topic Re: asa 8.6 static command in Network Security

asa 8.6 static command

todd.hauf — Mon, 11 Mar 2019 23:32:54 GMT

Am trying the following command on ASA 8.61, however it appears the static command no longer works. Would appreciate any insights.

static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0

Thanks.

asa 8.6 static command

Karsten Iwen — Thu, 19 Jul 2012 20:01:53 GMT

the NAT-configuration completely changed beginning with v8.3. Here are some examples:

https://supportforums.cisco.com/docs/DOC-9129

Re: asa 8.6 static command

todd.hauf — Thu, 19 Jul 2012 21:32:33 GMT

sorry i am lost

We are trying to get our dhcp server (public.x.x.x) on vlan 1 with 10.25.0.1 scope to service the asa on vlan 3.

We input the following:

dhcprelay server public.x.x.x outside

dhcprelay enable inside

dhcprelay setroute inside

I thought the next step was to create a static from the inside to outside for the IP address of the inside interface. I thought this would allow the inside interface to relay the dhcp broadcast to your dhcp server with its private address. The command on pre8.3 was something like:

static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0

asa 8.6 static command

Karsten Iwen — Fri, 20 Jul 2012 14:38:20 GMT

I'm pretty sure you don't need NAT for the dhcprelay to work. NAT is for traffic passing through the ASA, but with dhcprelay the ASA receives the packets and generates a new request based on the received packet. There shouldn't be any NAT be involved.

asa 8.6 static command

Ramraj Sivagnanam Sivajanam — Sun, 22 Jul 2012 10:42:21 GMT

Hi Bro

Since your LAN users are on the INSIDE and your DHCP Server is on the OUTSIDE, you'll need to enable DHCP RELAY in your Cisco ASA FW. Here a guide http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml

P/S: If you think this comment is useful, please do rate them nicely 🙂

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 17:40:50 GMT

Thanks Ramraj,

I have the options set as the gui suggests my external dhcp server is at 165.234.128.9 and i have a scope setup on it for 10.25.0.0:

dhcprelay server 165.234.128.9 outside

dhcprelay server 10.25.0.1 outside

dhcprelay enable inside

Within that link you mention above i am having trouble with the ip route statement:

!--- This command creates a static route in order to
!--- route the reply packets to the DHCP relay interface.

ip route 10.1.1.0 255.255.255.0 10.2.1.1

the command ip route is not available apparantly on ver 8.6, below is what happens:

ciscoasa(config)# ip route
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# ip ?

configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface

Re: asa 8.6 static command

Karsten Iwen — Mon, 23 Jul 2012 17:54:24 GMT

the "ip route" is no command that you have to enter on the ASA. The config you posted on

19.07.2012, 23:34 is exactly what you need to enable a DHCP relay. Nothing more is needed.

If it still doesn't work, the reason will probably be somewhere else. You could try to capture the packets to see how far they get.

Re: asa 8.6 static command

Karsten Iwen — Mon, 23 Jul 2012 18:18:01 GMT

And just to make sure we're talking about the same scenario:

Your clients are directly connected to the inside interface on the ASA without a L3-instance between them?

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 18:29:31 GMT

The ASA outside interface is connected to cisco 4507 gig 2/45, the inside interface is connected to same cisco 4507 gig 2/46. The client is connected to the same 4507 in gig 1/20.

gig 2/46 and gig 1/20 have the following config line:

switchport access vlan 3

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 18:36:52 GMT

didn't see your earlier post. Was on tech support with ciso and they did setup a packet trace. They found the packets are getting to the dhcp server but when the server replies they are being discarded. Cisco thought it was configuration of the external dhcp server but we have not found a solution that works yet.

Re: asa 8.6 static command

Karsten Iwen — Mon, 23 Jul 2012 18:45:48 GMT

what is the log message when the packets are discarded?

Sent from Cisco Technical Support iPad App

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 18:54:30 GMT

example of what we see in the log:

%ASA-7-710005: UDP request discarded from 165.234.128.9/67 to outside:255.255.255.255/68

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 18:58:46 GMT

Attached are the packet trace files.

Filtering with ip.addr==165.234.128.9 should show what is happening.

Re: asa 8.6 static command

Karsten Iwen — Mon, 23 Jul 2012 21:10:51 GMT

In the asp.pcap, there are only DHCP-offers with client-addresses in the 165.234.128.0-network. Are these captures really related to the problem? The DHCP-server should offer an IP in the 10.25.0.0/20 network.

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 21:24:37 GMT

That is a question we have been asking ourselves too.

When filtering asp.pcap with ip.addr==165.234.128.9 on row No. 103 we find the mac address of the client we are trying to get an ip address on (64:31:50:95:43:2c).

We have 2 scopes on our dhcp server. How does a client on the inside of the ASA know which scope to pick from and for the matter how does one on the outside know which scope to pick from?

Re: asa 8.6 static command

Karsten Iwen — Mon, 23 Jul 2012 21:44:18 GMT

The relay-agent includes his own ip address from that interface that received the DHCP-request. The DHCP-server then searches for a matching scope. You have a DHCP-Pool starting at 10.25.0.0?

Re: asa 8.6 static command

todd.hauf — Mon, 23 Jul 2012 22:17:47 GMT

The scope is 10.25.0.0

starting ip is 10.25.0.1 ending ip is 10.25.15.254

Re: asa 8.6 static command

Karsten Iwen — Tue, 24 Jul 2012 06:51:30 GMT

To get more information where the problem is, I would set up an additional DHCP-Server (an IOS-router or -switch) with the same scope and add this server to the ASA ("dhcprelay server 165.234.128.X outside"). When there are two DHCP-servers specified, both should get the request and we can see if the second server answers in a way that the ASA accepts.

Re: asa 8.6 static command

Ramraj Sivagnanam Sivajanam — Wed, 25 Jul 2012 09:32:53 GMT

Hi Bro

Your DHCPRELAY configuration is wrong. You are currently having this, which is wrong;

dhcprelay server 165.234.128.9 outside

dhcprelay server 10.25.0.1 outside <--- This is your DHCP Scope not your DHCP Server

dhcprelay enable inside

Instead, you should have this;

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

P/S: If you think this comment is useful, please do rate them nicely 🙂

Re: asa 8.6 static command

todd.hauf — Wed, 25 Jul 2012 15:55:09 GMT

Thanks for your continued attention.

The configuration you suggest was our original configuration:

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

However we are unable to get an ip address on the client.

We did setup another dhcp server and put it on the inside, changed the config to no dhcprelay.... . And the client was able to get an ip and had internet access.

So we have been successful in using the ASA's dhcp server, also successful in using an stand-alone dhcp server located on the inside of the ASA (with the ASA's dhcp server disabled).

But when we try to get the dhcp server on the outside as you have stated in the above commands we have not had success.