Firewall Wizards mailing list archives

RE: Cisco PIX DHCP relay via IPSEC


From: "Scot Kreienkamp" <Scot () pc-sos net>
Date: Thu, 30 Oct 2003 08:17:25 -0500

As I said, I do not control everything at the remote end.  There is a
piece of hardware at the remote end that needs bootp/tftp and dhcp from
a specific server at the head end, and there's nothing I can do to
change that.  If it weren't for that I would just do dhcp from the PIX.
The only other alternative is a leased line with routers that are
configured with the dhcp helper option.  Rather costly for a medium
sized business to get a leased line from Michigan to Florida.

From what I've heard so far from the list it should work.  I've gone
ahead and submitted my idea; if I get to try it, I'll send a follow-up to
the list.  Thanks for all your comments!

Scot Kreienkamp
Scot () PC-SOS net
Phone: 419-872-2500
Fax: 419-831-8500
 


-----Original Message-----
From: Perrymon, Josh L. [mailto:PerrymonJ () bek com] 
Sent: Wednesday, October 29, 2003 5:23 PM
To: 'mailinglists () wjnconsulting com'; Scot W. Kreienkamp;
firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Cisco PIX DHCP relay via IPSEC


Not sure why you don't do DHCP from the remote end unless you don't
control it... It will be hard to get DHCP over the IPSEC unless you use
GRE tunnels to forward broadcasts.

So basically, the DHCP broadcast needs to get tunneled over IPSEC with
GRE to the main site.

But, I would try to do it on the remote end. I have lots of pixes doing
it and it works great... With a small exception of leases not releasing
sometimes so I like to change that value.


-JP

-----Original Message-----
From: Wes Noonan [mailto:mailinglists () wjnconsulting com]
Sent: Wednesday, October 22, 2003 11:15 AM
To: 'Scot Kreienkamp'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Cisco PIX DHCP relay via IPSEC


I don't believe that the PIX can pass DHCP/bootp, but don't hold me to
that (never tried it). The remote PIX could be configured to be a DHCP
server that you can manage however, and TFTP would easily pass through
the VPN tunnel so that might be another option to address your needs.

HTH and good luck.

Wes

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Scot 
Kreienkamp
Sent: Wednesday, October 22, 2003 09:59
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Cisco PIX DHCP relay via IPSEC

Hi all,

I'm looking at using two PIXes to do site to site IPSEC via the 
internet.  Because I don't control all the devices at the remote end 
one of my requirements is that I be able to do DHCP/Bootp and TFTP 
from the remote end to the head end via the IPSEC VPN. Does anyone 
know if the PIX will be able to do this?

If anyone has a better product in mind that can accomplish this please
let me know, I'm not stuck on the PIX but I do need a workable 
solution within the next few days.  Please don't say linux, I've 
already been turned down there.  :)

Thanks!

Scot Kreienkamp
Scot () PC-SOS net


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
