002. DEPLOYING DHCP SERVICES ON THE ASA
Client devices that are connected to a network need to use unique IP addresses so that they can communicate. Although a client can be configured with a static IP address, most often it relies on a DHCP server to provide an IP address that can be “checked out” or leased for a period of time.
When a network includes an ASA, either the clients have no local DHCP server at all, or the ASA separates them from a working DHCP server. You can configure the ASA to assist the clients in either case, as described in the sections that follow.
THE ASA AS A DHCP RELAY
In many networks the DHCP server is not on the same network as the DHCP clients. In that case the clients' default gateway must relay the DHCP requests from the clients to the DHCP server.
When a client needs an IP address for itself, it sends a DHCP request, hoping that a DHCP server can hear the request and answer. DHCP requests are normally sent as broadcasts, because the DHCP server address is not known ahead of time. Therefore, a DHCP server must be located within the same broadcast domain as a client. When an ASA is introduced into a network, it might also introduce a new security domain boundary that separates clients from a DHCP server.
For example, a group of clients might be connected to one ASA interface, and the DHCP server might be connected to a different interface. By default, an ASA will not forward DHCP requests from one of its interfaces to another. You can configure an ASA to use the DHCP relay agent feature to relay DHCP requests (broadcasts) received on one interface to a DHCP server found on another interface.
The ASA does this by converting the broadcast requests into unicast packets addressed to the DHCP server on UDP port 67. The ASA can also intercept the replies returned by the DHCP server and rewrite the default router option so that the clients use the IP address of the ASA interface itself as their gateway (the dhcprelay setroute option).
In this demonstration we use the Windows Server 2012 DHCP role. That is, Windows Server 2012 acts as the DHCP server, and the Cisco ASA firewall is configured to relay DHCP messages between the DHCP clients and the DHCP server.
WINDOWS SERVER AS THE DHCP SERVER
As you can see from the figure above, four DHCP scopes (pools) are configured on this Windows Server 2012 server, one for each of the ICT, HR, FINANCE and PROCUREMENT networks.
CONFIGURING DHCP RELAY SERVICE ON THE ASA
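The relay configuration this section refers to, written out as an added example (it is not the page's own configuration, which is not reproduced here). The interface names ict, hr, finance, procurement and dmz, and the DHCP server address 10.0.1.10 in the DMZ, are assumptions; the four client networks match the 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 and 10.0.40.0/24 pools used in the test section.

```cisco
! Added example, not the page's own config. Names and addresses are assumed.
! The DHCP server lives behind the DMZ interface. The ASA will unicast
! relayed requests to this address on UDP/67 and accept replies only from it.
dhcprelay server 10.0.1.10 dmz
!
! Listen for client broadcasts on each inside network and relay them.
dhcprelay enable ict
dhcprelay enable hr
dhcprelay enable finance
dhcprelay enable procurement
!
! Rewrite the router option in relayed OFFER/ACK replies so the clients use
! the ASA interface address as their default gateway, regardless of what
! the Windows scope option 003 says.
dhcprelay setroute ict
dhcprelay setroute hr
dhcprelay setroute finance
dhcprelay setroute procurement
!
! Seconds to wait for the server's reply before the relayed request is dropped.
dhcprelay timeout 90
!
! Verification from the ASA CLI:
!   show dhcprelay state        - relay status per interface
!   show dhcprelay statistics   - DISCOVER/OFFER/REQUEST/ACK counters
!   debug dhcprelay packet      - per-packet trace while a client renews
```

Two points worth checking before trusting the lab: the relay itself opens the return pinhole for the configured server, so no access list permitting UDP 67/68 from the DMZ is required, and replies from any other address are discarded, which is the property you want against a rogue DHCP server in the DMZ. Also, an ASA interface can either serve DHCP (dhcpd) or relay it (dhcprelay), not both; if dhcpd enable is already present on one of the client interfaces, remove it first or the dhcprelay enable command will be rejected.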
TESTING THE DHCP SERVICE
Now it is time to test whether the DHCP service is working as expected. In this demo we have four PCs: PC1 in the ICT network, PC2 in the HR network, PC3 in the FINANCE network and PC4 in the PROCUREMENT network, as shown below.
As you can see from the figure above, PC1 has received an IP address from the DHCP server in the DMZ and it has received the correct address (10.0.10.50) from the correct address pool (10.0.10.50 – 10.0.10.250).
As you can see from the figure above, PC2 has received an IP address from the DHCP server in the DMZ and it has received the correct address (10.0.20.50) from the correct address pool (10.0.20.50 – 10.0.20.250).
As you can see from the figure above, PC3 has received an IP address from the DHCP server in the DMZ and it has received the correct address (10.0.30.50) from the correct address pool (10.0.30.50 – 10.0.30.250).
As you can see from the figure above, PC4 has received an IP address from the DHCP server in the DMZ and it has received the correct address (10.0.40.50) from the correct address pool (10.0.40.50 – 10.0.40.250).
VERIFICATION ON THE DHCP SERVER
We can now verify that the Windows DHCP server shows a lease for each of those addresses in the corresponding scope, which confirms that the relayed requests reached the server and that the replies were returned through the ASA.