DHCP won't work on an internal network enabled by static nat

Y W — Tue, 12 Mar 2019 09:37:32 GMT

Hi All,

I am running into a very wierd behavior.

I have 2 internal networks (inside, dmz) that I used static nat in order to get data to flow between the two networks.

but whenever the static nat is applied, the hosts on the dmz side seems not able to acquire an ip address from the asa5505

the ones that already have an ip will work fine.

this issue does not affect the hosts in the inside network.

no i am not anywhere near the host limit of asa5505

the minute i took out the static mapping the dmz will resume to get the ip address.

here is a sudo code of the configuration.

thanks you in advance.

basemodel ASA5505

show local-host is less than 6 hosts

using 8.2.5(59) //sorry i am not a big fan of 8.3+ that deprecated the nat and global command.

I have inside, dmz, outside 3 vlan being used.

inside ip add 10.0.INS.1

/24

security-level 100

e0/1-e0/3 switchport access this vlan

dmz ip add 10.0.DMZ.1

/24

security-level 50

no forward int vlan 1

e0/5-6 switchport access this vlan

e5 is attached to a wifi ap that basically just airborns the network.

e6 was used to test hardwire connection without wifi. same results

outside ip add 4.4.OUT.1

public ip static ip address

e0/0 switchport access this vlan

PAT out to the internet

nat (inside) 10 10.0.INS.0 /24

nat (dmz) 10 10.0.DMZ.0 /24

global (outside) 10 interface

couple of ports forwarded to an DMZ host

static (dmz,outside) tcp interface 8000 10.0.DMZ.100 8000 netmask /32

access-list NAME extended permit tcp any interface outside eq 8000

access-group NAME in interface outside

DHCP the network
dhcpd address 10.0.INS.100-10.0.INS.130 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside

dhcpd address 10.0.DMZ.100-10.0.DMZ.130 dmz
dhcpd dns 4.2.2.2 8.8.8.8 interface dmz
dhcpd enable dmz

I wanted the inside to have one way traffic to the dmz hosts, but dmz hosts can not initiate traffic to inside.

static (inside,dmz) 10.0.DMZ.0 10.0.INS.0 netmask /24

after the above statement was put in the DHCP in the DMZ will just cease to function.

the minute I take it away thing will work again.

Can anyone let me know why?

Thanks in advance.

You need to put another nat

Spooster IT Services — Tue, 27 Jun 2017 13:47:55 GMT

You need to put another nat statement from dmz to inside.

static (dmz,inside) 10.0.INS.0 10.0.DMZ.0 netmask /24

topic You need to put another nat in Network Security

DHCP won't work on an internal network enabled by static nat

You need to put another nat