DHCP won't work on an internal network enabled by static nat

Y W
Level 1

Hi All,

I am running into very weird behavior.

I have 2 internal networks (inside, dmz) between which I used static NAT in order to get data to flow.

But whenever the static NAT is applied, the hosts on the dmz side seem unable to acquire an IP address from the ASA 5505.

The ones that already have an IP will work fine.

This issue does not affect the hosts in the inside network.

No, I am not anywhere near the host limit of the ASA 5505.

The minute I took out the static mapping, the dmz resumed getting IP addresses.

Here is pseudo code of the configuration.

Thank you in advance.

Base model: ASA 5505

show local-host shows fewer than 6 hosts

Running 8.2.5(59). Sorry, I am not a big fan of 8.3+, which deprecated the nat and global commands.

I have three VLANs in use: inside, dmz, outside.

inside
ip address 10.0.INS.1 255.255.255.0
security-level 100
e0/1-e0/3 switchport access this vlan

dmz
ip address 10.0.DMZ.1 255.255.255.0
security-level 50
no forward interface vlan 1
e0/5-e0/6 switchport access this vlan

e0/5 is attached to a wifi AP that basically just puts the network on the air.

e0/6 was used to test a hardwired connection without wifi. Same results.

outside
ip address 4.4.OUT.1 (static public IP address)
e0/0 switchport access this vlan

PAT out to the internet

nat (inside) 10 10.0.INS.0 /24

nat (dmz) 10 10.0.DMZ.0 /24

global (outside) 10 interface

A couple of ports forwarded to a DMZ host:

static (dmz,outside) tcp interface 8000 10.0.DMZ.100 8000 netmask 255.255.255.255

access-list NAME extended permit tcp any interface outside eq 8000

access-group NAME in interface outside

DHCP for the networks:
dhcpd address 10.0.INS.100-10.0.INS.130 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside

dhcpd address 10.0.DMZ.100-10.0.DMZ.130 dmz
dhcpd dns 4.2.2.2 8.8.8.8 interface dmz
dhcpd enable dmz

I wanted the inside to have one-way traffic to the DMZ hosts, while DMZ hosts cannot initiate traffic to the inside.

static (inside,dmz) 10.0.DMZ.0 10.0.INS.0 netmask 255.255.255.0

After the above statement is put in, DHCP in the DMZ just ceases to function.

The minute I take it away, things work again.

Can anyone let me know why?

Thanks in advance. 

1 Reply

You need to put in another NAT statement from dmz to inside.

static (dmz,inside) 10.0.INS.0 10.0.DMZ.0 netmask 255.255.255.000

Spooster IT Services Team
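One check worth running before touching the DMZ again is whether a static's mapped range lands on top of the subnet of the interface it is mapped onto. Both statics in this thread do exactly that: the question's static (inside,dmz) maps the inside subnet onto 10.0.DMZ.0/24, which is the dmz interface's own subnet, its address 10.0.DMZ.1 and the dhcpd pool 10.0.DMZ.100-130 included, and the reply's static (dmz,inside) does the mirror image on the inside side. The script below is an added example, not code from the thread or from Cisco; it parses an ASA 8.2-style config fragment with Python's standard ipaddress module and flags such overlaps. The config it parses is constructed: the post's INS and DMZ placeholders are assumed to be 1 and 2, and an identity static (same real and mapped addresses, a form the thread does not mention) is included only for comparison, because it keeps inside addresses unchanged and so does not overlap the dmz subnet. Whether that form fixes the poster's DHCP problem is not established by the thread.

```python
"""Flag ASA 8.2 static NAT entries whose mapped range overlaps the subnet of the
interface they are mapped onto (and that interface's dhcpd pool).

Added example, not from the original thread. Addresses are constructed: the
post's 10.0.INS.x / 10.0.DMZ.x placeholders are assumed to be 10.0.1.x / 10.0.2.x.
"""
import ipaddress
import re

# ASA 8.2 network static: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)$"
)
# dhcpd address <first>-<last> <nameif>
DHCPD_RE = re.compile(r"^dhcpd address (?P<first>[\d.]+)-(?P<last>[\d.]+) (?P<ifc>[\w-]+)$")

# Constructed config: the thread's two statics (question, then reply) plus an
# identity static added here for comparison (assumption, not from the thread).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 nameif dmz
 security-level 50
 ip address 10.0.2.1 255.255.255.0
dhcpd address 10.0.1.100-10.0.1.130 inside
dhcpd address 10.0.2.100-10.0.2.130 dmz
static (dmz,outside) tcp interface 8000 10.0.2.100 8000 netmask 255.255.255.255
static (inside,dmz) 10.0.2.0 10.0.1.0 netmask 255.255.255.0
static (dmz,inside) 10.0.1.0 10.0.2.0 netmask 255.255.255.0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
"""


def parse_config(text):
    """Return (interfaces, statics, pools) parsed from a running-config fragment."""
    interfaces = {}  # nameif -> IPv4Interface holding the ASA's own address/mask
    statics = []     # network statics only; port statics (tcp/udp form) are skipped
    pools = {}       # nameif -> (first, last) address of the dhcpd pool
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block; nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif (m := STATIC_RE.match(line)):
            statics.append({
                "line": line,
                "mapped_if": m["mapped_if"],
                "mapped_net": ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}", strict=False),
                "real_net": ipaddress.IPv4Network(f"{m['real']}/{m['mask']}", strict=False),
            })
        elif (m := DHCPD_RE.match(line)):
            pools[m["ifc"]] = (ipaddress.IPv4Address(m["first"]),
                               ipaddress.IPv4Address(m["last"]))
    return interfaces, statics, pools


def find_overlaps(interfaces, statics, pools):
    """Return one finding per static whose mapped range overlaps the mapped-side subnet."""
    findings = []
    for s in statics:
        ifc = interfaces.get(s["mapped_if"])
        if ifc is None or not s["mapped_net"].overlaps(ifc.network):
            continue
        pool = pools.get(s["mapped_if"])
        in_pool = pool is not None and (pool[0] in s["mapped_net"] or pool[1] in s["mapped_net"])
        findings.append({
            "static": s["line"],
            "mapped_if": s["mapped_if"],
            "mapped_net": str(s["mapped_net"]),
            "interface_net": str(ifc.network),
            "covers_interface_ip": ifc.ip in s["mapped_net"],  # the ASA's own address
            "covers_dhcp_pool": in_pool,                        # the dhcpd range on that side
        })
    return findings


def audit(text):
    """Convenience wrapper: parse a config fragment and report overlapping statics."""
    return find_overlaps(*parse_config(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['static']}\n  mapped {f['mapped_net']} overlaps {f['mapped_if']} "
              f"({f['interface_net']}); covers interface IP: {f['covers_interface_ip']}, "
              f"covers dhcpd pool: {f['covers_dhcp_pool']}")
```

Run it against a real `show running-config` and every finding is a static whose mapped addresses collide with addresses the ASA itself uses on that interface; the identity static produces no finding because its mapped range is the inside subnet, not the dmz one.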