side (the left-hand one in the example above).
[box]
SiteA# configure terminal
SiteA(config)# dhcprelay server 192.168.22.20 outside
SiteA(config)# dhcprelay enable inside
SiteA(config)# dhcprelay timeout 60
[/box]
Of course you need to have a DHCP scope configured on the server for the subnet at Site A.
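The reason the server needs a scope for the Site A subnet is the relay mechanism itself: the relay agent on the client-side ASA stamps its inside interface address into the giaddr field of the forwarded DHCPDISCOVER, and the server picks the scope whose subnet contains giaddr. The following is an added Python illustration of that exchange, written here as an example and not code from the article or from Cisco; the server address 192.168.22.20 is the one used in the config above, while the Site A inside interface address, the client MAC and the scope pools are constructed sample values.

```python
"""Constructed model of DHCP relay scope selection (RFC 2131 giaddr handling).

Not Cisco ASA code. It shows what the relay on the client-side ASA does (set
giaddr to its ingress interface address, forward to the configured server) and
how the server uses giaddr to choose a scope. Addresses other than the server
(192.168.22.20, from the article) are constructed sample values.
"""
import ipaddress
import struct

DHCP_SERVER = "192.168.22.20"       # server at Site B, taken from the article
SITE_A_INSIDE_IF = "192.168.1.1"    # constructed: ASA inside interface at Site A

# Constructed scopes on the server: subnet -> (pool start, pool end).
SCOPES = {
    ipaddress.ip_network("192.168.1.0/24"): ("192.168.1.100", "192.168.1.200"),
    ipaddress.ip_network("192.168.22.0/24"): ("192.168.22.100", "192.168.22.200"),
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options in BOOTP
# Fixed BOOTP header layout: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr (28 bytes), then chaddr (16), sname (64), file (128).
GIADDR_OFFSET = 24


def build_discover(client_mac: bytes, xid: int = 0x1234) -> bytes:
    """Build a minimal DHCPDISCOVER as a client sends it (giaddr = 0.0.0.0)."""
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, 6, 0,          # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,      # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = client_mac.ljust(16, b"\0")
    sname_file = b"\0" * (64 + 128)
    # Option 53 (message type) = 1 (DISCOVER), then the end option.
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + b"\xff"
    return header + chaddr + sname_file + options


def relay(packet: bytes, relay_if_ip: str) -> bytes:
    """Model the relay agent: fill giaddr with the ingress interface IP if it is
    still zero and increment hops, then the packet is unicast to DHCP_SERVER."""
    hops = packet[3] + 1
    giaddr = packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.ip_address(relay_if_ip).packed
    return (packet[:3] + bytes([hops]) + packet[4:GIADDR_OFFSET]
            + giaddr + packet[GIADDR_OFFSET + 4:])


def select_scope(packet: bytes):
    """Server side: choose the scope whose subnet contains giaddr.

    Returns (subnet, pool) or None. None for a relayed packet means the server
    has no scope for the client's subnet and will not answer, which is the
    failure mode seen when the Site A scope is missing."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if int(giaddr) == 0:
        return None  # not relayed; the server would use its receiving interface instead
    for subnet, pool in SCOPES.items():
        if giaddr in subnet:
            return subnet, pool
    return None


if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")       # constructed MAC
    forwarded = relay(discover, SITE_A_INSIDE_IF)
    print("relayed to", DHCP_SERVER, "giaddr set ->", select_scope(forwarded))
    print("relay from a subnet with no scope ->", select_scope(relay(discover, "10.99.0.1")))
```

The forwarded packet is a unicast from the ASA to 192.168.22.20, which is why the article's precondition holds: that unicast has to traverse the site-to-site tunnel, and a scope covering the Site A subnet must exist on the server or the DISCOVER is silently ignored.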
Related Articles, References, Credits, or External Links
NA
For this to work, do you need the management interface set to the inside interface via the command:
management-access inside ?
No – not at all 🙂
Two questions:
1. Is it possible to use the internal DHCP on a Cisco ASA on one vlan and use the DHCP relay on another vlan?
2. If I have several vlans behind the Cisco ASA (client side), how do I configure the scope and scope options so that clients on different vlans get correct IPs? Scope option 3=router?
1. This would not be a DHCP relay over VPN? This is just a simple DHCP relay.
2. Assuming you are coming over a VPN, the SVI/IP on that VLAN would be sent in the DHCP requests, so the right DHCP scope is matched.
P
Yes, question 1 is also about DHCP relay over VPN. One vlan with ASA internal DHCP and one with DHCP relay over VPN. When I try it, the ASA tells me that the internal DHCP can’t run at the same time when using DHCP relay. I have one network on separate vlan which does not have any access to the tunnel. Here it would be nice to use ASA DHCP.
Right – you can’t be a dhcp relay if you are providing DHCP services 🙂
Would this setup be the same for a client that is on an IPSEC VPN? Mainly I am looking to find an answer as to if I could use my internal DHCP server for clients that connect to the ASA for VPN services. This would not be a site to site VPN, but a client-server VPN.
Thanks!
No, you would do this (https://www.petenetlive.com/KB/Article/0001050); that’s written for AnyConnect but it’s the same procedure for IPsec remote VPN clients.
Pete