02-03-2021 07:10 AM
I recently got hired as a network admin at a small company. They have a single ASA5505 running 8.2(5) as the core layer 3 and DHCP server. The network also includes four layer 2 switches that operate as unmanaged on VLAN 1 ONLY. My employer is not interested in upgrading nor purchasing a later model ASA. The environment is currently running a flat network of 192.168.10.0/24. He wants the network to have multiple VLANs to separate the clients per department.
My implementation:
1. I've already created all VLANs on all 4 of the switches (10, 20, 30)
2. I've created trunk links between the ports of the 4 switches
3. I've created the same VLANs on the ASA
int vlan 10
nameif inside-sales
security-level 100
ip address 10.0.10.1 255.255.255.0
no shut
int vlan 20
nameif inside-admin
security-level 100
ip add 10.0.20.1 255.255.255.0
no shut
int vlan 30
nameif inside-comms
security-level 100
ip add 10.0.30.1 255.255.255.0
no shut
same-security-traffic permit inter-interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x
int e0/0
nameif outside
security-level 0
switchport access vlan 2
int e0/1
switchport mode trunk
switchport trunk allowed vlan 1,2,10,20,30
dhcpd address 10.0.10.10-10.0.10.250 inside-sales
dhcpd dns x.x.x.x x.x.x.x interface inside-sales
dhcpd domain mydomain interface inside-sales
dhcpd option 3 ip 10.0.10.1 interface inside-sales
dhcpd enable inside-sales
dhcpd address 10.0.20.10-10.0.20.250 inside-admin
dhcpd dns x.x.x.x x.x.x.x interface inside-admin
dhcpd domain mydomain interface inside-admin
dhcpd option 3 ip 10.0.20.1 interface inside-admin
dhcpd enable inside-admin
dhcpd address 10.0.30.10-10.0.30.250 inside-comms
dhcpd dns x.x.x.x x.x.x.x interface inside-comms
dhcpd domain mydomain interface inside-comms
dhcpd option 3 ip 10.0.30.1 interface inside-comms
dhcpd enable inside-comms
For some reason, the PCs are not getting an IP address from the DHCP server, nor do they have internet connectivity. What am I doing wrong?
02-04-2021 12:39 PM
Hey guys. I found the problem. It was the native VLAN. On a switch/router the native VLAN defaults to VLAN 1. BUT on an ASA 5505, once you set up a trunk link, you have to set a native VLAN, otherwise there will be no native VLAN for the trunk. The same thing applies for allowed VLANs on the trunk.
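The accepted answer comes down to three things that have to agree on the 5505: the trunk's native VLAN, the trunk's allowed-VLAN list, and the SVIs (and DHCP scopes) behind it. The following Python linter is an added example, not code from any poster in this thread or from Cisco. It parses the `show running-config` text form (interface subcommands indented by one space) and flags a trunk with no explicit native VLAN, a trunk whose allowed list omits an inside SVI VLAN, a trunk that carries the security-level 0 VLAN next to inside VLANs, and a `dhcpd address` scope bound to a nameif that no SVI defines. The two sample configs are constructed to mirror the mistakes discussed above; they are not the poster's real configuration, and the "every inside SVI VLAN must be on the trunk" check assumes this thread's single-trunk topology.

```python
"""Lint an ASA 5505 running-config for the trunk/SVI/DHCP mismatches discussed in this thread.
Assumes 'show running-config' layout (interface subcommands indented by one space)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Port:
    name: str
    mode: str = "access"
    native_vlan: Optional[int] = None
    allowed: Optional[Set[int]] = None  # None = no 'allowed vlan' list configured

@dataclass
class Svi:
    vlan: int
    nameif: Optional[str] = None
    security_level: Optional[int] = None

def expand_vlan_list(spec: str) -> Set[int]:
    # Expand an IOS/ASA-style list such as '1,2,10-12' into a set of VLAN ids.
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> Tuple[Dict[str, Port], Dict[int, Svi], List[str]]:
    ports: Dict[str, Port] = {}
    svis: Dict[int, Svi] = {}
    scopes: List[str] = []  # nameif that each 'dhcpd address' scope is bound to
    current = None  # the Port or Svi whose subcommands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a global-mode line ends any interface block
            current = None
            if m := re.match(r"interface (Ethernet\S+)$", line, re.I):
                current = ports.setdefault(m.group(1), Port(m.group(1)))
            elif m := re.match(r"interface Vlan(\d+)$", line, re.I):
                current = svis.setdefault(int(m.group(1)), Svi(int(m.group(1))))
            elif m := re.match(r"dhcpd address \S+ (\S+)$", line):
                scopes.append(m.group(1))
        elif isinstance(current, Port):
            if line == "switchport mode trunk":
                current.mode = "trunk"
            elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
                current.native_vlan = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan (\S+)$", line):
                current.allowed = expand_vlan_list(m.group(1))
        elif isinstance(current, Svi):
            if m := re.match(r"nameif (\S+)$", line):
                current.nameif = m.group(1)
            elif m := re.match(r"security-level (\d+)$", line):
                current.security_level = int(m.group(1))
    return ports, svis, scopes

def lint(text: str) -> List[str]:
    # Returns findings as strings; an empty list means the config passed every check.
    ports, svis, scopes = parse_config(text)
    named = {v: s for v, s in svis.items() if s.nameif}
    inside = {v for v, s in named.items() if s.security_level != 0}
    findings: List[str] = []
    for p in ports.values():
        if p.mode != "trunk":
            continue
        if p.native_vlan is None:  # the root cause the accepted answer identified
            findings.append(f"{p.name}: trunk has no native VLAN; add 'switchport trunk native vlan <id>'")
        if p.allowed is not None:
            if missing := sorted(inside - p.allowed):
                findings.append(f"{p.name}: allowed-VLAN list omits inside SVI VLAN(s) {missing}")
            levels = {named[v].security_level for v in p.allowed if v in named}
            if 0 in levels and len(levels) > 1:
                findings.append(f"{p.name}: carries the security-level 0 VLAN alongside inside VLANs")
    for nameif in scopes:
        if nameif not in {s.nameif for s in named.values()}:
            findings.append(f"dhcpd scope bound to '{nameif}', but no SVI has that nameif")
    return findings

# Constructed sample: no native VLAN, allowed list drops VLAN 30, outside VLAN 2 trunked inward, typo'd nameif.
BROKEN = """\
interface Vlan2
 nameif outside
 security-level 0
interface Vlan10
 nameif inside-sales
 security-level 100
interface Vlan30
 nameif inside-comms
 security-level 100
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,2,10
dhcpd address 10.0.10.10-10.0.10.250 inside-sales
dhcpd address 10.0.30.10-10.0.30.250 inside-coms
"""
# The same constructed config with every finding fixed.
FIXED = BROKEN.replace(
    " switchport trunk allowed vlan 1,2,10",
    " switchport trunk native vlan 1\n switchport trunk allowed vlan 1,10,30",
).replace("inside-coms", "inside-comms")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or ["OK"])
```

Run it against a saved `show running-config` by reading the file into `lint()`; the broken sample produces four findings and the fixed one none. The security-level check is there because the original post trunks VLAN 2 (the outside interface) down the same link as the inside VLANs, which means any switch port placed in VLAN 2 lands on the outside segment; keeping the outside VLAN off the inside trunk is the cheaper fix.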
02-03-2021 08:04 AM
Follow the guide below; it should help you:
https://www.networkstraining.com/cisco-asa-dhcp-server-multiple-internal-lans/
02-03-2021 08:18 AM
This article is very good, but the ASA 5505 uses switchports, so I cannot create sub-interfaces as described in the article.
02-03-2021 08:37 AM
Configure it according to the suggested document. If it is still not working, post the switch and ASA config.
02-03-2021 08:10 AM
Your info does not mention that the switchport connected to the ASA is configured as a trunk -> please check.
Also check that this port is not blocked by spanning-tree.
02-03-2021 08:15 AM
Yes, I forgot to mention, but all switches are connected via trunk links, and the switch that is connected to the ASA is also connected via a trunk link.
I am aware that on the ASA 5505 all the ports are switch ports, so I also have the inside port (e0/1) of the ASA configured as a trunk as well.
02-03-2021 08:39 AM
Hello,
remove the allowed Vlans from the trunks (both on the ASA and the connecting switch):
ASA
int e0/1
--> switchport mode trunk
Switch
interface GigabitEthernet0/0
--> switchport mode trunk
What is the ASA connected to on the outside? There is no Vlan 2 interface, and no NAT.
02-03-2021 08:52 AM
Thanks for the reply. I did as you suggested and removed the specified VLANs, but it is still not working.
I did exclude some of the configuration, like NAT and the VLAN 2 (outside/public interface) config, but I know these are working.
02-03-2021 08:55 AM
Hello,
OK. Is the link actually up/up on both sides? What if you assign a static IP address to one of the clients, can that client then ping the Vlan interface?
02-03-2021 09:06 AM
Check if the interface connected to the switch supports subinterfaces (I think you need the Security Plus license installed for that):
int e0/1.10
description inside-sales
vlan 10
nameif inside-sales
security-level 100
ip address 10.0.10.1 255.255.255.0
02-03-2021 09:42 AM
Thanks for the feedback. Yes, the license is Security Plus. This 5505 does not support sub-interfaces, so I cannot use (e0/1.10). I would have to set up SVIs with a trunk link, but even that is not working.
02-03-2021 10:09 AM
Hello,
I wasn't sure if that ASA does or does not support subinterfaces... it does not, apparently.
How about the static IP address on a client? Does that work?
02-03-2021 02:03 PM
@TrevilBaker5009 wrote:
They have a single ASA5505 running 8.2(5) as the core layer 3 and DHCP server.
Pay close attention to the Exploitation and Public Announcements section, which states:
The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory.