Re: asa 8.6 static command - Page 2

todd.hauf · ‎07-19-2012

Am trying the following command on ASA 8.61, however it appears the static command no longer works. Would appreciate any insights.

static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0

Thanks.

Karsten Iwen · ‎07-23-2012

The relay-agent includes his own ip address from that interface that received the DHCP-request. The DHCP-server then searches for a matching scope. You have a DHCP-Pool starting at 10.25.0.0?

todd.hauf · ‎07-23-2012

The scope is 10.25.0.0

starting ip is 10.25.0.1 ending ip is 10.25.15.254

Karsten Iwen · ‎07-23-2012

To get more information where the problem is, I would set up an additional DHCP-Server (an IOS-router or -switch) with the same scope and add this server to the ASA ("dhcprelay server 165.234.128.X outside"). When there are two DHCP-servers specified, both should get the request and we can see if the second server answers in a way that the ASA accepts.

Ramraj Sivagnanam Sivajanam · ‎07-25-2012

Hi Bro

Your DHCPRELAY configuration is wrong. You are currently having this, which is wrong;

dhcprelay server 165.234.128.9 outside

dhcprelay server 10.25.0.1 outside <--- This is your DHCP Scope not your DHCP Server

dhcprelay enable inside

Instead, you should have this;

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

todd.hauf · ‎07-25-2012

Thanks for your continued attention.

The configuration you suggest was our original configuration:

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

However we are unable to get an ip address on the client.

We did setup another dhcp server and put it on the inside, changed the config to no dhcprelay.... . And the client was able to get an ip and had internet access.

So we have been successful in using the ASA's dhcp server, also successful in using an stand-alone dhcp server located on the inside of the ASA (with the ASA's dhcp server disabled).

But when we try to get the dhcp server on the outside as you have stated in the above commands we have not had success.

Ramraj Sivagnanam Sivajanam · ‎07-25-2012

Hi Bro

Why don't you show us your show run, and we can assist you further

Warm regards,
Ramraj Sivagnanam Sivajanam

todd.hauf · ‎07-25-2012

Here is the running-config:

ciscoasa#

ciscoasa# show running-config

: Saved

:

ASA Version 8.6(1)

!

hostname ciscoasa

enable password ibqCJZNHhOXYLjS3 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 165.234.128.203 255.255.248.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.25.0.1 255.255.240.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa861-smp-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

object-group network wireless

network-object 10.25.0.0 255.255.255.0

access-list outbound extended permit ip any any

access-list outbound extended permit icmp any any

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

!

nat (inside,outside) after-auto source dynamic any interface

access-group outbound in interface outside

access-group outbound in interface inside

access-group outbound out interface inside

route outside 0.0.0.0 0.0.0.0 165.234.128.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

!

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

csd image disk0:/csd_3.5.2008-k9.pkg

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3

username admin password RSRFwwciBS8x/1/M encrypted

username dsu password RSRFwwciBS8x/1/M encrypted privilege 15

username pix password n5jkqOP4vOe/4pzS encrypted

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 10

subscribe-to-alert-group configuration periodic monthly 10

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:49ca48250c21eec0abd300facb57c935

: end

ciscoasa#

Ramraj Sivagnanam Sivajanam · ‎07-25-2012

Hi Bro

Please do this, and let me know the outcome;

interface GigabitEthernet0/1
no ip address 10.25.0.1 255.255.240.0
ip address 10.25.0.1 255.255.255.0

no nat (inside,outside) after-auto source dynamic any interface

no nat-control

no access-group outbound out interface inside

no dhcpd address 192.168.1.2-192.168.1.254 management

route outside 165.234.128.9 255.255.255.255 165.234.128.2 // Try with this, and without this //

Warm regards,
Ramraj Sivagnanam Sivajanam

todd.hauf · ‎07-25-2012

Did as above with exception of , no nat-control.

following was the output when i tried:

ciscoasa(config)# no nat
ERROR: % Incomplete command
ciscoasa(config)# nat ?

configure mode commands/options:
(               Open parenthesis for (,)
                  pair where is the Internal or prenat
                  interface and is the External or postnat
                  interface
<1-2147483647> Position of NAT rule within before auto section
after-auto      Insert NAT rule after auto section
source          Source NAT parameters
ciscoasa(config)# nat

craig bache · ‎07-25-2012

Hi Todd

The nat-control command is deprecated.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

Regards Craig

Ramraj Sivagnanam Sivajanam · ‎07-28-2012

Hi Bro

Is everything OK now?

Warm regards,
Ramraj Sivagnanam Sivajanam

todd.hauf · ‎07-30-2012

Have been unsuccessful in getting clients on the inside of the ASA to receive an ip address from the DHCP Server outside the ASA.

Karsten Iwen · ‎07-30-2012

Have you tried a different DHCP-Server on the outside to see what happens?

Ramraj Sivagnanam Sivajanam · ‎07-31-2012

Can you paste here the output of the command "debug dhcprelay packet"

Warm regards,
Ramraj Sivagnanam Sivajanam

todd.hauf · ‎07-31-2012

Here is the output of debug chcprelay packet:

ciscoasa# debug dhcprelay packet

debug dhcprelay packet enabled at level 1

ciscoasa# DHCPRA: relay binding found for client 6431.5095.432c.