Cisco ASA 5506-X Dynamic IP address from ISP

Levoo (Level 1)

So I bought a 5506-X for my home to practice with a lot of equipment, like a 3560-8PC, a WLC2504 and two 2702 access points. It's a huge project for a starter, but I already hit a bump in the road.

I got my ISP to bridge the cable modem so I can receive the signal on my firewall. Too bad the ISP isn't handing out static IP addresses, so this means I have to configure port Gi1/1 as a DHCP client, which I did. But it still isn't receiving an IP address. Can someone help me out please?

 

ciscoasa(config)# sh run

ASA Version 9.8(3)14
!
hostname ciscoasa
names
no mac-address auto

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 nameif management
 security-level 0
 no ip address
!
ftp mode passive
pager lines 24
mtu management 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5 
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect dns preset_dns_map 
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters   
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
: end
5 Replies

johnd2310 (Level 8)

Hi,

Why are you bridging the cable modem? Can you confirm that the bridging is configured correctly? It would be easier to first test with the modem configured in non-bridge mode and routing configured between the firewall and the cable modem.

Thanks

John

**Please rate posts you find helpful**

Levoo (Level 1)

The cable modem is bridged because it's a modem, router, switch and access point in one, delivered by the ISP. Since I cannot set routes in this modem (for a second subnet), I had to bridge it. The bridging itself is done by the ISP; they told me it was bridged correctly, so I have to assume it's okay.

The issue now is that I can't get an IP address on interface Gi1/1 on my ASA, which is configured as a DHCP client, so the ISP can't assign me an IP address. Also, my ISP doesn't work with static IPs, so that's why I configured Gi1/1 as a DHCP client.

This is the config for now:

ciscoasa# sh run int gi1/1
!
interface GigabitEthernet1/1
 description outside
 mac-address 3843.7d2a.f68d
 nameif outside
 security-level 0
 dhcp client update dns
 ip address dhcp setroute

Levoo (Level 1)

So I tested if the modem was bridged correctly, and it was. I hooked up my laptop directly to the modem and got an IP address, so that means the bridging on the modem and ISP side is just fine. The one thing now is the fact that the ASA doesn't get the IP/DNS config from the DHCP server at the ISP. Is there something wrong with my config?

Levoo (Level 1)

So I monitored the DHCP request and it says it's sending the DHCP broadcast on interface 2. I've read somewhere else that someone had the broadcast on interface 1, which is kind of relatable since the outside interface is Gi1/1.

I really hope someone can help me.

[attached screenshots: IMG_0696.jpeg, IMG_0695.jpeg]

johnd2310 (Level 8)

Hi,

You will need to capture traffic on the outside interface to see what is happening with the DHCP traffic. We need to see if there is traffic to and from the DHCP server. You can perform the capture from the ASA using the capture command, e.g.:

  • shut down the outside interface (shutdown gi1/1)
  • issue the command "capture fw1 interface outside"
  • enable the outside interface (no shutdown gi1/1)

Use "show capture" to see how much traffic has been captured.

After capturing for a few minutes, stop the capture with the command "capture fw1 stop".

You can look at the captured packets with the command "show capture fw1 detail".

You can export the capture to your laptop with the command "copy /pcap capture:fw1 tftp:".

View the capture on your laptop using Wireshark.

Thanks

John

**Please rate posts you find helpful**
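A worked example of what to look for once the exported capture is on the laptop. This is added code, not from the thread or from Cisco: a small Python decoder for the DHCP/BOOTP payloads (UDP 67/68) you would pull out of the pcap. It groups messages by transaction id, reports whether each DISCOVER got an OFFER, an ACK, a NAK or nothing at all, and checks that the client hardware address in the requests is the MAC configured on Gi1/1 in the posted config (3843.7d2a.f68d). The packets in SAMPLE_CAPTURE are constructed for the example with documentation-range addresses and are not a real capture; pulling the UDP payloads out of the pcap is left to whatever pcap library you use.

```python
"""Decode and summarise the DHCP exchange in a pcap exported from an ASA capture.
Added example, not from the thread. SAMPLE_CAPTURE is constructed test data
(UDP payloads only): the MAC is the one from the posted interface config, the
IPv4 addresses are documentation-range placeholders."""
import re
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 marker that precedes the option TLVs
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass
class DhcpMessage:
    op: int          # 1 = client to server, 2 = server to client
    xid: int         # transaction id that ties DISCOVER/OFFER/REQUEST/ACK together
    chaddr: str      # client hardware address the server leases to
    yiaddr: str      # address being handed out (OFFER/ACK), else 0.0.0.0
    msg_type: str    # decoded option 53
    options: dict = field(default_factory=dict)

def normalise_mac(mac: str) -> str:
    """Accept ASA 'hhhh.hhhh.hhhh' or colon/dash forms, return 'hh:hh:hh:hh:hh:hh'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the TLV option area of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (too short or no magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr, chaddr = payload[16:20], payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end of options
        if payload[i] == 0:                         # 0 = pad byte, has no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mt = options.get(53)
    msg_type = MSG_TYPES.get(mt[0], "UNKNOWN") if mt else "BOOTP"
    return DhcpMessage(op, xid, chaddr.hex(":"), str(IPv4Address(yiaddr)), msg_type, options)

def summarise(messages) -> dict:
    """Per transaction id, report how far the exchange got. 'no_reply' is the
    symptom in this thread: the client broadcasts and nothing comes back."""
    by_xid = {}
    for m in messages:
        by_xid.setdefault(m.xid, set()).add(m.msg_type)
    verdict = {}
    for xid, types in by_xid.items():
        if "ACK" in types:
            verdict[xid] = "leased"
        elif "NAK" in types:
            verdict[xid] = "refused"
        elif "OFFER" in types:
            verdict[xid] = "offered"
        elif types & {"DISCOVER", "REQUEST"}:
            verdict[xid] = "no_reply"
        else:
            verdict[xid] = "unknown"
    return verdict

def client_mac_mismatches(messages, configured_mac: str) -> list:
    """Transaction ids whose requests do not carry the MAC configured on the ASA
    interface; an ISP that binds the lease to one CPE MAC will ignore the rest."""
    want = normalise_mac(configured_mac)
    return sorted({m.xid for m in messages if m.op == BOOTREQUEST and m.chaddr != want})

def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", extra=()):
    """Build a constructed DHCP payload (used only for the sample data below)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # flags: broadcast reply
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)       # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00") + bytes(192)  # chaddr, sname, file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    return hdr + opts + b"\xff"

ASA_MAC = "38:43:7d:2a:f6:8d"   # mac-address from the posted Gi1/1 config
SAMPLE_CAPTURE = [               # constructed, not a real capture
    # transaction 1: DISCOVER answered by an OFFER, what a healthy capture shows
    build_dhcp(BOOTREQUEST, 0x1A2B3C4D, ASA_MAC, 1, extra=[(55, bytes([1, 3, 6, 15]))]),
    build_dhcp(BOOTREPLY, 0x1A2B3C4D, ASA_MAC, 2, yiaddr="203.0.113.10",
               extra=[(54, IPv4Address("203.0.113.1").packed),   # server identifier
                      (51, struct.pack("!I", 86400)),            # lease time
                      (1, IPv4Address("255.255.255.0").packed),  # subnet mask
                      (3, IPv4Address("203.0.113.1").packed)]),  # router
    # transaction 2: DISCOVER with nothing coming back, the poster's symptom
    build_dhcp(BOOTREQUEST, 0x5E6F7081, ASA_MAC, 1),
]

if __name__ == "__main__":
    decoded = [parse_dhcp(p) for p in SAMPLE_CAPTURE]
    for m in decoded:
        print(f"xid={m.xid:#010x} {m.msg_type:<8} chaddr={m.chaddr} yiaddr={m.yiaddr}")
    print(summarise(decoded))
    print("MAC mismatches:", client_mac_mismatches(decoded, "3843.7d2a.f68d"))
```

Run as-is it decodes the constructed packets; for the real capture, feed parse_dhcp() the UDP payloads instead. A transaction that comes back `no_reply` with the correct chaddr means the ASA's DISCOVER did cross the outside interface and no server reply came back on that wire; a chaddr that does not match points at the `mac-address` override on the interface. Remember the ASA capture only shows what crosses the interface it is attached to, so a missing OFFER on the ASA does not by itself say where upstream it was dropped.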