
How to configure DHCP Relay on Cisco ASA Firewall

Written By Harris Andrea

The ASA 5500 and 5500-X series firewalls can work as a DHCP relay agent, which means that the firewall receives DHCP requests from clients on one interface and forwards them to a DHCP server on another interface.

configuring DHCP relay on Cisco ASA firewall

Usually the DHCP server is located in the same layer 3 subnet with its clients. There are situations however where we have only one DHCP server but several layer 3 networks exist (on different security zones on a Cisco ASA) and dynamic IP allocation is required for those networks as well.

With the DHCP relay feature, we can connect the DHCP server on one network zone and have the firewall forward all DHCP requests from the other network zones to the DHCP server as shown on the high-level diagram below:

requests and replies as relayed by the ASA


As you can see from above, the client broadcasts a discover message in order to find a DHCP server. The ASA forwards (relays) the request out of another interface towards the server. After that, the client sends a request for an IP address, which is again relayed by the ASA to the DHCP server.

The diagram below illustrates a simple network scenario with three security zones (network interfaces) and a single DHCP server.


The three network zones are inside, outside and DMZ. The DHCP clients are connected to the inside network and the DHCP server on the DMZ network. The DHCP requests from the clients on the inside network will be relayed to the server on the DMZ network. The server will assign IP addresses in the range 192.168.1.0/24 to the clients.

Configuration

The following configuration works on both the older 5500 series and the newer 5500-X series (version 9.x).

!First identify the DHCP server and the interface it is connected to
ciscoasa# conf t
ciscoasa(config)# dhcprelay server 10.1.1.100 DMZ
ciscoasa(config)# dhcprelay timeout 90

!Now enable the DHCP relay on the inside interface
ciscoasa(config)# dhcprelay enable inside

!Assign the ASA inside interface IP as default gateway for the clients
ciscoasa(config)# dhcprelay setroute inside

Usage Guidelines

You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA Firewall configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.


DHCP relay cannot be enabled under the following conditions:
• DHCP relay and a DHCP relay server cannot be configured on the same interface.
• DHCP relay and a DHCP server (dhcpd enable) cannot be enabled on the same interface.
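The guidelines above are easy to violate when a configuration grows over time. The following script is an added example (not part of the original article) that lints an ASA running-config text against four of them: at least one dhcprelay server before dhcprelay enable, at most four relay servers per interface, no relay enabled on the interface that holds the relay server, and no dhcpd enable on a relay-enabled interface. The sample configuration is constructed and combines the article's working setup with two deliberately invalid lines.

```python
import re
from collections import defaultdict

# Constructed sample running-config fragment (not captured from a real ASA).
# It contains the article's working relay setup plus two deliberately
# invalid lines: relay enabled on DMZ (where the relay server lives) and
# dhcpd enabled on inside (where relay is enabled).
SAMPLE_CONFIG = """\
dhcprelay server 10.1.1.100 DMZ
dhcprelay timeout 90
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay enable DMZ
dhcpd enable inside
"""

MAX_RELAY_SERVERS_PER_INTERFACE = 4


def lint_dhcprelay(config):
    """Return the list of dhcprelay usage-guideline violations found in config."""
    servers = defaultdict(list)   # interface name -> relay server IPs
    relay_enabled = set()         # interfaces with 'dhcprelay enable'
    dhcpd_enabled = set()         # interfaces with 'dhcpd enable'
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"dhcprelay server (\S+) (\S+)", line):
            servers[m.group(2)].append(m.group(1))
        elif m := re.fullmatch(r"dhcprelay enable (\S+)", line):
            relay_enabled.add(m.group(1))
        elif m := re.fullmatch(r"dhcpd enable (\S+)", line):
            dhcpd_enabled.add(m.group(1))

    problems = []
    if relay_enabled and not servers:
        problems.append("dhcprelay enable used without any dhcprelay server")
    for ifc, ips in sorted(servers.items()):
        if len(ips) > MAX_RELAY_SERVERS_PER_INTERFACE:
            problems.append(f"{ifc}: {len(ips)} relay servers, limit is "
                            f"{MAX_RELAY_SERVERS_PER_INTERFACE}")
    for ifc in sorted(relay_enabled):
        if ifc in servers:
            problems.append(f"{ifc}: dhcprelay enable and dhcprelay server "
                            "on the same interface")
        if ifc in dhcpd_enabled:
            problems.append(f"{ifc}: dhcprelay enable and dhcpd enable "
                            "on the same interface")
    return problems
```

Run `lint_dhcprelay(SAMPLE_CONFIG)` to get the two violations for the sample; feeding it the article's own configuration returns an empty list.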

Use Cases

Suppose you have an internal network with many Layer 3 subnets. The internal network is segmented using Layer 2 VLANs, and each Layer 3 subnet might be connected to a different security zone on the ASA firewall.

Let’s say we have a Windows server environment with Active Directory and a Windows DHCP server located in one network subnet. This DHCP server must allocate IP addresses dynamically to all hosts in the network, irrespective of which network segment each host is connected to.

If you configure DHCP relay as shown above, then all hosts (DHCP clients) will be able to request IP addresses from the DHCP server and the ASA device will forward all these requests to the single server without having to install separate servers in each network segment.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. azri says

    November 23, 2016 at 4:51 am

    I have the same scenario, almost like this, but it’s not working... need help.

  2. Harris Andrea says

    November 23, 2016 at 11:56 am

    Well, I can’t help without any information from you. What is the exact network you have? What devices?

  3. Finn says

    April 10, 2018 at 7:33 pm

    What if the DHCP server sits on the other end of a site-to-site VPN? Would you then set the dhcprelay on the inside interface?

  4. Harris Andrea says

    April 11, 2018 at 4:56 am

    Finn,

    To be honest I haven’t seen an actual scenario like the one you describe (DHCP server on the other end of VPN). My guess is to set the dhcprelay command to something like the following:

    ciscoasa(config)# dhcprelay server 192.168.2.2 outside
    ciscoasa(config)# dhcprelay enable inside

    (Assuming IP 192.168.2.2 belongs to the remote DHCP server).
