IP Helper Address on the ASA

In a branch office environment, it is often desirable to backhaul DHCP requests to a centralized DHCP server. DHCP request are initially sent to a broadcast address and therefore do not typically get forwarded through a router or other layer 3 device. Many realize that it is possible to overcome this challenge by configuring a helper address on a router. However, fewer realize this can be done on the ASA firewall as well.

The ASA calls this “dhcprelay”. Assuming the centralized DHCP server is 10.2.2.2, the following compares “dhcprelay” configuration on the ASA to the “ip helper-address” configuration on an IOS device.

ASA DHCP Relay Configuration

//DHCP server is located outside at 10.2.2.2
//inside interface has dhcp clients
ASA(config)# dhcprelay server 10.2.2.2 outside
ASA(config)# dhcprelay enable inside

IOS Helper Address Configuration (Router Equivalent Example)

//Interface Fa0/0 dhcp clients
//DHCP server is at 10.2.2.2
interface FastEthernet0/0
 ip helper-address 10.2.2.2

As can be seen here, it is possible to centralize the DHCP configuration in a branch office environment. This is true with both IOS and ASA environments. The other thing that many don’t realize is that this will work through a VPN tunnel as well. All that is necessary is that the inside interface range and the dhcp server IP address be included in the crypto acl. This usually requires no special configuration.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To and tagged . Bookmark the permalink.

12 Responses to IP Helper Address on the ASA

  1. Clay says:

    The obvious question becomes: Should I forward my DHCP request to a server that is across the Internet, even if there is a VPN? With Windows AD, this is desirable because of the relatively tight integration with DNS. Barring that, I prefer not to risk letting my local LAN hosts run the risk of not having a DHCP server available when I need one and then having them end up with 169.254.x.y addresses.

    Yes, this problem can be addressed partially with very long lease durations, but with the ever increasing number of devices on LANs (iPhones, iPads, Androids, etc.), they’ll clutter up your pool in no time and you’ll run out of addresses.

    What do you think?

    • Personally I agree with your concern. I have never configured a helper address on an ASA in the field for any of my green field deployments. I have worked behind others that use them. I always prefer configure DHCP locally on the ASA (for ASA only branch offices). I guess there are some benefits to centralized DHCP management. However in practice, locally deployed DHCP makes the most sense to me when there is a VPN involved.

  2. matt says:

    Hi Paul-

    could i use the dhcp relay function to forward broadcasts? I want to use ip helper address, but i have an asa. Having some trouble figuring out what i need to do.

    if you have a second could you “switch” me in the right direction?

    Hi-

    I’m trying to get directed broadcasts to work(i think that is what i need to use) I have no idea. Does this sound like directed broadcasts would work in my situation?

    I am running ps3 media server on my ps3 in another subnet, i want to allow broadcasts in the ASA destined for my workstation that is behind the asa, once the workstation hears the broadcast then it can reply back to the PS3 and establish the connection.

    I attached a quick paint image that i made.

    Does this sound like something i can use, and if so how do i do this?

    • Clay says:

      Matt: As far as I know, you can’t do this. You can look at putting the ASA in transparent mode, but then you lose a lot of functionality and I’m not sure it’ll work in the first place.

      Why don’t you want to put your PS3 on the same LAN as your workstation? If you have more than 1 public IP address and can dedicate one to the PS3, then it shouldn’t be too hard to overcome any NAT issues that might pop up.

      • matt says:

        Hi Clay-

        Thanks for the info. Well, originally i had actiontec>asa> workstation and PS3 and Wireless AP. I was having trouble with my PS3 losing connection to PSN, with a DNS error. I tried using verizon dns servers, open dns, google dns, etc Same error. I port forwarded, uPnP, put it in DMZ off the actiontec etc, same thing. Once i moved the PS3 in front of the asa my problems went away. But, i also was running that over powerline adapters too, so i ran cat5 directly from the actiontec to my server room. I guess i changed a few things at once. šŸ™‚

        On top of that, i was running the playstation media server from a virtualbox VM off my 2nd NIC of my workstation, and it was skipping a lot, (the 2nd nic was in the same subnet as the actiontec and ps3, i just ran a cable to that), So i was going to try and run the media server off my workstation, (No VM), but that is behind my 10.1.1.x network behind the ASA.

        as you can see it gets pretty hairy and confusing. I’m thinking about either putting everything behind the actiontec, and taking the asa out of the equation, or putting all my stuff behind the asa, but, then i question how the ps3 will handle being double natted. Ideally, i’d like to keep the ASA in the mix, as it gives me peace of mind, plus i bought it for a reason, so i want to use it

        thoughts?

  3. matt says:

    trying to paste a tag to my photobucket album with a paint pic i made..

  4. Clay says:

    Well, I don’t have a PS3, so I can’t speak specifically to this, but I found an article that might help you. Check out this link.

    If you have more than one IP address from your ISP, just do a static directly to the PS3 and then allow the range of ports they mention. Otherwise, you’ll have to poke through a bunch of statics.

    Good luck, and please let us know if you try it and it works.

    • matt says:

      Okay. I don’t have a static ip from verizon…wish i did though. I’m thinking about moving all my stuff around again and seeing what double natting will do to my PS3.

      thanks for that link, although i dont play the games he mentioned, i do play battlefield 3, and i know they use like 5 or 6 different ports, so i will need to look those up again.

      thanks for your help

    • matt says:

      I just moved my ps3 behind my asa last night. PSN says Nat type 2, which is pretty good. ASA doesn’t support UPnP, so i am going to create some ACLs to forward tcp, udp ports to ps3. Playstation media server seems to work great now that the ps3 is in the same subnet as the workstation.

      thanks again

  5. Ianjf says:

    Don’t you mean the Outside Interface has to be included in the Crypto ACL also????

  6. sai says:

    really great information thanks a lot saved my time

Comments are closed.