translate_hits = 0, untranslate_hits = 641

If you use the packet-tracer utility on the ASA to simulate the DHCP DISCOVER packet that enters the DMZ2 interface, the problem can be identified as caused by the NAT configuration:

    tutera-firewall# packet-tracer input DMZ2 udp 0.0.0.0 68 255.255.255.255 67 detail

Removing the incorrectly configured NAT statement resolves the problem. The broadcast DHCP DISCOVER packets (destined to 255.255.255.255) match this NAT statement, which causes the failure:

    static (DMZ1,DMZ2) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

The configuration contains a broad static Network Address Translation (NAT) statement that encompasses all IP traffic on that subnet. The packets are dropped by the Accelerated Security Path (ASP), and a capture applied to the ASP indicates that the DHCP DISCOVER packets are dropped due to "Slowpath security checks failed":

    ASA# capture asp type asp-drop all
    14:57:05.627241 802.1Q VLAN# 10 P0 0.0.0.0.68 > 255.255.255.255.67:

The ASA does not reply with an OFFER packet.

Under Real Address, type the destination, or internal address. Click Add, then select Add Static NAT Rule. Click Configuration at the top, then NAT on the left.
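A configuration check for the broad static NAT statement described above, as an added example that is not part of the original document: it scans pre-8.3 style static statements and reports those whose mapped range contains 255.255.255.255, so broadcast DHCP DISCOVER packets on the mapped interface would match them. The function name and the sample configuration (apart from the statement quoted on this page) are constructed for illustration, and only statements with an explicit netmask are evaluated.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
# Assumption: only statements with an explicit netmask are evaluated.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+(?:\.\d+){3})\s+(?P<real>\d+(?:\.\d+){3})\s+"
    r"netmask\s+(?P<mask>\d+(?:\.\d+){3})"
)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def find_broadcast_capturing_statics(config_text):
    """Return static NAT statements whose mapped range includes 255.255.255.255.

    A broadcast DHCP DISCOVER arriving on the mapped interface matches such a
    statement, which is the failure this page describes.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        try:
            mapped_net = ipaddress.ip_network(
                f"{m['mapped']}/{m['mask']}", strict=False)
        except ValueError:
            continue  # malformed address or non-contiguous mask
        if LIMITED_BROADCAST in mapped_net:
            findings.append({"line": lineno,
                             "statement": raw.strip(),
                             "affected_interface": m["mapped_if"],
                             "mapped_range": str(mapped_net)})
    return findings


# Constructed sample: the first two lines are illustrative, the third is the
# statement quoted on this page.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (DMZ1,DMZ2) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (DMZ1,DMZ2) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
"""

if __name__ == "__main__":
    for f in find_broadcast_capturing_statics(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['statement']} "
              f"(broadcasts on {f['affected_interface']} will match)")
```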