DHCP relay with NAT, DHCP server sending DHCPOFFER to wrong IP

AK0
Level 1

I configured NAT and DHCP relay in GNS3, and all hosts have end-to-end reachability, I can ping PC44 from PC11 and PC22, and also from PC33 if I configure a static IP address.

On the NAT router (R11), I also configured DHCP relay with 'helper-address' on the LAN interface to which DHCP clients are connected. R11 is directly connected to R22. The DHCP server is on R22. There I configured a DHCP pool for hosts in network 192.168.33.0/24 (LAN connected to R11).

But because I am using NAT (PAT), all traffic from 192.168.33.0/24 is translated into an Inside Global address (200.1.1.1) on R22. The NAT is working. But the DHCP client connected to R11 can't get an IP address from DHCP server R22.

Debug (debug ip dhcp server packet) on R22 shows that DHCPDISCOVER messages are arriving. And DHCPOFFER are being sent.

Debug (debug ip packet detail) on R22 shows that packets with source IP of the Inside Global address are arriving on R22, however it also shows that the DHCP server (R22) is sending back a reply to the destination of the leased IP address (for example 192.168.33.102), and not to the public address aka the Inside Global IP.... Is this normal behavior? Or am I missing a configuration setting on R22?

Edit: I added a screenshot of the network topology.

Accepted Solutions

Use ip dhcp relay source-interface under the interface, and you can see that now R3 (the local DHCP server) sends traffic to 100.0.0.2 instead of using 10.0.0.2.

That is the solution for this case if you face it in the future.

MHM

Screenshot (362).png

Screenshot (363).png


balaji.bandi
Hall of Fame

You need to post the debug logs and the configuration of SW11, R11 and R22 to verify.

 

BB


I'm including the config of R11 and R22.

SW11 is not the problem though, because the PCs on the left can ping PC44 on the right, so there is end-to-end connectivity, and R11 is a DHCP server for VLAN22, which is working.

Edit: added code tags for IOS configs.

R11 config:

R11#sh run
Building configuration...

Current configuration : 2436 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R11
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip icmp rate-limit unreachable
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.22.1 192.168.22.99
!
ip dhcp pool VLAN22
   network 192.168.22.0 255.255.255.0
   default-router 192.168.22.1
   lease 0 1
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.2
 encapsulation dot1Q 22
 ip address 192.168.22.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.3
 encapsulation dot1Q 33
 ip address 192.168.33.1 255.255.255.0
 ip helper-address 200.1.1.2
 ip nat inside
 ip virtual-reassembly
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 192.168.2.0 255.255.255.0 200.1.1.2
!
!
no ip http server
no ip http secure-server
ip nat pool INSIDEGLOBAL-VLAN1 200.1.1.100 200.1.1.105 netmask 255.255.255.0
ip nat inside source list VLAN1 pool INSIDEGLOBAL-VLAN1
ip nat inside source list VLAN22 interface FastEthernet0/1 overload
ip nat inside source list VLAN33 interface FastEthernet0/1 overload
!
ip access-list standard VLAN1
 permit 192.168.1.0 0.0.0.255
ip access-list standard VLAN22
 permit 192.168.22.0 0.0.0.255
ip access-list standard VLAN33
 permit 192.168.33.0 0.0.0.255
!

R22 config:

R22#sh run
Building configuration...

Current configuration : 1426 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R22
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip icmp rate-limit unreachable
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.33.1 192.168.33.99
!
ip dhcp pool VLAN33
   network 192.168.33.0 255.255.255.0
   default-router 192.168.33.1
   lease 0 1
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 200.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!

 

The configs that I just posted were apparently not approved? Are you allowed to post configs here?

In the end, does the host get an IP from the DHCP server?

It doesn't matter whether the IP of the DHCP request is NATed or not; inside the DHCP request there is an option that lists the real IP, not the mapped IP, and hence the DHCP server (local DHCP) can use it to assign an IP from the correct pool.

MHM

mwaltner12
Level 1

I was able to get this working by using an extended ACL for NAT. First it denies UDP traffic for destination port 67 (if it is dest. port 67 the address will not be translated); this allows the device to get an IP. At the end of the ACL I permit all other traffic, so if the PC wants to go to the internet then the address will get translated like normal.

So you're not doing NAT for DHCP requests? As you can see in the network topology in my post above, I use RFC1918 addresses on the left, so they should be translated. R22 should be seen as an ISP router, the fact that I use 192.168.2.0/24 on the right can be ignored, but I might change that.

Sorry, I missed that that was an ISP, I thought it was a different site or something, then my solution won't work.

You did not answer me: does the host get an IP?
If the server is in HQ, miles from the host, does that mean that the host cannot get an IP?

As I mentioned, the DHCP header is affected by NAT, but the inside of the DHCP message is not affected by NAT.

MHM

PC33 cannot get an IP from R22. But I think it's working now finally.... it was an issue with SW11. Apparently the VLANs did not exist on the switch. After adding the VLANs, the interfaces show up as being part of those VLANs.... which is strange because I did configure them, but after starting GNS3 again, they disappeared..

Thanks for the suggestions.

Nope still not. It worked suddenly because of another reason. Still not working.

You are so so welcome

Have a nice day

MHM

AK0
Level 1

False alarm, it worked suddenly because I reloaded the routers without saving configuration. So R22 had routes to the networks on the left:

ip route 192.168.33.0 255.255.255.0 200.1.1.1

which should not happen, because those networks are private, internal to the enterprise on the left in the network topology. So an "ISP" router should not have those routes.

Here is a debug (debug ip dhcp server packet) on R22 when PC33 is sending DHCPDISCOVER, and R11 relaying it:

R22#
*Mar 1 00:17:09.443: DHCPD: DHCPDISCOVER received from client 0100.5079.6668.05 through relay 192.168.33.1.
*Mar 1 00:17:09.447: DHCPD: Sending DHCPOFFER to client 0100.5079.6668.05 (192.168.33.101).
*Mar 1 00:17:09.447: DHCPD: unicasting BOOTREPLY for client 0050.7966.6805 to relay 192.168.33.1.
*Mar 1 00:17:10.433: DHCPD: DHCPDISCOVER received from client 0100.5079.6668.05 through relay 192.168.33.1.
*Mar 1 00:17:10.437: DHCPD: Sending DHCPOFFER to client 0100.5079.6668.05 (192.168.33.101).
*Mar 1 00:17:10.441: DHCPD: unicasting BOOTREPLY for client 0050.7966.6805 to relay 192.168.33.1.
R22#
*Mar 1 00:17:13.430: DHCPD: DHCPDISCOVER received from client 0100.5079.6668.05 through relay 192.168.33.1.
*Mar 1 00:17:13.430: DHCPD: Sending DHCPOFFER to client 0100.5079.6668.05 (192.168.33.101).
*Mar 1 00:17:13.434: DHCPD: unicasting BOOTREPLY for client 0050.7966.6805 to relay 192.168.33.1.

And here's a debug on R22 of debug ip packet:

*Mar  1 00:22:18.426: IP: tableid=0, s=200.1.1.1 (FastEthernet0/1), d=200.1.1.2 (FastEthernet0/1), routed via RIB
*Mar  1 00:22:18.426: IP: s=200.1.1.1 (FastEthernet0/1), d=200.1.1.2 (FastEthernet0/1), len 392, rcvd 3
*Mar  1 00:22:18.438: IP: s=199.1.2.1 (local), d=192.168.33.1, len 328, unroutable
*Mar  1 00:22:19.423: IP: tableid=0, s=200.1.1.1 (FastEthernet0/1), d=200.1.1.2 (FastEthernet0/1), routed via RIB
*Mar  1 00:22:19.427: IP: s=200.1.1.1 (FastEthernet0/1), d=200.1.1.2 (FastEthernet0/1), len 392, rcvd 3
*Mar  1 00:22:19.435: IP: s=199.1.2.1 (local), d=192.168.33.1, len 328, unroutable

Note: I changed the network on the right from 192.168.2.0/24 to 199.1.2.0/24 to make it more closely resemble an internet network, so 199.1.2.1 is R22's f0/0 interface.

 

Don't worry.

Now share the IP that receives the DHCP request from the host (the IP of the interface configured with ip dhcp helper).

And the DHCP pool config.

MHM

DHCP relay configured on R11:

R11#sh run int f0/0.3
Building configuration...

Current configuration : 165 bytes
!
interface FastEthernet0/0.3
 encapsulation dot1Q 33
 ip address 192.168.33.1 255.255.255.0
 ip helper-address 200.1.1.2
 ip nat inside
 ip virtual-reassembly
end

The DHCP pool for VLAN33 on the left (192.168.33.0/24), configured on R22:

ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp pool VLAN33
   network 192.168.33.0 255.255.255.0
   default-router 192.168.33.1 
   lease 0 1

 And the interfaces on R22:

interface FastEthernet0/0
 ip address 199.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.1.1.2 255.255.255.0
 duplex auto
 speed auto
!

It seems that R22 is sending DHCPOFFER message to the destination IP of 192.168.33.X, which is strange because I configured NAT on R11, and the packets are coming in on R22 as can be seen with debug ip packet with source IP 200.1.1.1.

ip dhcp-relay source-interface < 200.1.1.1 interface>

Then check debug again 

MHM
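
The debug output in this thread shows the relayed request arriving from 200.1.1.1 while R22 unicasts its reply to 192.168.33.1 and logs it as unroutable. The following is an added example, not code from any poster or from Cisco: it parses a constructed DHCPDISCOVER and applies the RFC 2131 reply rules, showing that the server takes the reply address from the giaddr field inside the DHCP payload, which PAT on the IP header does not rewrite. The packet bytes, the route list and all function names are assumptions built from the addresses posted above.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header, RFC 2131 section 2: op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes).
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"

MAC = bytes.fromhex("005079666805")               # client MAC from the debug output
SERVER_ROUTES = ["199.1.2.0/24", "200.1.1.0/24"]  # R22: connected networks only


def build_relayed_discover(mac: bytes, giaddr: str) -> bytes:
    """Constructed sample: DHCPDISCOVER as it looks after the relay set giaddr."""
    zero = bytes(4)
    hdr = BOOTP.pack(1, 1, 6, 1, 0x1234ABCD, 0, 0, zero, zero, zero,
                     ipaddress.IPv4Address(giaddr).packed, mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end


def reply_destination(payload: bytes, offered: str) -> str:
    """RFC 2131 section 4.1 rules; the IP header source is never consulted."""
    fields = BOOTP.unpack_from(payload)
    flags, ciaddr, giaddr = fields[6], fields[7], fields[10]
    if any(giaddr):                       # relayed: unicast to the relay agent
        return str(ipaddress.IPv4Address(giaddr))
    if any(ciaddr):                       # client already has an address
        return str(ipaddress.IPv4Address(ciaddr))
    return "255.255.255.255" if flags & 0x8000 else offered


def diagnose(payload: bytes, ip_src: str, offered: str, routes=SERVER_ROUTES) -> dict:
    """Compare what NAT changed (ip_src) with where the server will reply."""
    dest = ipaddress.ip_address(reply_destination(payload, offered))
    routable = any(dest in ipaddress.ip_network(n) for n in routes)
    return {"ip_src": ip_src, "reply_to": str(dest), "routable": routable}


if __name__ == "__main__":
    # Case from the thread: NAT source 200.1.1.1, giaddr still 192.168.33.1.
    print(diagnose(build_relayed_discover(MAC, "192.168.33.1"),
                   "200.1.1.1", "192.168.33.101"))
    # Constructed contrast: giaddr is an address R22 has a route to.
    print(diagnose(build_relayed_discover(MAC, "200.1.1.1"),
                   "200.1.1.1", "192.168.33.101"))
```

The first case reproduces the `d=192.168.33.1 ... unroutable` line from `debug ip packet`; the second shows the reply becoming deliverable once the relay address carried in the payload is one the server can reach.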