GroupStudy.com - A virtual community of network engineers
RE: CCIE Security posted 12/01/2002


Hi,

You could do this by configuring DLSW and Ethernet bridge groups...:

DHCP Server-----e0-R1-e1 ------------- PIX ------ IPSec ------ PIX ------ e1-R2-e0-----DHCP clients

In the "diagram" above, the DHCP server needs to assign IP addresses to the
DHCP clients, WITHOUT the use of DHCP relay or GRE tunnels.  If you made e0
on R1 and R3 bridged interfaces, you could configure a DLSW connection
between R1 and R2 that linked the two LANs.  The PIX could then protect the
DLSW traffic.  If you needed to route for the DHCP Server/DHCP client
subnets, you could configure a BVI locally on each router and ensure local
devices use the local BVI as the default gateway.

Not very real-world, but it is a possible solution.

Regards,
Justin



-----Original Message-----
From: Zealous [mailto:rsevier@xxxxxxxxxxxxxx] 
Sent: Sunday, December 01, 2002 5:45 AM
To: security@xxxxxxxxxxxxxx
Subject: RE: CCIE Security


Has anyone ever tried to push DHCP through a PIX to PIX VPN?  I can't seem
to figure out how to get the DHCP traffic to be unicast to pass through the
IPsec tunnel. I have a hub and spoke topology. On the remote sites, I don't
have the choice of implementing DHCP relay (as the helper address would
provide).  The only solution that I have been able to come up with is to
place a router behind the PIX at the remote site and use a GRE tunnel.  Any
other suggestions?

Thx,
Raymond