CLI Book 1: Cisco Secure Firewall ASA General Operations CLI Configuration Guide, 9.20

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

• About This Guide
• Getting Started with the ASA
  • Introduction to the Secure Firewall ASA
  • Getting Started
  • Licenses: Product Authorization Key Licensing for the ISA 3000
  • Licenses: Smart Software Licensing
  • Logical Devices for the Firepower 4100/9300
  • Transparent or Routed Firewall Mode
  • Multiple Context Mode
  • Failover for High Availability
  • Failover for High Availability in the Public Cloud
  • ASA Cluster for the Secure Firewall 3100/4200
  • ASA Cluster for the Firepower 4100/9300
  • ASA Cluster for the ASA Virtual for the Private Cloud
  • ASA Cluster for the ASA Virtual in a Public Cloud
  • Basic Interface Configuration
  • Basic Interface Configuration for Firepower 1010 Switch Ports
  • EtherChannel Interfaces
  • Loopback Interfaces
  • VLAN Subinterfaces
  • VXLAN Interfaces
  • Routed and Transparent Mode Interfaces
  • Advanced Interface Configuration
  • Traffic Zones
  • Basic Settings
  • DHCP and DDNS Services
  • Digital Certificates
  • ARP Inspection and the MAC Address Table
  • Routing Overview
  • Static and Default Routes
  • Policy Based Routing
  • Route Maps
  • Bidirectional Forwarding Detection Routing
  • BGP
  • OSPF
  • IS-IS
  • EIGRP
  • Multicast Routing
  • AAA and the Local Database
  • RADIUS Servers for AAA
  • TACACS+ Servers for AAA
  • LDAP Servers for AAA
  • Kerberos Servers for AAA
  • RSA SecurID Servers for AAA
  • Management Access
  • Software and Configurations
  • Response Automation for System Events
  • Testing and Troubleshooting
  • Logging
  • SNMP
  • Cisco Success Network and Telemetry Data
  • Alarms for the Cisco ISA 3000
  • Anonymous Reporting and Smart Call Home
  • Using the Command-Line Interface
  • Addresses, Protocols, and Ports
  Find Matches in This Book Log in to Save Content Available Languages Download Options

  Book Title

  CLI Book 1: Cisco Secure Firewall ASA General Operations CLI Configuration Guide, 9.20

  DHCP and DDNS Services

  • PDF - Complete Book (36.09 MB)PDF - This Chapter (1.54 MB) View with Adobe Reader on a variety of devices

  Results

  Updated: August 5, 2024

  Chapter: DHCP and DDNS Services

  Chapter Contents
  • DHCP and DDNS Services
  • About DHCP and DDNS Services
    • About the DHCPv4 Server
      • DHCP Options
      • DHCP Relay Server Support on VTI
      • Enable the DHCPv4 Server
      • Configure Advanced DHCPv4 Options
      • Configure the DHCPv6 Stateless Server
      • Configure the DHCPv4 Relay Agent
      • Configure the DHCPv6 Relay Agent
      • Monitoring DHCP Services
        • Troubleshooting DHCP Relay over VTI

        DHCP and DDNS Services

        This chapter describes how to configure the DHCP server or DHCP relay as well as dynamic DNS (DDNS) update methods.

        About DHCP and DDNS Services

        The following topics describe the DHCP server, DHCP relay agent, and DDNS update.

        About the DHCPv4 Server

        DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can provide a DHCP server to DHCP clients attached to ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients.

        An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68; the DHCP server listens for messages on UDP port 67.

        DHCP Options

        DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. The configuration parameters are carried in tagged items that are stored in the Options field of the DHCP message and the data are also called options. Vendor information is also stored in Options, and all of the vendor information extensions can be used as DHCP options.

        For example, Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.

        • DHCP option 150 provides the IP addresses of a list of TFTP servers.
        • DHCP option 66 gives the IP address or the hostname of a single TFTP server.
        • DHCP option 3 sets the default route.

        A single request might include both options 150 and 66. In this case, the ASA DHCP server provides values for both options in the response if they are already configured on the ASA.

        You can use advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients; DHCP option 15 is used for the DNS domain suffix. You can also use the DHCP automatic configuration setting to obtain these values or define them manually. When you use more than one method to define this information, it is passed to DHCP clients in the following sequence:

        1. Manually configured settings.
        2. Advanced DHCP options settings.
        3. DHCP automatic configuration settings.

        For example, you can manually define the domain name that you want the DHCP clients to receive and then enable DHCP automatic configuration. Although DHCP automatic configuration discovers the domain together with the DNS and WINS servers, the manually defined domain name is passed to DHCP clients with the discovered DNS and WINS server names, because the domain name discovered by the DHCP automatic configuration process is superseded by the manually defined domain name.

