The ASA 5500 and 5500-X series firewall can work as DHCP relay agent which means that it receives DHCP requests from clients on one interface and forwards the requests to a DHCP server on another interface.
Usually the DHCP server is located in the same layer 3 subnet with its clients. There are situations however where we have only one DHCP server but several layer 3 networks exist (on different security zones on a Cisco ASA) and dynamic IP allocation is required for those networks as well.
With the DHCP relay feature, we can connect the DHCP server on one network zone and have the firewall forward all DHCP requests from the other network zones to the DHCP server as shown on the high-level diagram below:
As you can see from above, the client broadcasts a DHCP discover message in order to find a DHCP server. The ASA forwards (relays) the request out another interface towards the server. After that, the client sends a request for an IP address, which is again relayed by the ASA to the DHCP server.
The diagram below illustrates a simple network scenario with three security zones (network interfaces) and a single DHCP server.
The three network zones are inside, outside and DMZ. The DHCP clients are connected to the inside network and the DHCP server on the DMZ network. The DHCP requests from the clients on the inside network will be relayed to the server on the DMZ network. The server will assign IP addresses in the range 192.168.1.0/24 to the clients.
Configuration
The following configuration works on both the older 5500 series and the newer 5500-X series (software version 9.x).
!First identify the DHCP server and the interface it is connected to
ciscoasa# conf t
ciscoasa(config)# dhcprelay server 10.1.1.100 DMZ
ciscoasa(config)# dhcprelay timeout 90
!Now enable the DHCP relay on the inside interface
ciscoasa(config)# dhcprelay enable inside
!Assign the ASA inside interface IP as default gateway for the clients
ciscoasa(config)# dhcprelay setroute inside
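To make the relayed exchange above concrete, here is a small model of what the ASA does for one inside client once the commands above are in place. This is an added example written for this article, not ASA software: it assumes the inside interface is 192.168.1.1/24 (the article only names the 192.168.1.0/24 pool), that the server sits at 10.1.1.100 on the DMZ, and that the server's scope carries a router option of 192.168.1.254 so the effect of dhcprelay setroute is visible. The relay stamps its inside address into giaddr, the server picks the scope from giaddr rather than from the interface it received the packet on, and the offer comes back unicast to the relay, which rewrites the router option when setroute is on.

```python
"""Model of the DHCP relay exchange through the ASA (DISCOVER -> OFFER).
Added, constructed example; not Cisco code. Addresses are assumptions."""
import ipaddress
from dataclasses import dataclass, field, replace

ASA_INSIDE_IP = "192.168.1.1"                       # assumed inside interface address
ASA_INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
DHCP_SERVER_IP = "10.1.1.100"                       # from the article (DMZ)
SCOPE_ROUTER = "192.168.1.254"                      # assumed router option on the server scope
OPT_ROUTER = 3                                      # DHCP option 3: default gateway list
MAX_HOPS = 16                                       # RFC 1542 relay rule: discard if hops > 16


@dataclass
class DhcpMessage:
    kind: str                       # "DISCOVER", "OFFER", ...
    xid: int                        # transaction id, echoed in every reply
    chaddr: str                     # client hardware (MAC) address
    hops: int = 0                   # incremented by each relay agent
    giaddr: str = "0.0.0.0"         # relay agent address; 0.0.0.0 when not relayed
    yiaddr: str = "0.0.0.0"         # address offered by the server
    options: dict = field(default_factory=dict)


@dataclass
class Packet:
    src: str
    dst: str
    msg: DhcpMessage


class AsaRelay:
    """What 'dhcprelay enable inside' + 'dhcprelay server <ip> DMZ' make the ASA do."""

    def __init__(self, inside_ip, servers, setroute=False):
        self.inside_ip, self.servers, self.setroute = inside_ip, servers, setroute

    def relay_request(self, pkt: Packet) -> list:
        """Client broadcast on inside -> one unicast copy per configured server."""
        if pkt.msg.hops > MAX_HOPS:
            return []                                # loop protection, nothing forwarded
        msg = replace(pkt.msg, hops=pkt.msg.hops + 1)
        if msg.giaddr == "0.0.0.0":
            msg.giaddr = self.inside_ip              # first relay stamps its own interface IP
        return [Packet(self.inside_ip, s, msg) for s in self.servers]

    def relay_reply(self, pkt: Packet) -> Packet:
        """Server unicast to giaddr -> delivered to the client on the inside interface."""
        if pkt.dst != self.inside_ip:
            raise ValueError("reply not addressed to this relay's giaddr")
        msg = replace(pkt.msg, options=dict(pkt.msg.options))
        if self.setroute:
            # 'dhcprelay setroute inside': router option replaced with the ASA inside IP
            msg.options[OPT_ROUTER] = self.inside_ip
        return Packet(self.inside_ip, "255.255.255.255", msg)


class DhcpServer:
    """Stand-in for the server on the DMZ; it selects the scope from giaddr."""

    def __init__(self, ip, scopes):
        self.ip = ip
        self.scopes = scopes                          # {ip_network: router option value}
        self.pools = {net: iter(net.hosts()) for net in scopes}
        self.leases = {}                              # chaddr -> offered address

    def handle_discover(self, pkt: Packet) -> Packet:
        m = pkt.msg
        if m.giaddr == "0.0.0.0":
            raise ValueError("only relayed DISCOVERs are modelled here")
        net = next(n for n in self.scopes if ipaddress.ip_address(m.giaddr) in n)
        addr = self.leases.get(m.chaddr)
        if addr is None:                              # skip the relay and router addresses
            reserved = {self.scopes[net], m.giaddr}
            addr = str(next(a for a in self.pools[net] if str(a) not in reserved))
            self.leases[m.chaddr] = addr
        offer = DhcpMessage("OFFER", m.xid, m.chaddr, hops=m.hops, giaddr=m.giaddr,
                            yiaddr=addr, options={OPT_ROUTER: self.scopes[net]})
        return Packet(self.ip, m.giaddr, offer)       # unicast to the relay, not a broadcast


def run_exchange(setroute: bool = True) -> dict:
    """Run DISCOVER/OFFER for one constructed client and report the key fields."""
    asa = AsaRelay(ASA_INSIDE_IP, [DHCP_SERVER_IP], setroute=setroute)
    server = DhcpServer(DHCP_SERVER_IP, {ASA_INSIDE_NET: SCOPE_ROUTER})
    discover = DhcpMessage("DISCOVER", xid=0x3903F326, chaddr="00:11:22:33:44:55")
    relayed = asa.relay_request(Packet("0.0.0.0", "255.255.255.255", discover))
    offer_to_relay = server.handle_discover(relayed[0])
    offer_to_client = asa.relay_reply(offer_to_relay)
    return {"relayed_dst": relayed[0].dst, "giaddr": relayed[0].msg.giaddr,
            "offer_dst": offer_to_relay.dst, "yiaddr": offer_to_client.msg.yiaddr,
            "router": offer_to_client.msg.options[OPT_ROUTER]}


if __name__ == "__main__":
    print(run_exchange(setroute=True))
```

Running it with setroute=True yields a 192.168.1.0/24 address with the router option set to 192.168.1.1; with setroute=False the server's own router value (192.168.1.254 in this model) reaches the client unchanged, which is the case the setroute command exists to avoid when the server's scope is not maintained with the firewall's address.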
Usage Guidelines
You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA Firewall configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.
You cannot enable DHCP relay under the following conditions:
• You cannot enable DHCP relay and the DHCP relay server on the same interface.
• You cannot enable DHCP relay and a DHCP server (dhcpd enable) on the same interface.
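The guidelines above are easy to check mechanically before pasting a dhcprelay block into a running firewall. The following linter is an added example, not Cisco tooling: it reads the relevant lines of a config snippet (the two snippets at the bottom are constructed inputs, one matching the article's configuration and one breaking each rule) and reports the violations named above.

```python
"""Lint dhcprelay lines of an ASA config snippet against the usage guidelines.
Added example; constructed sample configs, not a real device's output."""
import re
from collections import defaultdict

MAX_RELAY_SERVERS_PER_INTERFACE = 4   # limit stated in the article


def parse_dhcp_lines(text: str) -> dict:
    """Collect dhcprelay/dhcpd state; line order matters for the 'server first' rule."""
    state = {"servers": defaultdict(list), "relay_enabled": {}, "dhcpd_enabled": set(),
             "first_server_line": None}
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"^.*?\(config\)#\s*", "", raw.strip())   # strip a CLI prompt if present
        if m := re.match(r"dhcprelay server (\S+) (\S+)$", line):
            state["servers"][m.group(2)].append(m.group(1))
            state["first_server_line"] = state["first_server_line"] or n
        elif m := re.match(r"dhcprelay enable (\S+)$", line):
            state["relay_enabled"][m.group(1)] = n
        elif m := re.match(r"dhcpd enable (\S+)$", line):
            state["dhcpd_enabled"].add(m.group(1))
    return state


def check_dhcp_relay(text: str) -> list:
    """Return a list of guideline violations (empty list means the snippet is fine)."""
    s = parse_dhcp_lines(text)
    problems = []
    for iface, n in s["relay_enabled"].items():
        if s["first_server_line"] is None or n < s["first_server_line"]:
            problems.append(f"line {n}: 'dhcprelay enable {iface}' before any 'dhcprelay server'")
        if iface in s["servers"]:
            problems.append(f"{iface}: dhcprelay enable and a dhcprelay server on the same interface")
        if iface in s["dhcpd_enabled"]:
            problems.append(f"{iface}: dhcprelay enable and dhcpd enable on the same interface")
    for iface, servers in s["servers"].items():
        if len(servers) > MAX_RELAY_SERVERS_PER_INTERFACE:
            problems.append(f"{iface}: {len(servers)} relay servers, limit is "
                            f"{MAX_RELAY_SERVERS_PER_INTERFACE}")
    return problems


# Constructed sample inputs
GOOD_CONFIG = """\
dhcprelay server 10.1.1.100 DMZ
dhcprelay timeout 90
dhcprelay enable inside
dhcprelay setroute inside
"""

BAD_CONFIG = """\
dhcprelay enable DMZ
dhcprelay server 10.1.1.100 DMZ
dhcprelay server 10.1.1.101 DMZ
dhcprelay server 10.1.1.102 DMZ
dhcprelay server 10.1.1.103 DMZ
dhcprelay server 10.1.1.104 DMZ
dhcpd enable inside
dhcprelay enable inside
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_dhcp_relay(cfg) or "ok")
```

The linter only sees the lines it is given, so run it on the full `show running-config dhcprelay` and `show running-config dhcpd` output of the device rather than on the snippet you intend to add; the conflicts it looks for are between new and existing lines.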
Use Cases
Suppose you have an internal network with many Layer 3 subnets. There is internal network segmentation using Layer 2 VLANs, and each Layer 3 subnet might be connected to a different security zone on the ASA firewall.
Let's say we have a Windows Server environment with Active Directory and a Windows DHCP server located in one network subnet. This DHCP server must allocate IP addresses dynamically to all hosts in the network, irrespective of which network segment each host is connected to.
If you configure DHCP relay as shown above, then all hosts (DHCP clients) will be able to request IP addresses from the DHCP server and the ASA device will forward all these requests to the single server without having to install separate servers in each network segment.