cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
603
Views
0
Helpful
7
Replies

GigabitEthernet1/2.2 DHCP not configuring clients

Hi Guys,

 

Would greatly appreciate your help on this, so I have configured a new sub interface ob Vlan 20

and only need DHCP for these clients. problem is that no DHCP is reaching any clients.

if i configure a static IP on one of the clients I can ping the gateway on this Vlan 192.168.200.1 and I can access the internet 

so it seems to me that only DHCP is not working, below is my running-config for this router

 

cisco# show running-config
: Saved

:
: Serial Number: *********
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.10(1)
!
hostname cisco
domain-name lfec.local
enable password ***** pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
ip local pool MOBILE_VPN_POOL *.*.*.*-*.*.*.* mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/2.2
description Guest WiFi
vlan 20
nameif insideGuest
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif ISP2
security-level 0
ip address dhcp setroute
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
banner motd ******************************************************************************
banner motd You are entering a restricted network device. This communication constitutes
banner motd an electronic communication within the scope of the Electronic Communication
banner motd Privacy Act, 18 USCA 2510. The unlawful interception, use, or disclosure of
banner motd such information is strictly prohibited under 18 USCA 2511 and any applicable
banner motd laws. Violators will be prosecuted to the fullest extent of the law.
banner motd ******************************************************************************
boot system disk0:/asa9101-lfbff-k8.SPA
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name lfec.local
object service OUTSIDE_TCP_81
service tcp source eq 81
object service INSIDE_TCP_81
service tcp source eq 81
object service OUTSIDE_UDP_81
service udp source eq 81
object service INSIDE_UDP_81
service udp source eq 81
object service OUTSIDE_TCP_37777
service tcp source eq 37777
object service INSIDE_TCP_37777
service tcp source eq 37777
object service OUTSIDE_UDP_37777
service udp source eq 37777
object service INSIDE_UDP_37777
service udp source eq 37777
object network INSIDE_SERVER_DVR
host 10.10.10.108
object network INSIDE_NETWORK
subnet 10.10.10.0 255.255.255.0
object network MOBILE_VPN_POOL
subnet *.*.*.* 255.255.255.0
object network OUTSIDE_OFFICE
subnet 10.10.20.0 255.255.255.0
object network NEC-Phone
host 10.10.10.107
object service OUTSIDE_TCP_10443
service tcp source eq 10443
object service INSIDE_TCP_10443
service tcp source eq 10443
object service OUYSIDE_TCP_8000
service tcp source eq 8000
object service INSIDE_TCP_8000
service tcp source eq 8000
object network insideGuest
subnet 192.168.200.0 255.255.255.0
access-list OUTSIDE_ACCESS_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_ACCESS_IN extended permit icmp any any unreachable
access-list OUTSIDE_ACCESS_IN extended permit tcp any object INSIDE_SERVER_DVR eq 81
access-list OUTSIDE_ACCESS_IN extended permit udp any object INSIDE_SERVER_DVR eq 81
access-list OUTSIDE_ACCESS_IN extended permit tcp any object INSIDE_SERVER_DVR eq 37777
access-list OUTSIDE_ACCESS_IN extended permit udp any object INSIDE_SERVER_DVR eq 37777
access-list OUTSIDE_ACCESS_IN extended permit tcp any object NEC-Phone eq 10443
access-list OUTSIDE_ACCESS_IN extended permit tcp any object NEC-Phone eq 8000
access-list MOBILE_VPN_SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list LWR2PARRISH extended permit ip object INSIDE_NETWORK object OUTSIDE_OFFICE
access-list ACL_QOS_DATA_PRIORITY1 extended permit ip host 10.10.10.5 any
access-list outside_cryptomap_1 extended permit ip object INSIDE_NETWORK object OUTSIDE_OFFICE
access-list outside_cryptomap extended permit ip object INSIDE_NETWORK object OUTSIDE_OFFICE
pager lines 24
logging enable
logging timestamp
logging buffer-size 52428800
logging buffered notifications
logging asdm informational
flow-export destination inside 10.10.10.5 2055
flow-export template timeout-rate 15
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
mtu ISP2 1500
mtu insideGuest 1500
no failover
no monitor-interface insideGuest
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_TCP_81 INSIDE_TCP_81
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_UDP_81 INSIDE_UDP_81
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_TCP_37777 INSIDE_TCP_37777
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_UDP_37777 INSIDE_UDP_37777
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static MOBILE_VPN_POOL MOBILE_VPN_POOL
nat (inside,outside) source static NEC-Phone interface service OUTSIDE_TCP_10443 INSIDE_TCP_10443
nat (inside,outside) source static NEC-Phone interface service OUYSIDE_TCP_8000 INSIDE_TCP_8000
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static OUTSIDE_OFFICE OUTSIDE_OFFICE no-proxy-arp route-lookup
!
object network INSIDE_NETWORK
nat (inside,outside) dynamic interface
object network insideGuest
nat (insideGuest,outside) dynamic interface
!
nat (inside,ISP2) after-auto source dynamic INSIDE_NETWORK interface
access-group OUTSIDE_ACCESS_IN in interface outside
access-group OUTSIDE_ACCESS_IN in interface ISP2
route outside 0.0.0.0 0.0.0.0 *.*.*.* track 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.10.10.5 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
sla monitor 1
type echo protocol ipIcmpEcho 9.9.9.9 interface outside
timeout 3000
frequency 20
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map DYNAMIC_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNAMIC_MAP 65535 set security-association lifetime seconds 86400
crypto map OUTSIDE_MAP 1 match address outside_cryptomap_1
crypto map OUTSIDE_MAP 1 set peer *.*.*.*
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 2 match address outside_cryptomap
crypto map OUTSIDE_MAP 2 set peer *.*.*.*
crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_MAP 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_MAP 10 match address LWR2PARRISH
crypto map OUTSIDE_MAP 10 set pfs
crypto map OUTSIDE_MAP 10 set peer *.*.*.*
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNAMIC_MAP
crypto map OUTSIDE_MAP interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 ISP2
ssh timeout 30
ssh version 2
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0