        About the DHCPv6 Stateless Server

        For clients that use StateLess Address Auto Configuration (SLAAC) in conjunction with the Prefix Delegation feature (Enable the IPv6 Prefix Delegation Client), you can configure the ASA to provide information such as the DNS server or domain name when they send Information Request (IR) packets to the ASA . The ASA only accepts IR packets and does not assign addresses to the clients. You will configure the client to generate its own IPv6 address by enabling IPv6 autoconfiguration on the client. Enabling stateless autoconfiguration on a client configures IPv6 addresses based on prefixes received in Router Advertisement messages; in other words, based on the prefix that the ASA received using Prefix Delegation.

        About the DHCP Relay Agent

        You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages because they do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, UDP broadcasts normally are not forwarded by the ASA because it does not forward broadcast traffic. The DHCP relay agent lets you configure the interface of the ASA that is receiving the broadcasts to forward DHCP requests to a DHCP server on another interface.

        DHCP Relay Server Support on VTI

        You can configure DHCP relay agent on an ASA interface to receive and forward DHCP messages between a DHCP client and a DHCP server. However, a DHCP relay server to forward messages through a logical interface was not supported.

        

        Following figure shows the DISCOVER process of the DHCP Client and DHCP Server using DHCP relay over VTI VPN. The DHCP relay agent, configured on VTI interface of ASA Site 1, receives DHCPDISCOVER packet from the DHCP Client and sends the packet through the VTI tunnel. ASA Site 2 forwards the DHCPDISCOVER packet to the DHCP Server. The DHCP Server replies with a DHCPOFFER to ASA Site 2. ASA Site 2 forwards it to DHCP relay (ASA Site1), which forwards it to the DHCP Client.

        The same procedure is followed for a DHCPREQUEST and DHCPACK/NACK requirements.

        Guidelines for DHCP and DDNS Services

        This section includes guidelines and limitations that you should check before configuring DHCP and DDNS services.

        Context Mode

        • DHCPv6 stateless server is not supported in multiple context mode.

        Firewall Mode

        • DHCP Relay is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface .
        • DHCP Server is supported in transparent firewall mode on a bridge group member interface. In routed mode, the DHCP server is supported on the BVI interface, not the bridge group member interface. The BVI must have a name for the DHCP server to operate.
        • DDNS is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface .
        • DHCPv6 stateless server is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface .

        Clustering

        • DHCPv6 stateless server is not supported with clustering.

        IPv6

        Supports IPv6 for DHCP stateless server and DHCP Relay.

        DHCPv4 Server

        • The maximum available DHCP pool is 256 addresses.
        • You can configure only one DHCP server on each interface. Each interface can have its own pool of addresses to use. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.
        • You cannot configure an interface as a DHCP client if that interface also has DHCP server enabled; you must use a static IP address.
        • You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service.
        • You can reserve a DHCP address for an interface. The ASA assigns a specific address from the address pool to a DHCP client based on the client's MAC address.
        • The ASA does not support QIP DHCP servers for use with the DHCP proxy service.
        • The DHCP server does not support BOOTP requests.

        DHCPv6 Server

        The DHCPv6 Stateless server cannot be configured on an interface where the DHCPv6 address, Prefix Delegation client, or DHCPv6 relay is configured.

        DHCP Relay

        • You can configure a maximum of 10 DHCPv4 relay servers, with a maximum of 4 servers per interface.
        • You can configure a maximum of 10 DHCPv6 relay servers. Interface-specific servers for IPv6 are not supported.
        • You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service.
        • DHCP relay services are not available in transparent firewall mode or in routed mode on the BVI or bridge group member interface . You can, however, allow DHCP traffic through using an access rule. To allow DHCP requests and replies through the ASA , you need to configure two access rules, one that allows DCHP requests from the inside interface to the outside (UDP destination port 67), and one that allows the replies from the server in the other direction (UDP destination port 68).
        • For IPv4, clients must be directly-connected to the ASA and cannot send requests through another relay agent or a router. For IPv6, the ASA supports packets from another relay server.
        • The DHCP clients must be on different interfaces from the DHCP servers to which the ASA relays requests.
        • You cannot enable DHCP Relay on an interface in a traffic zone.

        Configure the DHCP Server

        This section describes how to configure a DHCP server provided by the ASA.

        Procedure

        Enable the DHCPv4 Server

        To enable the DHCP server on an ASA interface, perform the following steps:

        Procedure

        Create a DHCP address pool for an interface. The ASA assigns a client one of the addresses from this pool to use for a given period of time. These addresses are the local, untranslated addresses for the directly connected network.

        dhcpd address ip_address_start-ip_address_end if_name

        Example:

         ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside 

        The address pool must be on the same subnet as the ASA interface. In transparent mode, specify a bridge group member interface. In routed mode, specify a routed interface or a BVI; do not specify the bridge group member interface.

        (Optional) (Routed mode) Automatically configure DNS, WINS, and domain name values obtained from an interface running a DHCP or PPPoE client, or from a VPN server.

        dhcpd auto_config client_if_name [[ vpnclient-wins-override ] interface if_name ]

        Example:

         ciscoasa(config)# dhcpd auto_config outside interface inside 

        If you specify DNS, WINS, or domain name parameters using the following commands, then they overwrite the parameters obtained by automatic configuration.

