03-08-2019 03:06 AM - edited 02-21-2020 08:55 AM
Hello!
Just had to troubleshoot an issue where an internal firewall messed up the network on its outside interface. The clients could not get addresses from the local DHCP server.
This is the network layout:
On the "Internal ASA" there was this NAT rule:
nat (inside,outside) source static any any no-proxy-arp route-lookup
which caused the clients on the 192.168.5.0 network not to get any addresses from the DHCP server.
default route on Internal ASA is configured as:
route outside 0.0.0.0 0.0.0.0 192.168.5.1
Why is that?
The key here is that the 172.16.0.0 network behind the Internal ASA should not be accessible from the 192.168.5.0 network at all.
Actually, that 172.16.0.0 network is a remote network for a site-to-site VPN connection which is only used for lab purposes.
I cannot see why the Internal ASA would prevent the DHCP server from responding to broadcast DHCP requests..??
Hi,
Normally the ASA does not pass broadcasts to the other side. I guess you have configured DHCP relay.
In your case you can block the communication between these subnets with ACLs. Also, the ASA will not reply to ARP requests because of 'no-proxy-arp'.
I am not sure whether it is having some effect. You can try removing that command, and 'route-lookup' too, for testing.
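As an added illustration of the ACL approach suggested in the reply above (example configuration written for this page, not the replier's own config, and not a fix that the thread confirms solved the DHCP symptom). The thread gives only the two network addresses, so the /24 and /16 masks, the object names NET-OUTSIDE-LAN and NET-LAB-VPN, the ACL name OUTSIDE_IN, and the assumption that nothing is yet applied inbound on the outside interface are all assumptions:

```cisco
! Added example: deny the 192.168.5.0 segment access to the lab VPN network
! while leaving other traffic through the Internal ASA untouched.
! Masks, object names and the ACL name are assumptions (see lead-in).
object network NET-OUTSIDE-LAN
 subnet 192.168.5.0 255.255.255.0
object network NET-LAB-VPN
 subnet 172.16.0.0 255.255.0.0
!
! Inbound on outside: drop anything from 192.168.5.0 towards 172.16.0.0 first,
! then permit the rest (tighten the permit to whatever the policy really needs).
access-list OUTSIDE_IN extended deny ip object NET-OUTSIDE-LAN object NET-LAB-VPN
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
!
! Checks: confirm the ACL is bound and its hit counters rise when a 192.168.5.x
! host tries to reach 172.16.x.x, and walk one such flow through the ASA.
show access-list OUTSIDE_IN
packet-tracer input outside tcp 192.168.5.10 12345 172.16.1.10 80
```

Note what this does and does not cover: an interface ACL only governs traffic that enters the outside interface and is forwarded through the ASA. It does not change how the ASA answers ARP on the 192.168.5.0 segment, which is what the no-proxy-arp keyword on the NAT rule controls, so it is a way to enforce the "not accessible at all" requirement rather than a diagnosis of the DHCP problem; for that, testing with the NAT keywords removed, as the reply suggests, is the separate step.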