DHCP in ASA Firewall
When a network includes an ASA, the clients behind one of its interfaces might have no local DHCP server, or the ASA itself might separate them from a working DHCP server that sits on another interface.

In either case the ASA can be configured to assist the clients, either as a DHCP relay agent or as a DHCP server.
Configure a DHCP Relay::
When a client needs an IP address, it sends a DHCP request.

DHCP requests are normally sent as broadcasts. Therefore, unless something relays the request, the DHCP server must be located within the same broadcast domain as the client.
A group of clients might be connected to one ASA interface while the DHCP server is connected to a different interface, with the two interfaces at different security levels.

The ASA does not forward broadcasts from one of its interfaces to another, so by default the clients' DHCP requests never reach the server.
To fix this, the ASA can be configured as a DHCP relay agent, which relays the DHCP requests (broadcasts) received on one interface to a DHCP server found on another interface.

The ASA does this by converting each request into a unicast packet sent to the server on UDP port 67. As with any DHCP relay, the giaddr field of the relayed request is set to the address of the interface on which the request arrived, so the server knows which scope to allocate from and where to send its reply.

The ASA also intercepts the DHCP replies returned by the server and forwards them to the client on the original interface.

Because the ASA sees the replies, it can optionally rewrite the default router option so that the clients use the IP address of the ASA interface itself as their default gateway.
To define the DHCP server to relay to, use the following command, where <nameif> is the ASA interface through which the server is reached:

ciscoasa(config)# dhcprelay server <ip-address> <nameif>

If you have more than one DHCP server, repeat this command to define up to four different servers. In that case each DHCP request is relayed to all of the servers simultaneously, and the client chooses one of the offers it receives.
Next, enable the DHCP relay agent on the ASA interface that faces the clients:

ciscoasa(config)# dhcprelay enable <nameif>
The DHCP offers or replies returned by a server contain a default router address (DHCP option 3) that the clients use as their default gateway.

By default, an ASA passes the default router information back to the client unchanged.

This works fine if the default router address in the reply is already the address of the ASA interface closest to the client.

If it is not, use the following command to override the default router address and replace it with the IP address of the ASA interface that faces the clients:

ciscoasa(config)# dhcprelay setroute <nameif>
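The three relay steps above, put together into one complete configuration. This is an added example, not configuration from the original post; the interface names (inside, dmz), the addressing, and the two server addresses are assumed for illustration, and the dhcprelay timeout line is optional (it bounds how long the ASA waits for a server reply).

```text
! Added example: ASA as a DHCP relay agent. Names and addresses are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! DHCP servers, both reachable through the dmz interface (up to four per the text above)
dhcprelay server 10.2.2.10 dmz
dhcprelay server 10.2.2.11 dmz
! Relay the broadcast requests that arrive on the client-facing interface
dhcprelay enable inside
! Rewrite option 3 in the replies so clients use 10.1.1.1 (the inside interface) as gateway
dhcprelay setroute inside
! Optional: seconds to wait for a server reply before giving up (default is 60)
dhcprelay timeout 90
```

Two checks after applying this: `show dhcprelay state` confirms which interfaces are relaying, and `show dhcprelay statistics` shows the request and reply counters. If requests are counted but no replies arrive, verify that the DHCP server has a route back to the giaddr (10.1.1.1 here), since the server unicasts its reply to that address and not to the client.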
ASA as a DHCP server::
An ASA can manage only dynamic address assignment from a pool of contiguous IP addresses on each interface.

There is no provision for configuring static address assignments, so hosts that need a fixed address must be configured manually or served by a dedicated DHCP server.
Enable the DHCP server on an ASA interface that faces the clients:

ciscoasa(config)# dhcpd enable <nameif>

Create an address pool for clients on an interface (the range must lie within the subnet configured on that interface):

ciscoasa(config)# dhcpd address <ip1>[-<ip2>] <nameif>
Configure DHCP options for clients:

Use the dhcpd option command to define any specific DHCP options that clients need to receive. An option code can be given an ASCII string, an IP address, or a hex string as its value:

ciscoasa(config)# dhcpd option <code> { ascii <string> | ip <ip_address> | hex <hex_string> }

For example, Cisco IP Phone clients expect DHCP option 66 (a TFTP server name) or DHCP option 150 (a list of TFTP server IP addresses) so that they can download their configuration.

By default, an ASA hands out its own interface address as the client's default gateway, but you can override that value by configuring an IP address with DHCP option 3 (default router).
Configure any global DHCP parameters:

Some parameters are global in nature and are handed out in all DHCP replies. Define the DNS servers, WINS servers and default domain name with these commands:

ciscoasa(config)# dhcpd dns <dns1> [<dns2>]
ciscoasa(config)# dhcpd wins <wins1> [<wins2>]
ciscoasa(config)# dhcpd domain <domain-name>
By default, each lease is handed out with a lease time of 3600 seconds (one hour), which can be overridden with a value in seconds:

ciscoasa(config)# dhcpd lease <lease_length>
When an ASA receives a DHCP request from a potential client, it looks up the next available IP address in the pool.

Before a DHCP reply is returned, the ASA sends an ICMP echo request to that address as a test to make sure that it is not already in use by some other host.

By default, the ASA waits 750 ms for an ICMP reply; if no reply is received, it assumes that the IP address is indeed available and assigns it to the client.

If a reply is received, the firewall knows that the address is already in use, so the next address from the pool is tried.

You can override the ping test timer with the following command, giving a timeout in milliseconds (100 to 10000):

ciscoasa(config)# dhcpd ping_timeout <timeout>

Note that a host that does not answer ICMP echo requests (for example, one running a host firewall) is not detected by this test, so the ping check reduces address conflicts but does not rule them out.
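The DHCP server steps above, combined into one complete configuration for a single client-facing interface. This is an added example, not configuration from the original post; the interface name (inside), the addressing, the DNS/WINS/TFTP addresses and the domain name are all assumed for illustration.

```text
! Added example: ASA as a DHCP server. Names and addresses are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Pool must fall within the inside subnet; .1 (the ASA) and .2-.99 are left out for static hosts
dhcpd address 192.168.10.100-192.168.10.199 inside
! Global parameters handed out in every reply
dhcpd dns 192.168.10.5 192.168.10.6
dhcpd wins 192.168.10.5
dhcpd domain example.com
! 8-hour leases instead of the default 3600 seconds
dhcpd lease 28800
! Wait 1 second (instead of 750 ms) for the pre-assignment ping test
dhcpd ping_timeout 1000
! Cisco IP Phones: option 150 carries the TFTP server list as IP addresses
dhcpd option 150 ip 192.168.10.20
! Override the default gateway (without this line clients would get 192.168.10.1)
dhcpd option 3 ip 192.168.10.254
! Turn the server on for the inside interface last, once the pool and options exist
dhcpd enable inside
```

Verify with `show dhcpd state` (which interfaces are serving), `show dhcpd binding` (current leases) and `show dhcpd statistics` (request and reply counters). Keeping the static hosts outside the pool range, as the comment notes, matters because the ASA cannot create reservations and the ping test alone will not protect an address that is silent to ICMP.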