        (Optional) Reserve a DHCP address for a client. The ASA assigns a specific address from the configured address pool to a DHCP client based on the client's MAC address.

        dhcpd reserve-address ip_address mac_address if_name

        Example:

         ciscoasa(config)# dhcpd reserve-address 10.0.1.109 030c.f142.4cde inside 

        The reserved address must come from the configured address pool, and the address pool must be on the same subnet as the ASA interface. In transparent mode, specify a bridge group member interface. In routed mode, specify a routed interface or a BVI; do not specify the bridge group member interface.

        (Optional) Specify the IP address(es) of the DNS server(s).

        dhcpd dns dns1 [ dns2 ]

        Example:

         ciscoasa(config)# dhcpd dns 209.165.201.2 209.165.202.129 

        (Optional) Specify the IP address(es) of the WINS server(s). You may specify up to two WINS servers.

        dhcpd wins wins1 [ wins2 ]

        Example:

         ciscoasa(config)# dhcpd wins 209.165.201.5 

        (Optional) Change the lease length to be granted to the client. The lease length equals the amount of time in seconds that the client can use its allocated IP address before the lease expires. Enter a value from 0 to 1,048,575. The default value is 3600 seconds.

        dhcpd lease lease_length

        Example:

         ciscoasa(config)# dhcpd lease 3000 

        (Optional) Configure the domain name.

        dhcpd domain domain_name

        Example:

         ciscoasa(config)# dhcpd domain example.com 

        (Optional) Configure the DHCP ping timeout value for ICMP packets. To avoid address conflicts, the ASA sends two ICMP ping packets to an address before assigning that address to a DHCP client. The default is 50 milliseconds.

        dhcpd ping timeout milliseconds

        Example:

         ciscoasa(config)# dhcpd ping timeout 20 

        Define a default gateway that is sent to the DHCP clients. For routed mode, if you do not use the dhcpd option 3 ip command, then the ASA sends the DHCP server-enabled interface IP address as the default gateway. For transparent mode, you must set dhcpd option 3 ip if you want to set a default gateway; the ASA itself cannot act as the default gateway.

        dhcpd option 3 ip gateway_ip

        Example:

         ciscoasa(config)# dhcpd option 3 ip 10.10.1.1 

        Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface.

        dhcpd enable interface_name

        Example:

         ciscoasa(config)# dhcpd enable inside 

        Specify the same interface as the dhcpd address range.

        Configure Advanced DHCPv4 Options

        The ASA supports the DHCP options listed in RFC 2132, RFC 2562, and RFC 5510 to send information. All DHCP options (1 through 255) are supported except for 1, 12, 50–54, 58–59, 61, 67, and 82.

        Procedure

        Configure a DHCP option that returns one or two IP addresses:

        dhcpd option code ip addr_1 [ addr_2 ]

        Example:

         ciscoasa(config)# dhcpd option 150 ip 10.10.1.1 ciscoasa(config)# dhcpd option 3 ip 10.10.1.10 

        Option 150 provides the IP address or names of one or two TFTP servers for use with Cisco IP phones. Option 3 sets the default route for Cisco IP phones.

        Configure a DHCP option that returns a text string:

        dhcpd option code ascii text

        Example:

         ciscoasa(config)# dhcpd option 66 ascii exampleserver 

        Option 66 provides the IP address or name of a TFTP server for use with Cisco IP phones.

        Configure a DHCP option that returns a hexadecimal value.

        dhcpd option code hex value

        Example:

         ciscoasa(config)# dhcpd option 2 hex 22.0011.01.FF1111.00FF.0000.AAAA.1111.1111.1111.11 

        The ASA does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option 46 ascii hello command, and the ASA accepts the configuration, although option 46 is defined in RFC 2132 to expect a single-digit, hexadecimal value. For more information about option codes and their associated types and expected values, see RFC 2132.

        The following table shows the DHCP options that are not supported by the dhcpd option command.

        Table 1. Unsupported DHCP Options

        Configure the DHCPv6 Stateless Server

        For clients that use StateLess Address Auto Configuration (SLAAC) in conjunction with the Prefix Delegation feature (Enable the IPv6 Prefix Delegation Client), you can configure the ASA to provide information such as the DNS server or domain name when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets and does not assign addresses to the clients. You will configure the client to generate its own IPv6 address by enabling IPv6 autoconfiguration on the client. Enabling stateless autoconfiguration on a client configures IPv6 addresses based on prefixes received in Router Advertisement messages; in other words, based on the prefix that the ASA received using Prefix Delegation.

        Before you begin

        This feature is only supported in single, routed mode. This feature is not supported in clustering.