!
dhcpd address 192.168.200.2-192.168.200.254 insideGuest
dhcpd dns 8.8.8.8 interface insideGuest
dhcpd lease 36000 interface insideGuest
dhcpd domain guest interface insideGuest
dhcpd enable insideGuest
!
dhcprelay timeout 60
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_*.*.*.* internal
group-policy GroupPolicy_*.*.*.* attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MOBILE_VPN_SPLIT_TUNNEL
address-pools value MOBILE_VPN_POOL
dynamic-access-policy-record DfltAccessPolicy
username mike password ***** pbkdf2 privilege 15
username cisco password ***** pbkdf2 privilege 15
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
address-pool MOBILE_VPN_POOL
default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
group-alias VPN enable
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map flow_export_class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
class flow_export_class
flow-export event-type all destination 10.10.10.5
class class-default
set connection decrement-ttl
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:*********************************
: end

1 Accepted Solution

Accepted Solutions

Hello,

 

try to add the access list below:


access-list insideGuest_access_in extended permit ip any any

access-group insideGuest_access_in in interface insideGuest

 

Also, you might need:


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

View solution in original post

7 Replies 7

your dhcpd-config looks good to me. Are you running something like dhcp-snooping on the switch between the ASA and the client? If that is misconfigured, your dhcp-packets could get dropped. If yes, make sure that the interface to the ASA is configured as trusted.

 

Hi Karsten,

 

Thanks for your reply, no there is no dhcp-snooping and dhcp works from the server to the clients via the same switch

This is the error from running the diagnostics packet capture: 0.0.0.0.68 > 255.255.255.255.67: udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule. 

Hello,

 

try to add the access list below:


access-list insideGuest_access_in extended permit ip any any

access-group insideGuest_access_in in interface insideGuest

 

Also, you might need:


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Worked, Thank you Georg!

I would also update to a more recent firmware. All the X.Y(1) releases were never really famous ...

I am interested in the comment that DHCP works to clients on the same switch. We see only a single dhcp scope. Please help us understand better what does work and what does not work. 

HTH

Rick

Thanks for your response Richard, yeah DHCP from the server (windows server) provides DHCP to the rest of the network just fine. Georg Pauwen's suggestion solved the issue!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco