07-19-2012 09:50 AM - edited 03-11-2019 04:32 PM
I am trying the following command on ASA 8.61; however, it appears the static command no longer works. I would appreciate any insights.
static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0
Thanks.
07-23-2012 02:44 PM
The relay agent includes its own IP address from the interface that received the DHCP request. The DHCP server then searches for a matching scope. You have a DHCP pool starting at 10.25.0.0?
07-23-2012 03:17 PM
The scope is 10.25.0.0
starting ip is 10.25.0.1 ending ip is 10.25.15.254
07-23-2012 11:51 PM
To get more information where the problem is, I would set up an additional DHCP-Server (an IOS-router or -switch) with the same scope and add this server to the ASA ("dhcprelay server 165.234.128.X outside"). When there are two DHCP-servers specified, both should get the request and we can see if the second server answers in a way that the ASA accepts.
07-25-2012 02:32 AM
Hi Bro
Your DHCPRELAY configuration is wrong. This is what you currently have, which is wrong:
dhcprelay server 165.234.128.9 outside
dhcprelay server 10.25.0.1 outside <--- This is your DHCP Scope not your DHCP Server
dhcprelay enable inside
Instead, you should have this:
dhcprelay server 165.234.128.9 outside
dhcprelay enable inside
dhcprelay setroute inside
P/S: If you think this comment is useful, please do rate it nicely :-)
07-25-2012 08:55 AM
Thanks for your continued attention.
The configuration you suggest was our original configuration:
dhcprelay server 165.234.128.9 outside
dhcprelay enable inside
dhcprelay setroute inside
However, we are unable to get an IP address on the client.
We did set up another DHCP server and put it on the inside, changed the config to no dhcprelay.... . And the client was able to get an IP and had internet access.
So we have been successful in using the ASA's DHCP server, and also successful in using a stand-alone DHCP server located on the inside of the ASA (with the ASA's DHCP server disabled).
But when we try to get the DHCP server on the outside, as you have stated in the above commands, we have not had success.
07-25-2012 09:01 AM
Hi Bro
Why don't you show us your show run, and we can assist you further.
07-25-2012 09:22 AM
Here is the running-config:
ciscoasa#
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)
!
hostname ciscoasa
enable password ibqCJZNHhOXYLjS3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 165.234.128.203 255.255.248.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.25.0.1 255.255.240.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
object-group network wireless
network-object 10.25.0.0 255.255.255.0
access-list outbound extended permit ip any any
access-list outbound extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
access-group outbound in interface outside
access-group outbound in interface inside
access-group outbound out interface inside
route outside 0.0.0.0 0.0.0.0 165.234.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 165.234.128.9 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
username admin password RSRFwwciBS8x/1/M encrypted
username dsu password RSRFwwciBS8x/1/M encrypted privilege 15
username pix password n5jkqOP4vOe/4pzS encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 10
subscribe-to-alert-group configuration periodic monthly 10
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:49ca48250c21eec0abd300facb57c935
: end
ciscoasa#
07-25-2012 09:49 AM
Hi Bro
Please do this, and let me know the outcome:
interface GigabitEthernet0/1
no ip address 10.25.0.1 255.255.240.0
ip address 10.25.0.1 255.255.255.0
no nat (inside,outside) after-auto source dynamic any interface
no nat-control
no access-group outbound out interface inside
no dhcpd address 192.168.1.2-192.168.1.254 management
route outside 165.234.128.9 255.255.255.255 165.234.128.2 // Try with this, and without this //
07-25-2012 10:33 AM
Did as above, with the exception of no nat-control.
The following was the output when I tried:
ciscoasa(config)# no nat
ERROR: % Incomplete command
ciscoasa(config)# nat ?
configure mode commands/options:
( Open parenthesis for (
pair where
interface and
interface
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ciscoasa(config)# nat
07-25-2012 11:37 AM
Hi Todd
The nat-control command is deprecated.
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212
Regards Craig
07-28-2012 10:40 AM
Hi Bro
Is everything OK now?
07-30-2012 06:57 AM
Have been unsuccessful in getting clients on the inside of the ASA to receive an ip address from the DHCP Server outside the ASA.
07-30-2012 07:17 AM
Have you tried a different DHCP-Server on the outside to see what happens?
07-31-2012 08:07 AM
Can you paste here the output of the command "debug dhcprelay packet"
07-31-2012 08:43 AM
Here is the output of debug dhcprelay packet:
ciscoasa# debug dhcprelay packet
debug dhcprelay packet enabled at level 1
ciscoasa# DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
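Added example, not part of the original thread and not Cisco tooling: a Python script that summarizes "debug dhcprelay packet" output like the capture above per client MAC, and checks that the giaddr the relay inserts falls inside the pool range given earlier in the thread (10.25.0.1 to 10.25.15.254). The names summarize and forward_only are hypothetical, and the sample lines are constructed from the format shown above.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of the debug output posted above (three cycles).
SAMPLE = (
    "ciscoasa# DHCPRA: relay binding found for client 6431.5095.432c.\n"
    "DHCPD: setting giaddr to 10.25.0.1.\n"
    "dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.\n"
) * 3

BINDING = re.compile(r"DHCPRA: relay binding found for client (\S+?)\.$")
GIADDR = re.compile(r"DHCPD: setting giaddr to (\d+(?:\.\d+){3})\.")
FORWARD = re.compile(
    r"dhcpd_forward_request: request from (\S+) forwarded to (\d+(?:\.\d+){3})\."
)

def summarize(text, scope_start, scope_end):
    """Summarize relay activity per client MAC (hypothetical helper).

    Lines matching none of the three patterns above go to 'other'; the thread
    shows no reply lines, so no reply format is assumed here.
    """
    lo, hi = ip_address(scope_start), ip_address(scope_end)
    clients, other, giaddr = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or BINDING.search(line):
            continue
        m = GIADDR.search(line)
        if m:
            giaddr = m.group(1)  # applies to the forward line that follows
            continue
        m = FORWARD.search(line)
        if m:
            mac, server = m.groups()
            c = clients.setdefault(mac, {"forwards": 0, "servers": set()})
            c["forwards"] += 1
            c["servers"].add(server)
            c["giaddr"] = giaddr
            c["giaddr_in_scope"] = bool(giaddr) and lo <= ip_address(giaddr) <= hi
            continue
        other.append(line)
    for c in clients.values():
        # Repeated forwards with no other event logged: the relay is sending,
        # but nothing else (such as a reply) was recorded in this capture.
        c["forward_only"] = c["forwards"] > 1 and not other
    return clients, other

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE, "10.25.0.1", "10.25.15.254")[0].items():
        print(mac, info)
```

A result with giaddr_in_scope true and forward_only true means the relay side is doing its part in the capture, so the next place to look is the path between the server and the giaddr address.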