        Procedure

        Configure the IPv6 DHCP pool that contains the information you want the DHCPv6 server to provide:

        ipv6 dhcp pool pool_name

        Example:

         ciscoasa(config)# ipv6 dhcp pool Inside-Pool ciscoasa(config)# 

        You can configure separate pools for each interface if you want, or you can use the same pool on multiple interfaces.

        Configure one or more of the following parameters to be provided to clients in responses to IR messages:

        nis address nis_ipv6_address

        nis domain-name nis_domain_name

        nisp address nisp_ipv6_address

        nisp domain-name nisp_domain_name

        sip address sip_ipv6_address

        sip domain-name sip_domain_name

        sntp address sntp_ipv6_address

        Example:

         ciscoasa(config-dhcpv6)# domain-name example.com ciscoasa(config-dhcpv6)# import dns-server 

        The import command uses one or more parameters that the ASA obtained from the DHCPv6 server on the Prefix Delegation client interface. You can mix and match manually-configured parameters with imported parameters; however, you cannot configure the same parameter manually and in the import command.

        Enter interface configuration mode for the interface where you want the ASA to listen for IR messages:

        Example:

         ciscoasa(config)# interface gigabithethernet 0/0 ciscoasa(config-if)# 

        Enable the DHCPv6 server:

        ipv6 dhcp server pool_name

        Example:

         ciscoasa(config-if)# ipv6 dhcp server Inside-Pool ciscoasa(config-if)# 

        Configure the Router Advertisement to inform SLAAC clients about the DHCPv6 server:

        ipv6 nd other-config-flag

        This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain additional information from DHCPv6, such as the DNS server address.

        Example

        The following example creates two IPv6 DHCP pools, and enables the DHCPv6 server on two interfaces:

         ipv6 dhcp pool Eng-Pool domain-name eng.example.com import dns-server ipv6 dhcp pool IT-Pool domain-name it.example.com import dns-server interface gigabitethernet 0/0 ipv6 address dhcp setroute default ipv6 dhcp client pd Outside-Prefix interface gigabitethernet 0/1 ipv6 address Outside-Prefix ::1:0:0:0:1/64 ipv6 dhcp server Eng-Pool ipv6 nd other-config-flag interface gigabitethernet 0/2 ipv6 address Outside-Prefix ::2:0:0:0:1/64 ipv6 dhcp server IT-Pool ipv6 nd other-config-flag 

        Configure the DHCP Relay Agent

        When a DHCP request enters an interface, the DHCP servers to which the ASA relays the request depends on your configuration. You may configure the following types of servers:

        • Interface-specific DHCP servers—When a DHCP request enters a particular interface, then the ASA relays the request only to the interface-specific servers.
        • Global DHCP servers—When a DHCP request enters an interface that does not have interface-specific servers configured, the ASA relays the request to all global servers. If the interface has interface-specific servers, then the global servers are not used.

        Configure the DHCPv4 Relay Agent

        When a DHCP request enters an interface, the ASA relays the request to the DHCP server.

        Procedure

        Do one or both of the following:

        Specify a global DHCP server IP address and the interface through which it is reachable. dhcprelay server ip_address if_name Example:

         ciscoasa(config)# dhcprelay server 209.165.201.5 outside ciscoasa(config)# dhcprelay server 209.165.201.8 outside ciscoasa(config)# dhcprelay server 209.165.202.150 it 

         interface interface_id dhcprelay server ip_address 

         ciscoasa(config)# interface gigabitethernet 0/0 ciscoasa(config)# dhcprelay server 209.165.201.6 ciscoasa(config)# dhcprelay server 209.165.201.7 ciscoasa(config)# interface gigabitethernet 0/1 ciscoasa(config)# dhcprelay server 209.165.202.155 ciscoasa(config)# dhcprelay server 209.165.202.156 

        Enable the DHCP relay service on the interface connected to the DHCP clients. You can enable DHCP relay on multiple interfaces.

        dhcprelay enable interface

        Example:

         ciscoasa(config)# dhcprelay enable inside ciscoasa(config)# dhcprelay enable dmz ciscoasa(config)# dhcprelay enable eng1 ciscoasa(config)# dhcprelay enable eng2 ciscoasa(config)# dhcprelay enable mktg 

        (Optional) Set the number of seconds allowed for DHCP relay address handling.

        dhcprelay timeout seconds

        Example:

         ciscoasa(config)# dhcprelay timeout 25 

        (Optional) Change the first default router address in the packet sent from the DHCP server to the address of the ASA interface.

        dhcprelay setroute interface_name

        Example:

         ciscoasa(config)# dhcprelay setroute inside 

        This action allows the client to set its default route to point to the ASA even if the DHCP server specifies a different router.

        If there is no default router option in the packet, the ASA adds one containing the interface address.

        (Optional) Configure interfaces as trusted interfaces. Do one of the following:

        Specify a DHCP client interface that you want to trust:

         interface interface_id  dhcprelay information trusted 

         ciscoasa(config)# interface gigabitethernet 0/0 ciscoasa(config-if)# dhcprelay information trusted 

         ciscoasa(config)# dhcprelay information trust-all 

        Configure the DHCPv6 Relay Agent

        When a DHCPv6 request enters an interface, the ASA relays the request to all DHCPv6 global servers.

