Configure DHCP-relay on Cisco ASA

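This article describes how to configure the DHCP relay function on a Cisco ASA firewall, including detailed configuration steps, debugging output, and the DHCP server configuration. A lab environment built in GNS3 demonstrates how an inside client communicates with an outside DHCP server through the ASA.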


1.Cisco ASA supports the DHCP relay function. The lab below runs on GNS3; the ASA version is ASAv961.

2.Topology:

3.Configuration on ASA:
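!
interface GigabitEthernet0/0
 nameif dmz
 security-level 95
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 90
 ip address 192.0.2.1 255.255.255.0
 ! interface-specific relay server for requests arriving on inside
 dhcprelay server 198.51.100.2
!
! global relay server, reachable through the dmz interface
dhcprelay server 198.51.100.2 dmz
! accept client requests on the inside interface
dhcprelay enable inside
! rewrite the default-router option in replies to the inside interface address
dhcprelay setroute inside
! seconds allowed for relay address negotiation
dhcprelay timeout 60
!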
Configuration on DHCP Server:

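!
interface Ethernet0/0
 ip address 198.51.100.2 255.255.255.0
!
! return route to the client subnet behind the ASA
ip route 192.0.2.0 255.255.255.0 198.51.100.1

!
! leaves 192.0.2.3 - 192.0.2.9 available for leases
ip dhcp excluded-address 192.0.2.1 192.0.2.2
ip dhcp excluded-address 192.0.2.10 192.0.2.254
!
ip dhcp pool POOL1
 import all
 network 192.0.2.0 255.255.255.0
 dns-server 192.0.2.10 192.0.2.11
 domain-name cisco.com
 ! the ASA's "dhcprelay setroute inside" replaces this with 192.0.2.1 in replies to clients
 default-router 198.51.100.2
!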

4.Debugging
on DHCP server:
# debug ip dhcp server packet
# show ip dhcp binding
# clear ip dhcp binding *
# show ip dhcp server statistics

on ASA relay-agent:
# debug dhcprelay event
# debug dhcprelay packet

5.Output
ASA debugging output:
    DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside interface
    DHCP: Received a BOOTREQUEST from interface 4 (size = 364)
    DHCPD/RA: Binding successfully added to hash table
    DHCPRA: relay binding created for client 0050.7966.6801.
    DHCPRA: setting giaddr to 192.0.2.1.
    dhcpd_forward_request: request from 0050.7966.6801 forwarded to 198.51.100.2.
    DHCPD/RA: Relay msg received, fip=ANY, fport=0 on dmz interface
    DHCP: Received a BOOTREPLY from relay interface 3 (size = 301, xid = 0xd48a2408) at 01:41:39 UTC Sun Jul 15 2018
    DHCPRA: relay binding found for client 0050.7966.6801.
    DHCPD/RA: creating ARP entry (192.0.2.3, 0050.7966.6801).
    DHCPRA: Adding rule to allow client to respond using offered address 192.0.2.3
    DHCPRA: forwarding reply to client 0050.7966.6801.
    DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside interface
    DHCP: Received a BOOTREQUEST from interface 4 (size = 364)
    DHCPRA: relay binding found for client 0050.7966.6801.
    DHCPRA: Server requested by client 198.51.100.2
    DHCPRA: setting giaddr to 192.0.2.1.
    DHCPRA: Server request counter 1
    dhcpd_forward_request: request from 0050.7966.6801 forwarded to 198.51.100.2.
    DHCPD/RA: Relay msg received, fip=ANY, fport=0 on dmz interface
    DHCP: Received a BOOTREPLY from relay interface 3 (size = 301, xid = 0xd48a2408) at 01:41:40 UTC Sun Jul 15 2018
    DHCPRA: relay binding found for client 0050.7966.6801.
    DHCPRA: exchange complete - relay binding deleted for client 0050.7966.6801.
    DHCPD/RA: Binding successfully deactivated
    DHCPRA: returned relay binding 192.0.2.1/0050.7966.6801 to address pool.
    dhcpd_destroy_binding() removing NP rule for client 192.0.2.1
    DHCPD/RA: free ddns info and binding
    DHCPD/RA: creating ARP entry (192.0.2.3, 0050.7966.6801).
    DHCPRA: forwarding reply to client 0050.7966.6801.

DHCP SERVER debugging output:
DHCPserver#
Jul 15 01:41:45.067: DHCPD: client's VPN is .
Jul 15 01:41:45.067: DHCPD: No option 125
Jul 15 01:41:45.067: DHCPD: DHCPDISCOVER received from client 0100.5079.6668.01 through relay 192.0.2.1.
Jul 15 01:41:45.067: DHCPD: Sending DHCPOFFER to client 0100.5079.6668.01 (192.0.2.3).
Jul 15 01:41:45.067: DHCPD: no option 125
Jul 15 01:41:45.067: DHCPD: unicasting BOOTREPLY for client 0050.7966.6801 to relay 192.0.2.1.
Jul 15 01:41:46.061: DHCPD: client's VPN is .
Jul 15 01:41:46.061: DHCPD: No option 125
Jul 15 01:41:46.061: DHCPD: DHCPREQUEST received from client 0100.5079.6668.01.
Jul 15 01:41:46.061: DHCPD: Appending default domain from pool
Jul 15 01:41:46.061: DHCPD: Using hostname 'PC-21.cisco.com.' for dynamic update (from hostname option)
Jul 15 01:41:46.061: DHCPD: Sending DHCPACK to client 0100.5079.6668.01 (192.0.2.3).
DHCPD: Setting only requested parameters
Jul 15 01:41:46.061: DHCPD: no option 125
Jul 15 01:41:46.061: DHCPD: unicasting BOOTREPLY for client 0050.7966.6801 to relay 192.0.2.1.
DHCPserver#
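
The ASA relay debug output above can be checked against the relay configuration automatically. The following Python sketch is an added example, not part of the original lab: it parses the four message formats seen in the ASA output and reports a relay to a server other than 198.51.100.2, a giaddr other than 192.0.2.1, or a lease outside 192.0.2.0/24. The function name `audit_relay_debug` and the summary layout are assumptions made for this example.

```python
import ipaddress
import re

# Expected values, taken from the ASA configuration on this page.
RELAY_SERVERS = {"198.51.100.2"}                    # dhcprelay server ... dmz
GIADDR = "192.0.2.1"                                # inside interface address
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")   # inside subnet

# Message formats as they appear in the `debug dhcprelay` output above.
PATTERNS = {
    "giaddr": re.compile(r"setting giaddr to (\S+?)\.$"),
    "forward": re.compile(r"request from (\S+) forwarded to (\S+?)\.$"),
    "offer": re.compile(r"creating ARP entry \((\S+), (\S+)\)\.$"),
    "done": re.compile(r"exchange complete - relay binding deleted for client (\S+?)\.$"),
}

def audit_relay_debug(text):
    """Return (per-client summary, findings) for ASA relay debug output."""
    clients, findings = {}, []
    def entry(mac):
        return clients.setdefault(mac, {"address": None, "complete": False})
    for line in map(str.strip, text.splitlines()):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "giaddr" and m.group(1) != GIADDR:
                findings.append(f"unexpected giaddr {m.group(1)}")
            elif kind == "forward":
                mac, server = m.groups()
                entry(mac)
                if server not in RELAY_SERVERS:
                    findings.append(f"{mac} relayed to unconfigured server {server}")
            elif kind == "offer":
                ip, mac = m.groups()
                entry(mac)["address"] = ip
                if ipaddress.ip_address(ip) not in INSIDE_NET:
                    findings.append(f"{mac} offered {ip}, outside {INSIDE_NET}")
            elif kind == "done":
                entry(m.group(1))["complete"] = True
    return clients, findings

# Lines copied from the ASA output on this page (abridged).
SAMPLE = """\
DHCPRA: setting giaddr to 192.0.2.1.
dhcpd_forward_request: request from 0050.7966.6801 forwarded to 198.51.100.2.
DHCPD/RA: creating ARP entry (192.0.2.3, 0050.7966.6801).
DHCPRA: exchange complete - relay binding deleted for client 0050.7966.6801.
"""
```

Calling `audit_relay_debug(SAMPLE)` returns the client 0050.7966.6801 with address 192.0.2.3, marked complete, and an empty findings list.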

Reference and Further reading:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html

Reposted from: https://blog.51cto.com/blade20/2142636
