PC not getting IP in transparent ASA

mahesh18
Level 6

Hi everyone,

The ASA 505 is connected to a layer 3 switch.

The ASA is in transparent mode.

The layer 3 switch has SVI Vlan 20 and also has a DHCP server for VLAN 20.

The PC connected to the transparent switch is not able to get an IP address from the layer 3 switch.

I have configured the ACL on the outside interface of the ASA to allow the DHCP reply coming from the switch.

When I assign a static IP to the PC connected to port eth0/1 of the ASA it works fine.

ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
!
interface Vlan13
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan20
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 192.168.20.59 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
object network Broadcast
 host 255.255.255.255
object network Dhcp-Server
 host 192.168.20.3
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
access-list inside_access_in_1 extended permit ip any any
pager lines 24
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group inside_access_in_1 in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
: end
ciscoasa#

Thanks

mahesh

4 Replies

Jouni Forss
VIP Alumni

Hi,

Try these changes:

interface Vlan20
 security-level 100

same-security-traffic permit inter-interface

access-list OUTSIDE-IN permit icmp host any echo
access-list OUTSIDE-IN permit udp any host 255.255.255.255 eq bootpc
access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc

no access-group Outside_access_in in interface Outside
access-group OUTSIDE-IN in interface outside

- Jouni

Hi Jouni,

It worked great as always.

I got this ASA Security plus license few days back so trying to learn some concepts in home lab.

I need to understand the reason for these 2 ACLs:

1> access-list OUTSIDE-IN permit icmp host any echo

I already have ICMP under the global policy, so why do we use the above ACL?

Also, this ACL has a hit count of 0.

2> When we already have an ACL allowing the BootPC reply from any host to the broadcast address, why do we need this second ACL?

access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc

This ACL also has a hit count of 0.

Thanks

mahesh

Hi,

Even though "inspect icmp" is configured on the ASA, it still doesn't mean that you don't need ACLs to allow the initial ICMP messages. If we have an ACL on the "outside" interface and have not allowed ICMP, then it naturally would get blocked by the ACL even though we had "inspect icmp" enabled.

The DHCP server might use ICMP, so we allow it from the direction of the DHCP server.

The other ACL line allows DHCP ACK messages to get through from the DHCP server to the client PC (whose address might be something from the 192.168.20.0/24 network).

- Jouni
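Added example (mine, not from the thread or from Cisco): a small Python model of the interface-ACL evaluation Jouni describes. It shows why the poster's original Outside ACL passes the broadcast DHCPOFFER yet drops a unicast DHCPACK (the reply a client gets when it renews its lease by unicast) and the ICMP echo some DHCP servers send to probe an address before offering it. The third entry follows my reading of Jouni's second bootpc line as "server to 192.168.20.0/24"; the client address 192.168.20.77 is made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

BOOTPC = 68  # UDP port the DHCP client listens on; every server reply targets it

@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # UDP destination port
    icmp_type: Optional[str] = None
@dataclass(frozen=True)
class Ace:  # one access-list entry; "any" is modelled as 0.0.0.0/0
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)
def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != pkt.proto or ace.dport not in (None, pkt.dport):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.icmp_type in (None, pkt.icmp_type)
def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; an ASA access-list ends with an implicit deny."""
    return any(ace_matches(ace, pkt) for ace in acl)

# The poster's Outside_access_in: only server -> limited broadcast, port bootpc.
ORIGINAL = [Ace("udp", net("192.168.20.3"), net("255.255.255.255"), dport=BOOTPC)]
# The accepted fix; its third line is read as "server -> 192.168.20.0/24 eq bootpc".
FIXED = [
    Ace("icmp", net("any"), net("any"), icmp_type="echo"),
    Ace("udp", net("any"), net("255.255.255.255"), dport=BOOTPC),
    Ace("udp", net("192.168.20.3"), net("192.168.20.0/24"), dport=BOOTPC),
]

def compare() -> dict:
    """(original, fixed) verdicts for constructed packets entering Outside; 192.168.20.77 is a sample client."""
    flows = {
        "offer_broadcast": Packet("udp", "192.168.20.3", "255.255.255.255", dport=BOOTPC),
        "ack_unicast_renew": Packet("udp", "192.168.20.3", "192.168.20.77", dport=BOOTPC),
        "echo_conflict_probe": Packet("icmp", "192.168.20.3", "192.168.20.77", icmp_type="echo"),
    }
    return {n: (acl_permits(ORIGINAL, p), acl_permits(FIXED, p)) for n, p in flows.items()}
```

Running `compare()` gives `(True, True)` for the broadcast offer but `(False, True)` for the unicast ACK and the echo probe, which is the gap the two extra lines close.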

Hi Jouni,

I tested this.

I removed the ACL

1> access-list OUTSIDE-IN permit icmp host any echo

Rebooted the ASA and the PC.

The PC gets the IP from the switch and it works fine.

Regards

Mahesh