        Procedure

        Specify the IPv6 DHCP server destination address to which client messages are forwarded.

        ipv6 dhcprelay server ipv6_address [ interface ]

        Example:

         ciscoasa(config)# ipv6 dhcprelay server 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 

        The ipv6-address argument can be a link-scoped unicast, multicast, site-scoped unicast, or global IPv6 address. Unspecified, loopback, and node-local multicast addresses are not allowed as the relay destination. The optional interface argument specifies the egress interface for a destination. Client messages are forwarded to the destination address through the link to which the egress interface is connected. If the specified address is a link-scoped address, then you must specify the interface.

        Enable DHCPv6 relay service on an interface.

        ipv6 dhcprelay enable interface

        Example:

         ciscoasa(config)# ipv6 dhcprelay enable inside 

        (Optional) Specify the amount of time in seconds that is allowed for responses from the DHCPv6 server to pass to the DHCPv6 client through the relay binding for relay address handling.

        ipv6 dhcprelay timeout seconds

        Example:

         ciscoasa(config)# ipv6 dhcprelay timeout 25 

        Valid values for the seconds argument range from 1 to 3600. The default is 60 seconds.

        Configure Dynamic DNS

        When an interface uses DHCP IP addressing, the assigned IP address can change when the DHCP lease is renewed. When the interface needs to be reachable using a fully qualified domain name (FQDN), the IP address change can cause the DNS server resource records (RRs) to become stale. Dynamic DNS (DDNS) provides a mechanism to update DNS RRs whenever the IP address or hostname changes. You can also use DDNS for static or PPPoE IP addressing.

        DDNS updates the following RRs on the DNS server: the A RR includes the name-to-IP address mapping, while the PTR RR maps addresses to names.

        The ASA supports the following DDNS update methods:

        • Standard DDNS—The standard DDNS update method is defined by RFC 2136. With this method, the ASA and the DHCP server use DNS requests to update the DNS RRs. The ASA or DHCP server sends a DNS request to its local DNS server for information about the hostname and, based on the response, determines the main DNS server that owns the RRs. The ASA or DHCP server then sends an update request directly to the main DNS server. See the following typical scenarios.
          • The ASA updates the A RR, and the DHCP server updates the PTR RR. Typically, the ASA "owns" the A RR, while the DHCP server "owns" the PTR RR, so both entities need to request updates separately. When the IP address or hostname changes, the ASA sends a DHCP request (including the FQDN option) to the DHCP server to inform it that it needs to request a PTR RR update.
          • The DHCP server updates both the A and PTR RR. Use this scenario if the ASA does not have the authority to update the A RR. When the IP address or hostname changes, the ASA sends a DHCP request (including the FQDN option) to the DHCP server to inform it that it needs to request an A and PTR RR update.

          You can configure different ownership depending on your security needs and the requirements of the main DNS server. For example, for a static address, the ASA should own the updates for both records.

          DDNS is not supported on the BVI or bridge group member interfaces.

          Before you begin

          • Configure a DNS server on Configuration > Device Management > DNS > DNS Client . See Configure the DNS Servers.
          • Configure the device hostname and domain name on Configuration > Device Setup > Device Name/Password . See Set the Hostname, Domain Name, and the Enable and Telnet Passwords. If you do not specify the hostname per interface, then the device hostname is used. If you do not specify an FQDN, then for static or PPPoE IP addressing, the system domain name or the DNS server domain name is appended to the hostname.

          Procedure

          Standard DDNS method: Configure a DDNS update method to enable DNS requests from the ASA.

          You do not need to configure a DDNS update method if the DHCP server will perform all requests.

          Create an update method. ddns update method name

          Example:

           ciscoasa(config)# ddns update method ddns1 ciscoasa(DDNS-update-method)# 

          Example:

           ciscoasa(DDNS-update-method)# ddns 

          Example:

           ciscoasa(DDNS-update-method)# interval maximum 0 0 15 0 

          Web method: Configure a DDNS update method to enable HTTP update requests from the ASA.

          Create an update method. ddns update method name

          Example:

           ciscoasa(config)# ddns update method web1 ciscoasa(DDNS-update-method)# 

          Example:

           ciscoasa(DDNS-update-method)# web reference-identity dyndns 

          Example:

           ciscoasa(DDNS-update-method)# web update-url https://jcrichton:pa$$w0rd17@domains.example.com/nic/update?hostname=&myip=

          • both all —(Default) Updates all IPv4 and IPv6 addresses.
          • both —Updates the IPv4 address and the latest IPv6 address.
          • ipv4 —Updates only the IPv4 address.
          • ipv6 —Updates only the latest IPv6 address.
          • ipv6 all —Updates all IPv6 addresses.

