
5505 as dhcp help.

smitty0375
Level 1

Hey guys.

I am opening a small branch office in another state and the equipment we purchased is as follows:

ASA5505

3560G.

We'll use a site-to-site VPN, but just in case there are connectivity issues I'd like to use the ASA as DHCP. So far I have a scope defined in the ASA, and if I plug a laptop directly in I get an applicable IP address.

I trunked the port on the switch that goes to the ASA but not the one on the ASA itself (license restriction).

The VLAN that I'm using for my PCs has an ip helper address that is assigned to the inside IP of the ASA.

How can I make it where I can plug a PC into the switch and get a valid IP?

Thanks!

Accepted Solutions

Hi Jerry,

Apparently you can't achieve what you want to do with the ASA as a DHCP server.

Here is an excerpt taken from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html:

You cannot configure a DHCP client or DHCP Relay services on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.

Regards.

Alain

Don't forget to rate helpful posts.


5 Replies

Julio Carvajal
VIP Alumni

Hello Jerry,

So the DHCP service provided by the ASA is working; it seems like the problem is related to the switch. On the ASA side I would like to see if the DHCP Discovery requests are getting into the inside interface of the ASA, because it does not look like they are.

For this, let's create a capture.

access-list DHCP permit udp any any range 67 68

capture capin access-list DHCP interface inside

Provide us the following outputs while the laptop is trying to get an IP:

- show capture capin

- show run dhcpd

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
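
What to look for in such a capture, as an added example that is not part of the original thread: a DISCOVER forwarded by the switch's ip helper address carries a non-zero giaddr (relay agent address, RFC 2131), while one from a directly connected client has giaddr 0.0.0.0. The sample packets, MAC address and the 192.0.2.1 relay address below are constructed.

```python
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP packet (ports 67/68)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    giaddr = ipaddress.IPv4Address(payload[24:28])  # relay agent address
    msg_type, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = MSG_TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + length
    return {
        "type": msg_type,
        "xid": f"{xid:#010x}",
        "client_mac": payload[28:28 + min(hlen, 16)].hex(":"),
        "giaddr": str(giaddr),
        "hops": hops,
        # giaddr 0.0.0.0: client is on the capturing segment; otherwise relayed
        "path": "relayed" if int(giaddr) else "direct",
    }

def build_discover(giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Constructed sample DISCOVER; MAC, xid and addresses are made up."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x1234ABCD, 0, 0x8000)
    addrs = bytes(12) + ipaddress.IPv4Address(giaddr).packed  # ci/yi/si = 0
    chaddr = bytes.fromhex("020000000001").ljust(16, b"\0")
    return hdr + addrs + chaddr + bytes(192) + MAGIC + bytes([53, 1, 1, 255])

if __name__ == "__main__":
    # 192.0.2.1 stands in for the switch VLAN interface acting as relay (assumed)
    for pkt in (build_discover(), build_discover("192.0.2.1", hops=1)):
        print(parse_dhcp(pkt))
```
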

svaish
Level 1

ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.

The default route is also derived from DHCP.

All inside IP addresses are translated when accessing the outside using interface PAT.

By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.

The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface Ethernet 0/0
   switchport access vlan 2
   no shutdown
interface Ethernet 0/1
   switchport access vlan 1
   no shutdown
interface Ethernet 0/2
   switchport access vlan 1
   no shutdown
interface Ethernet 0/3
   switchport access vlan 1
   no shutdown
interface Ethernet 0/4
   switchport access vlan 1
   no shutdown
interface Ethernet 0/5
   switchport access vlan 1
   no shutdown
interface Ethernet 0/6
   switchport access vlan 1
   no shutdown
interface Ethernet 0/7
   switchport access vlan 1
   no shutdown
interface vlan2
   nameif outside
   no shutdown
   ip address dhcp setroute
interface vlan1
   nameif inside
   ip address 192.168.1.1 255.255.255.0
   security-level 100
   no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

This is the default configuration of the ASA.

So if it is in the default configuration and you connect your PC to any of the interfaces other than Ethernet 0/0, you should be able to get an IP address.

Sachin

smitty0375
Level 1

I have attached the configs on each. I am not getting traffic from ASA to switch. I can't trunk the ASA ports due to the license I have.

Hello all. I ended up using my 3560 as dhcp. Thanks for all the replies.
