04-20-2012 08:25 AM - edited 03-11-2019 03:56 PM
I have a 1921 K9 router that has several DHCP pools configured. Before implementing the firewall they were all working. After implementing it they stopped working. I messed around and got the routed port GE0/1 handing out IP addresses and left it alone. Somehow it quit handing out IP addresses yesterday. I am not experienced with routers; I sort of had this dumped on me. I don't know if it's a quick fix or not (getting DHCP working on the interfaces), but if not, if someone could just link me to an article that will walk me through getting DHCP working on all of the interfaces it would be awesome.
Building configuration...
Current configuration : 18882 bytes
!
! Last configuration change at 10:05:36 NewYork Fri Apr 20 2012 by dave
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Bulldog
!
boot-start-marker
boot system usbflash0:c1900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.5.1 192.168.5.24
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.100.1 192.168.100.2
ip dhcp excluded-address 192.168.25.1 192.168.25.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.10 192.168.1.254
!
ip dhcp pool Noc
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.6 192.168.1.3
default-router 192.168.1.1
!
ip dhcp pool MGMT
network 192.168.101.0 255.255.255.240
dns-server 192.168.1.6 192.168.1.3
default-router 192.168.101.1
!
ip dhcp pool VDI
network 192.168.100.0 255.255.255.0
dns-server 192.168.1.6 192.168.1.3
default-router 192.168.100.1
!
ip dhcp pool App-Servers
network 192.168.25.0 255.255.255.240
dns-server 192.168.1.6 192.168.1.3
default-router 192.168.25.1
!
ip dhcp pool Ext-Servers
network 192.168.10.0 255.255.255.240
dns-server 192.168.1.6 192.168.1.3
default-router 192.168.10.1
!
ip dhcp pool Int-Server
network 192.168.5.0 255.255.255.240
dns-server 192.168.1.6 192.168.1.3
default-router 192.168.5.1
!
!
ip name-server 192.168.1.6
ip name-server 192.168.1.3
ip port-map kerberos port udp 88
ip port-map user-ldap port udp 389
ip port-map user-SOAP port tcp 9389
ip port-map user-DFSR port tcp 5722
ip port-map user-WINS port tcp 42
ip port-map user-GlobalCatalog port tcp from 3268 to 3269
ip port-map user-NetBiosNR port tcp 137 description NetBios Name Resolution
ip port-map user-RemoteDesktop port tcp 3389 description MS RDP
ip port-map user-SMB port tcp 445
ip port-map user-RPC port tcp from 49152 to 65535
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4227729276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4227729276
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-4227729276
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1448Y05L
!
!
!
redundancy
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any LANMan
description LAN Management
match protocol https
match protocol icmp
match protocol ssh
match protocol bootps
match protocol bootpc
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any DesktopAdmin
description Desktop Administrator Services
match protocol http
match protocol https
match protocol icmp
match protocol snmp
match protocol ssh
match protocol user-RemoteDesktop
class-map type inspect match-any user-ldap
match protocol user-ldap
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any DomainTrafficUDP
description UDP Traffic
match protocol user-ldap
match protocol netbios-ns
match protocol kerberos
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any DomainServerTraffic
description Server Ports
match protocol dns
match protocol ntp
match protocol msrpc
match protocol netbios-dgm
match protocol user-RPC
match protocol user-GlobalCatalog
match protocol user-SMB
match protocol user-DFSR
match protocol ldap
match protocol ldaps
match protocol smtp
match protocol user-WINS
match protocol user-NetBiosNR
match protocol user-SOAP
match protocol netbios-ssn
match protocol microsoft-ds
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-dmz-protocols
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
inspect
class class-default
drop log
policy-map type inspect LANMgmt
class type inspect LANMan
inspect
class class-default
drop log
policy-map type inspect DomainServices-Inspect
class type inspect DomainTrafficUDP
inspect
class type inspect DomainServerTraffic
inspect
class class-default
drop log
policy-map type inspect DesktopServices
description Remote Access and Desktop diag
class type inspect DesktopAdmin
inspect
class class-default
drop log
!
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security LAN
zone security INT-Servers
zone security App-Servers
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security In-LAN source in-zone destination LAN
service-policy type inspect LANMgmt
zone-pair security INTServers-Out source INT-Servers destination out-zone
service-policy type inspect ccp-inspect
zone-pair security INZone-zp-INT-Servers source in-zone destination INT-Servers
service-policy type inspect DesktopServices
zone-pair security INTServers-zp-InZone source INT-Servers destination in-zone
service-policy type inspect DomainServices-Inspect
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description NOC Link$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0/0
switchport mode trunk
!
interface GigabitEthernet0/0/1
switchport mode trunk
!
interface GigabitEthernet0/0/2
switchport mode trunk
!
interface GigabitEthernet0/0/3
switchport mode trunk
!
interface Vlan1
description $MGMT$
ip address 192.168.101.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Vlan5
description $Int-Servers$
ip address 192.168.5.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INT-Servers
!
interface Vlan10
description $Ext-Servers$$FW_DMZ$
ip address 192.168.10.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
!
interface Vlan25
description $App-Servers$
ip address 192.168.25.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security App-Servers
!
interface Vlan100
description $Usr-Desktops$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http access-class 4
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SwitchToDNS
remark CCP_ACL Category=128
permit ip host 192.168.101.2 host 192.168.1.3
permit ip host 192.168.101.2 host 192.168.1.6
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 192.168.10.2
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.100.0 0.0.0.255
access-list 3 permit 192.168.101.0 0.0.0.15
access-list 3 permit 192.168.5.0 0.0.0.15
access-list 3 permit 192.168.10.0 0.0.0.15
access-list 3 permit 192.168.25.0 0.0.0.15
access-list 4 remark Auto generated by SDM Management Access feature
access-list 4 remark CCP_ACL Category=1
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 100 permit udp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 100 deny tcp any host 192.168.1.1 eq telnet
access-list 100 deny tcp any host 192.168.1.1 eq 22
access-list 100 deny tcp any host 192.168.1.1 eq www
access-list 100 deny tcp any host 192.168.1.1 eq 443
access-list 100 deny tcp any host 192.168.1.1 eq cmd
access-list 100 deny udp any host 192.168.1.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 192.168.10.0 0.0.0.15 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 102 in
login local
transport input ssh
transport output ssh
line vty 5 15
access-class 101 in
privilege level 15
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 208.66.175.36 prefer source GigabitEthernet0/0
ntp server 64.90.182.55 prefer source GigabitEthernet0/0
ntp server 96.47.67.105 prefer source GigabitEthernet0/0
end
04-21-2012 10:57 AM
I can help you, but I'm gonna make some big changes to the config because this config is fu**ed up.
First question: Is there a specific reason why you use vlan-interfaces or is it OK if I tell you to use sub-interfaces?
04-21-2012 12:52 PM
I don't mind changing the config. This is my first time setting up a Cisco router. The reason I used the VLAN interfaces is because that was the first way I figured out how to get VLANs running on the router.
04-21-2012 03:34 PM
Ok, good.
I guess the G0/1 interface is connected to a switch?
For a configuration with subinterfaces, the interface of the switch connected to the router has to be in trunk mode, if it isn't already.
But it's really late here, so I will go to bed and help you out tomorrow.
04-22-2012 03:56 AM
OK, I attached a simple config that will work (hopefully).
I've made it pretty simple and just used three zones: inside, outside and DMZ. Before, you had one zone for every interface. I don't know if it has to be that way in your case, but I can help you configure that if you want it.
The old config had a lot of Windows server protocols in its inspection rules that are now removed. It would be more secure to have them, but then you would need more zones; you can probably play around in SDM/CCP to get them back.
I removed the IP address on the physical interface (G0/1) and put it on the G0/1.2 subinterface. It does not belong to a VLAN, because the servers that were on that subnet before didn't belong to one (I think), so I didn't want to make too big of a hassle for you.
It uses sub-interfaces, so the link between the switch and this router has to be trunked.
Any questions, just ask. I probably missed something.
04-22-2012 08:13 AM
I think I may have misunderstood your problem...
Is it just the clients connected to the G0/1 interface that don't receive an IP address through DHCP, but the clients connected to G0/0/0 - 3 get IP addresses?
In that case, do this:
no ip dhcp excluded-address 192.168.1.10 192.168.1.254
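Why that one line is the fix can be checked mechanically. The following Python script is an added example, not something from this thread: it parses the `ip dhcp excluded-address` and `ip dhcp pool` statements of an IOS config and counts how many host addresses each pool can still lease. The sample config is constructed from the DHCP lines posted above.

```python
import ipaddress
import re

# Constructed sample: the DHCP lines of the config posted in this thread,
# reduced to the statements that decide how many leases each pool can hand out.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.5.1 192.168.5.24
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.100.1 192.168.100.2
ip dhcp excluded-address 192.168.25.1 192.168.25.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.10 192.168.1.254
!
ip dhcp pool Noc
 network 192.168.1.0 255.255.255.0
!
ip dhcp pool MGMT
 network 192.168.101.0 255.255.255.240
!
ip dhcp pool VDI
 network 192.168.100.0 255.255.255.0
!
ip dhcp pool App-Servers
 network 192.168.25.0 255.255.255.240
!
ip dhcp pool Ext-Servers
 network 192.168.10.0 255.255.255.240
!
ip dhcp pool Int-Server
 network 192.168.5.0 255.255.255.240
"""


def parse_dhcp(config):
    """Return (pools, excluded): pool name -> IPv4Network, and (low, high) int pairs."""
    pools = {}
    excluded = []
    current = None  # name of the pool whose sub-commands we are reading
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            current = None  # '!' ends the current pool block
            continue
        m = re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line)
        if m:  # the single-address form has no second operand
            lo = int(ipaddress.IPv4Address(m.group(1)))
            hi = int(ipaddress.IPv4Address(m.group(2) or m.group(1)))
            excluded.append((min(lo, hi), max(lo, hi)))
            continue
        m = re.match(r"ip dhcp pool (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"network (\S+) (\S+)$", line)
        if m and current:  # 'network <addr> <mask>' inside a pool block
            pools[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return pools, excluded


def free_addresses(pools, excluded):
    """Per pool, count host addresses that no excluded-address range covers."""
    return {name: sum(1 for h in net.hosts()
                      if not any(lo <= int(h) <= hi for lo, hi in excluded))
            for name, net in pools.items()}


if __name__ == "__main__":
    for name, n in free_addresses(*parse_dhcp(SAMPLE_CONFIG)).items():
        print(f"{name:12s} {n:4d} assignable address(es)")
```

On the posted config it reports zero assignable addresses for two pools: the overlapping exclusions 192.168.1.1 to .10 and 192.168.1.10 to .254 cover every host in 192.168.1.0/24 (the G0/1 subnet), and 192.168.5.1 to 192.168.5.24 covers the whole 192.168.5.0/28 Int-Server pool as well.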
04-23-2012 01:03 PM
I sent you a PM. I loaded the config, but it has made the router unusable. None of the interfaces work, either via DHCP or static IP address, and I am unable to connect to the router via SSH from 192.168.1.0 (GE0/1). I am in the process of reloading the old config; I have never had to restore a config via the CLI before. Hopefully finding the process will be easier than getting a USB console connection working (Device Manager kept installing the virtual console interface wrong); I eventually had to go buy a serial cable and connect via that. I would still like to use the sub-interfaces if possible.
04-23-2012 02:20 PM
Shit, I knew I should have deleted my earlier post, because in my second post I posted what I think was the solution to your problem.
04-23-2012 02:23 PM
If you connect directly to the router with a cross-over cable, with an IP address on your computer of 192.168.1.2/24, it should work for you to connect to it via the GUI.
04-24-2012 09:41 AM
Alright, I have a cross-over cable; I will use it next time. What exactly do you mean by your second post? Are you talking about this line:
no ip dhcp excluded-address 192.168.1.10 192.168.1.254
I went ahead and restored an earlier version of the config. I am going to try and take some of your advice by shutting down Vlan1 and implementing sub-interfaces.
04-24-2012 10:41 AM
Look at the PM I sent you before you do something.
"no ip dhcp excluded-address 192.168.1.10 192.168.1.254" should have fixed your problems without changing the whole config. Sorry for that.