          Example:

           ciscoasa(DDNS-update-method)# web update-type ipv4 

          Example:

           ciscoasa(DDNS-update-method)# interval maximum 0 0 15 0 

          Configure interface settings for DDNS, including setting the update method, DHCP client settings, and the hostname for this interface.

          Enter interface configuration mode. interface id

          Example:

           ciscoasa(config)# interface gigabitethernet1/1 ciscoasa(config-if)# 

          Example:

           ciscoasa(config-if)# ddns update ddns1 

          Example:

           ciscoasa(config-if)# ddns update hostname asa1.example.com 

          Note	You can also set these values globally for all interfaces using the dhcp-client update dns command. The per-interface settings take precedence over the global settings.

          • Default (no keywords)—Requests that the DHCP server perform the PTR RR update. This setting works in conjunction with a DDNS update method with ddns A Records enabled.
          • server both —Requests that the DHCP server perform both A and PTR RR updates. This setting does not require a DDNS update method to be associated with the interface.
          • server none —Requests the DHCP server not to perform updates. This setting works in conjunction with a DDNS update method with ddns both A and PTR records enabled.

          Example:

           ciscoasa(config-if)# ddns client update dns 

          The web method for DDNS also requires you to identify the DDNS server root CA to validate the DDNS server certificate for the HTTPS connection. See Configure Trustpoints.

          Example:

           crypto ca trustpoint DDNS_Trustpoint enrollment terminal crypto ca authenticate DDNS_Trustpoint nointeractive MIIFWjCCA0KgAwIBAgIQbkepxUtHDA3sM9CJuRz04TANBgkqhkiG9w0BAQwFADBH MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM [. ] quit 

          Standard DDNS Method for a Static IP Address

          The following example shows how to configure the standard DDNS method for use with a static IP address. Note that you do not configure DHCP client settings for this scenario.

           ! Define the DDNS method to update both RRs: ddns update method ddns-2 ddns both interface gigabitethernet1/1 ip address 209.165.200.225 ! Associate the method with the interface: ddns update ddns-2 ddns update hostname asa1.example.com 

          Example: Standard DDNS Method; ASA Updates A RR and DHCP Server Updates PTR RR

          The following example configures the ASA to update the A RR and the DHCP server to update the PTR RR.

           ! Define the DDNS method to update the A RR: ddns update method ddns-1 ddns interface gigabitethernet1/1 ip address dhcp ! Associate the method with the interface: ddns update ddns-1 ddns update hostname asa ! Set the client to update the A RR, and the server to update the PTR RR: dhcp client update dns 

          Example: Standard DDNS Method; No DHCP Server Update of RRs

          The following example configures the ASA to update both the A and PTR RR, while requesting the DHCP server to update no RRs.

           ! Define the DDNS method to update both RRs: ddns update method ddns-2 ddns both ! Associate the method with the interface: interface gigabitethernet1/1 ip address dhcp ddns update ddns-2 ddns update hostname asa1.example.com ! Set the client to update both RRs, and the server to update none: dhcp client update dns server none 

          Example: Standard DDNS Method; DHCP Server Updates all RRs

          The following example configures the DHCP client to request that the DHCP server to update both the A and PTR RRs. Because the server performs all updates, you do not need to associated an update method with the interface.

           interface gigabitethernet1/1 ip address dhcp ddns update hostname asa ! Configure the DHCP server to update both RRs: dhcp client update dns server both 

          Example: Web Type

          The following example configures the web type method.

           ! Define the web type method: ddns update method web-1 web update-url https://captainkirk:enterpr1s3@domains.cisco.com/ddns?hostname=&myip= ! Associate the method with the interface: interface gigabitethernet1/1 ip address dhcp ddns update web-1 ddns update hostname asa2.example.com 

          Monitoring DHCP and DDNS Services

          This section includes the procedures to monitor both DHCP and DDNS services.

          Monitoring DHCP Services

          • show dhcpd < binding [ IP_address ] | state | statistics >This command shows the current DHCP server client binding, state, and statistics.
          • show dhcprelay < state | statistics >This command displays the DHCP relay status and statistics.
          • show ipv6 dhcprelay binding This command shows the relay binding entries that were created by the relay agent.
          • show ipv6 dhcprelay statistics This command shows DHCP relay agent statistics for IPv6.
          • show ipv6 dhcp server statistics This command shows the DHCPv6 stateless server statistics. The following example shows information provided by this command:

           ciscoasa(config)# show ipv6 dhcp server statistics Protocol Exchange Statistics: Total number of Solicit messages received: 0 Total number of Advertise messages sent: 0 Total number of Request messages received: 0 Total number of Renew messages received: 0 Total number of Rebind messages received: 0 Total number of Reply messages sent: 10 Total number of Release messages received: 0 Total number of Reconfigure messages sent: 0 Total number of Information-request messages received: 10 Total number of Relay-Forward messages received: 0 Total number of Relay-Reply messages sent: 0 Error and Failure Statistics: Total number of Re-transmission messages sent: 0 Total number of Message Validation errors in received messages: 0 

