ASA防火墙上配置DHCP中继
要求:R1作为DHCP server,在ASA防火墙上配置dhcp中继,使得client端动态获取地址
1、配置基本的IP地址,保证直连能通
R1(config)#int f0/0
R1(config-if)#ip add 12.1.1.1 255.255.255.0
R1(config-if)#no shut
ASA(config)#int g0
ASA(config-if)#nameif outside 将g0口命名为outside
INFO:Security level for "outside" set to 0 by default.
ASA(config-if)#security-level 100 将g0口的安全等级修改为100
ASA(config-if)#ip add 12.1.1.2 255.255.255.0
ASA(config-if)#no shut
ASA(config-if)#int g1
ASA(config-if)#nameif inside 将g1口命名为inside
INFO:Security level for "inside" set to 100 by default.
ASA(config-if)#ip add 10.1.1.1 255.255.255.0
ASA(config-if)#no shut
R2(config)#intf0/0
R2(config-if)#ip address dhcp R2动态获取地址
2、R1上配置DHCPserver
R1(config)#ip dhcp pool meng R1上配置DHCP server,将地址池命名为meng
R1(dhcp-config)#network10.1.1.0 /24 让R2在此地址段内获取地址
R1(dhcp-config)#default-router 10.1.1.1 默认网关指为防火墙与client相连的地址
R1(dhcp-config)#lease 1 租期为1天
R1(config)#ip dhcp excluded-address10.1.1.1 让R2从除网关地址之外的地址段中获取
3、ASA防火墙上配置Dhcprelay
ASA(config)#dhcprelay server12.1.1.1 outside 配置DHCPrelay server,server地址为防火墙与DHCPserver相连的地址,接口为防火墙上与DHCP server相连的接口
ASA(config)#dhcprelay enableinside 启用DHCPrelay,此接口与client相连的接口
此时,配置基本已完成,但由于R1没有到10.1.1.0/24网段的,R2还获取不到地址,所以要在R1上写一条静态
R1(config)#ip route 10.1.1.0 255.255.255.0 12.1.1.2
4、在R2上查看地址
R2# show ip int brife
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.2 YES DHCP 获取的地址为10.1.1.2 up up
5、可以用clear ip dhcp binding * 清除绑定的IP地址和mac地址
6、查看dhcpserver收到的信息
R1#sho ip dhcp server statistics
Memoryusage 15448
Addresspools 1
Databaseagents 0
Automaticbindings 1
Manualbindings 0
Expiredbindings 0
Malformedmessages 0
Securearp entries 0
Renewmessages 0
Workspacetimeouts 0
Static routes 0
Relaybindings 0
Relaybindings active 0
Relaybindings terminated 0
Relaybindings selecting 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 6 收到的discovery 报文数
DHCPREQUEST 2 收到的request报文数
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
DHCPVENDOR 0
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
Message Sent
BOOTREPLY 0
DHCPOFFER 6 返回的offer报文数
DHCPACK 2 返回的ack报文
DHCPNAK 0
Message Forwarded
BOOTREQUEST 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
DHCPVENDOR 0
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCP-DPMStatistics
Offernotifications sent 0
Offercallbacks received 0
Classnamerequests sent 0
Classnamecallbacks received 0
7、查看dhcpserver上IP地址与mac地址绑定
R1#sho ip dhcp binding
Bindingsfrom all pools not associated with VRF:
IPaddress Client-ID/ Lease expiration Type State Interface
Hardware address/
User name
10.1.1.1 0063.6973.636f.2d63. Nov 22 2015 10:16 PM Automatic Active Unknown
6130.322e.3031.3530.
2e30.3030.302d.4661.
302f.30