12-16-2011 02:19 PM - edited 03-11-2019 03:03 PM
Hi
I'm new to the ASA and am trying to set up a test net. The ASA is connected to my router on port zero using DHCP.
(Or I guess it's not, as the router uses the same IP range as the ASA does inside.)
I tried to set a static IP in the same range (e.g. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside".
So I believe that is why it doesn't get an IP from my router - it does show up in the router's DHCP table as 192.168.1.5, but the ASDM home page says outside "no IP address".
I tried to change the inside range of the ASA, but if I change the inside IP I lose the connection.
(Had to restore the factory default using the console.)
I guess I could set up another range using the console, but how?
How can I set up this test net?
12-16-2011 03:06 PM
Hello Frank,
Correct, you cannot have the same IP address on two interfaces, because the ASA has to divide the broadcast domain (routed mode).
So you need to change the DHCP scope address (IP address and DHCP configuration on the router) or change the inside interface of the ASA.
Option 1:
On the ASA
vlan 1
no ip add
ip add 192.168.2.1 255.255.255.0
Option 2:
On the router (let's say port 0/1 is connected to the ASA)
interface ethernet 0/1
no ip address
ip address 192.168.2.1 255.255.255.0
ip dhcp excluded-address 192.168.2.1
ip dhcp pool Inside_Firewall
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
These two solutions will do it for you.
Please rate helpful posts.
Regards,
Julio
12-19-2011 02:03 PM
Thanks.
The commands seem to work (except it should be "interface vlan 1" to be accepted).
- But still no working ASA.
The session:
ciscoasa(config)# vlan 1
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# no ip add
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)#
However, I'm still not able to connect. Both 192.168.2.1 and 192.168.1.1 did not respond.
I then tried a reboot (turned the ASA off and on).
It showed this error during boot:
ciscoasa> ERROR: Failed to apply IP address to interface Vlan2, as the network overlaps with interface Vlan1. Two interfaces cannot be in the same subnet.
It seems the IP change command for vlan1 was accepted - how can I read out the current setting?
12-19-2011 02:10 PM
Hello Frank,
You did not save the changes, so as soon as you rebooted the ASA it went back to the last configuration saved (the one with the issue).
What do you mean you cannot connect from vlan 1 to vlan 2? Do you have NAT configured to accomplish that?
Can you share the configuration file with the changes I asked you to make?
Regards,
Julio
12-19-2011 02:30 PM
If I needed to save, I did not. (I have not used the console before.)
Found the "write memory" and "reload" commands.
I can't connect to the ASA using the ASDM-IDM Launcher (from a PC connected to the inside LAN).
It seems that the ASA DHCP server does not work.
And: show running-config
ciscoasa# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
no ip address
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5085ad55b43198c7490b2edfee450906
: end
12-19-2011 03:08 PM
Hello Frank,
Please make the following changes and let me know the result:
no http 192.168.1.0 255.255.255.0 inside
no dhcp-client client-id interface outside
no dhcpd auto_config outside
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
Hope this helps.
Regards,
Julio
12-20-2011 12:45 PM
Hi Julio,
The ASDM-IDM Launcher is still unable to connect.
And the PC connected to the inside ports still doesn't get an IP from the ASA.
show running-config:
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:050b5d46b0af856b0c016c5ea4b4f9b8
: end
12-20-2011 12:54 PM
Hello Frank,
For the DHCP to work:
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside
dhcpd dns 4.2.2.2 interface inside
For the PC on the inside to be able to access ASDM
http 0 0 inside
Please rate helpful posts,
Julio
12-20-2011 01:03 PM
Thanks, that did the magic. I now got an IP for the PC, and the ASA got an IP from my router.
Just for future reference, here are the working commands:
ciscoasa(config)# dhcpd address 192.168.2.2-192.168.2.254 inside
Warning, DHCP pool range is limited to 32 addresses, set address range as: 192.168.2.2-192.168.2.33
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# dhcpd dns 4.2.2.2 interface inside
ciscoasa(config)# http 0 0 inside
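As an added example (not part of the original thread, and not Cisco code), the following Python script checks an ASA 8.2-style running-config for the three things that went wrong above: two named interfaces in overlapping subnets (the "cannot overlap" error in the first post and again after the reboot), an `http ... inside` rule that no longer covers the inside subnet once inside was readdressed (why ASDM could not connect even though `http server enable` was present), and a dhcpd pool that is missing, off-subnet, not enabled, or larger than the 32-address limit the 5505 CLI reported. The config snippets are constructed from the posted output and trimmed to the relevant lines. One caveat on the accepted fix: `http 0 0 inside` permits ASDM connections from any source address arriving on the inside interface, so the fixed config below uses `http 192.168.2.0 255.255.255.0 inside` instead; the thread's own fix works, this is just the narrower rule.

```python
# Added example: sanity-check an ASA 8.2-style config for the faults in this thread.
# Pure standard library; all config text is constructed from the posted output.
import ipaddress
import re

# Constructed: factory-default inside plus the static outside address the
# first post tried to set in the same 192.168.1.0/24 range.
OVERLAP_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 192.168.1.20 255.255.255.0
"""

# Constructed from the first posted running-config: inside moved to
# 192.168.2.0/24, but the http rule still names 192.168.1.0/24 and no dhcpd pool.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# The accepted fix with the pool size the CLI enforced, and the http rule
# narrowed to the inside subnet instead of `http 0 0 inside`.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "http 192.168.1.0 255.255.255.0 inside",
    "http 192.168.2.0 255.255.255.0 inside\n"
    "dhcpd address 192.168.2.2-192.168.2.33 inside\n"
    "dhcpd dns 4.2.2.2 interface inside\n"
    "dhcpd enable inside",
)

MAX_POOL = 32  # limit the 5505 CLI reported for this license in the thread


def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface, or None when the address is DHCP/unset."""
    ifaces, nameif = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
            ifaces[nameif] = None
        elif nameif and line.startswith("ip address ") and line.split()[2] != "dhcp":
            addr, mask = line.split()[2:4]
            ifaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def overlapping_interfaces(ifaces):
    """Pairs of named interfaces whose subnets overlap (rejected in routed mode)."""
    named = [(n, i.network) for n, i in ifaces.items() if i is not None]
    return [(a, b) for k, (a, na) in enumerate(named)
            for b, nb in named[k + 1:] if na.overlaps(nb)]


def http_rules(cfg):
    """Parse `http <ip> <mask> <nameif>` lines; `0 0` is the ASA shorthand for any."""
    rules = []
    for ip, mask, nameif in re.findall(r"^http (\S+) (\S+) (\S+)$", cfg, re.M):
        ip = "0.0.0.0" if ip == "0" else ip
        mask = "0.0.0.0" if mask == "0" else mask
        rules.append((ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), nameif))
    return rules


def asdm_reachable_from(cfg, host):
    """True if an http rule on the host's own interface covers the host address."""
    ifaces, host = parse_interfaces(cfg), ipaddress.IPv4Address(host)
    for net, nameif in http_rules(cfg):
        iface = ifaces.get(nameif)
        if iface is not None and host in iface.network and host in net:
            return True
    return False


def dhcpd_problems(cfg):
    """Findings for the dhcpd pool: missing, off-subnet, oversized or not enabled."""
    m = re.search(r"^dhcpd address (\S+)-(\S+) (\S+)$", cfg, re.M)
    if not m:
        return ["no dhcpd address pool configured"]
    lo, hi = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
    nameif, iface, findings = m[3], parse_interfaces(cfg).get(m[3]), []
    if iface is None or lo not in iface.network or hi not in iface.network:
        findings.append(f"pool {lo}-{hi} is not within the {nameif} subnet")
    if int(hi) - int(lo) + 1 > MAX_POOL:
        findings.append(f"pool has {int(hi) - int(lo) + 1} addresses, limit is {MAX_POOL}")
    if not re.search(rf"^dhcpd enable {re.escape(nameif)}$", cfg, re.M):
        findings.append(f"dhcpd is not enabled on {nameif}")
    return findings


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(parse_interfaces(OVERLAP_CONFIG)))
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "ASDM from 192.168.2.10:", asdm_reachable_from(cfg, "192.168.2.10"))
        print(label, "dhcpd:", dhcpd_problems(cfg) or "ok")
```

Run it against a real `show running-config` by pasting the output into `POSTED_CONFIG`; the overlap check reproduces the boot-time error before you commit with `write memory`, and the http check catches the stale management ACL that the ASDM "unable to connect" symptom alone does not explain.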
12-20-2011 01:20 PM
Hello Frank,
That is something great to hear.
Have a wonderful day,
Regards,
Julio