           ciscoasa(config-if)# show ipv6 dhcp interface GigabitEthernet1/1 is in server mode Using pool: Sample-Pool GigabitEthernet1/2 is in client mode Prefix State is OPEN Renew will be sent in 00:03:46 Address State is OPEN Renew for address will be sent in 00:03:47 List of known servers: Reachable via address: fe80::20c:29ff:fe96:1bf4 DUID: 000100011D9D1712005056A07E06 Preference: 0 Configuration parameters: IA PD: IA ID 0x00030001, T1 250, T2 400 Prefix: 2005:abcd:ab03::/48 preferred lifetime 500, valid lifetime 600 expires at Nov 26 2014 03:11 PM (577 seconds) IA NA: IA ID 0x00030001, T1 250, T2 400 Address: 2004:abcd:abcd:abcd:abcd:abcd:abcd:f2cb/128 preferred lifetime 500, valid lifetime 600 expires at Nov 26 2014 03:11 PM (577 seconds) DNS server: 2004:abcd:abcd:abcd::2 DNS server: 2004:abcd:abcd:abcd::4 Domain name: relay.com Domain name: server.com Information refresh time: 0 Prefix name: Sample-PD Management1/1 is in client mode Prefix State is IDLE Address State is OPEN Renew for address will be sent in 11:26:44 List of known servers: Reachable via address: fe80::4e00:82ff:fe6f:f6f9 DUID: 000300014C00826FF6F8 Preference: 0 Configuration parameters: IA NA: IA ID 0x000a0001, T1 43200, T2 69120 Address: 2308:2308:210:1812:2504:1234:abcd:8e5a/128 preferred lifetime INFINITY, valid lifetime INFINITY Information refresh time: 0 

           ciscoasa(config-if)# show ipv6 dhcp interface outside statistics DHCPV6 Client PD statistics: Protocol Exchange Statistics: Number of Solicit messages sent: 1 Number of Advertise messages received: 1 Number of Request messages sent: 1 Number of Renew messages sent: 45 Number of Rebind messages sent: 0 Number of Reply messages received: 46 Number of Release messages sent: 0 Number of Reconfigure messages received: 0 Number of Information-request messages sent: 0 Error and Failure Statistics: Number of Re-transmission messages sent: 1 Number of Message Validation errors in received messages: 0 DHCPV6 Client address statistics: Protocol Exchange Statistics: Number of Solicit messages sent: 1 Number of Advertise messages received: 1 Number of Request messages sent: 1 Number of Renew messages sent: 45 Number of Rebind messages sent: 0 Number of Reply messages received: 46 Number of Release messages sent: 0 Number of Reconfigure messages received: 0 Number of Information-request messages sent: 0 Error and Failure Statistics: Number of Re-transmission messages sent: 1 Number of Message Validation errors in received messages: 0 

           ciscoasa(config)# show ipv6 dhcp ha statistics DHCPv6 HA global statistics: DUID sync messages sent: 1 DUID sync messages received: 0 DHCPv6 HA error statistics: Send errors: 0 

          On an standby unit:

           ciscoasa(config)# show ipv6 dhcp ha statistics DHCPv6 HA global statistics: DUID sync messages sent: 0 DUID sync messages received: 1 DHCPv6 HA error statistics: Send errors: 0 

          Troubleshooting DHCP Relay over VTI

          If the DHCP client fails to get an IP address:

          • Verify for Tunnel interface/VTI configuration in both the ASA sites.
          • Verify the packets transferred between the sites using the show crypto ipsec sa command: Example

           ciscoasa(config)# show crypto ipsec sa interface: outside Crypto map tag: cmap, seq num: 10, local addr: 192.168.2.111 access-list CSM_IPSEC_ACL_0 extended permit ip any4 any4 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer: 192.168.2.110 #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1 #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2

          Enable Debug Commands

          Enabling DHCP relay debugs helps you to know whether the DISCOVER/REQUEST packets were forwarded to DHCP relay server:

          • debug dhcprelay event 255
          • debug dhcprelay packet 255
          • debug dhcprelay error 255

           ciscoasa(config)# DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside interface DHCP: Received a BOOTREQUEST from interface 2 (size = 548) DHCPRA: relay binding found for client xxxx.xxxx.xxxx. DHCPRA: setting giaddr to 192.168.1.111. dhcpd_forward_request: request from xxxx.xxxx.xxxx forwarded to 192.168.3.112. DHCPD/RA: Relay msg received, fip=ANY, fport=0 on vti interface DHCP: Received a BOOTREPLY from relay interface 5 (size = 300, xid = xxxxxxxxx) at 04:40:52 UTC Tue Sep 10 2019 DHCPRA: relay binding found for client xxxx.xxxx.xxxx. DHCPD/RA: creating ARP entry (192.168.1.88, xxxx.xxxx.xxxx). DHCPRA: Adding rule to allow client to respond using offered address 192.168.1.95 DHCPRA: forwarding reply to client xxxx.xxxx.xxxx. DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside interface

          Monitoring DDNS Status

          See the following command for monitoring DDNS status.

          show ddns update < interface if_name | method [ name ]>This command shows the DDNS update status. The following example show details about the DDNS update method:

           ciscoasa# show ddns update method ddns1 Dynamic DNS Update Method: ddns1 IETF standardized Dynamic DNS 'A' record update 

          The following example shows details about the web update method:

           ciscoasa# show ddns update method web1 Dynamic DNS Update Method: web1 Dynamic DNS updated via HTTP(s) protocols URL used to update record: https://cdarwin:*****@ddns.cisco.com/update?hostname=&myip=

          The following example shows information about the DDNS interface:

           ciscoasa# show ddns update interface outside Dynamic DNS Update on outside: Update Method Name Update Destination test not available 

          The following example shows a successful web type update:

           ciscoasa# show ddns update interface outside Dynamic DNS Update on outside: Update Method Name Update Destination test not available Last Update attempted on 09:01:52.729 UTC Mon Mar 23 2020 Status : Success FQDN : asa1.example.com IP addresses(s): 10.10.32.45,2001:DB8::1 

          The following example shows a web type failure:

           ciscoasa# show ddns update interface outside Dynamic DNS Update on outside: Update Method Name Update Destination test not available Last Update attempted on 09:01:52.729 UTC Mon Mar 23 2020 Status : Failed Reason : Could not establish a connection to the server 

          The following example shows that the DNS server returned an error for the web type update:

           ciscoasa# show ddns update interface outside Dynamic DNS Update on outside: Update Method Name Update Destination test not available Last Update attempted on 09:01:52.729 UTC Mon Mar 23 2020 Status : Failed Reason : Server error (Error response from server) 

          The following example shows that a web update was not yet attempted due to the IP address unconfigured or the DHCP request failed, for example:

           ciscoasa# show ddns update interface outside Dynamic DNS Update on outside: Update Method Name Update Destination test not available Last Update Not attempted 

          History for DHCP and DDNS Services

          DDNS support for the web update method

          You can now configure an interface to use DDNS with the web update method.

          New/Modified commands: show ddns update interface , show ddns update method , web update-url , web update-type

          DHCP relay server support on VTIs

          You can now enable DHCP relay on VTIs.

          New/Modified commands: dhcprelay server .

          ASA supports DHCP reservation. The DHCP server assigns a static IP address from the defined address pool to a DHCP client based on the client's MAC address.

          New/Modified commands: dhcpd reserve-address .

          The ASA now supports the following features for IPv6 addressing:

          • DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.
          • DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresess so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.
          • BGP router advertisement for delegated prefixes
          • DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

          We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address

          You can now monitor DHCP statistics for IPv6 and DHCP bindings for IPv6.

          DHCP Relay server validates the DHCP Server identifier for replies

          If the ASA DHCP relay server receives a reply from an incorrect DHCP server, it now verifies that the reply is from the correct server before acting on the reply. We did not introduce or modify any commands. We did not modify any ASDM screens.

          We did not introduce or modify any commands.

          DHCP rebind function

          During the DHCP rebind phase, the client now tries to rebind to other DHCP servers in the tunnel group list. Before this release, the client did not rebind to an alternate server when the DHCP lease fails to renew.

          We did not introduce or modify any commands.

          DHCP trusted interfaces

          You can now configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface.

          We introduced or modified the following commands: dhcprelay information trusted, dhcprelay information trust-all, show running-config dhcprelay.

          DHCP relay servers per interface (IPv4 only)

          You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay.

          We introduced or modified the following commands: dhcprelay server (interface config mode), clear configure dhcprelay, show running-config dhcprelay.

          DHCP relay for IPv6 (DHCPv6)

          DHCP relay support for IPv6 was added.

          We introduced the following commands: ipv6 dhcprelay server, ipv6 dhcprelay enable, ipv6 dhcprelay timeout, clear config ipv6 dhcprelay, ipv6 nd managed-config-flag, ipv6 nd other-config-flag, debug ipv6 dhcp, debug ipv6 dhcprelay, show ipv6 dhcprelay binding, clear ipv6 dhcprelay binding, show ipv6 dhcprelay statistics, and clear ipv6 dhcprelay statistics.

          We introduced this feature.

          We introduced the following commands: ddns, ddns update, dhcp client update dns, dhcpd update dns, show running-config ddns, and show running-config dns server-group.

          The ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to ASA interfaces.

          We introduced the following commands: dhcp client update dns, dhcpd address, dhcpd domain, dhcpd enable, dhcpd lease, dhcpd option, dhcpd ping timeout, dhcpd update dns, dhcpd wins, dhcp-network-scope, dhcprelay enable, dhcprelay server, dhcprelay setroute, dhcp-server. show running-config dhcpd, and show running-config dhcprelay.