what am I doing wrong with this configuration

TrevilBaker5009
Level 1

I recently got hired as a network admin at a small company. They have a single ASA5505 running 8.2(5) as the core layer 3 and DHCP server. The network also includes four layer 2 switches that operate as unmanaged on VLAN 1 ONLY. My employer is not interested in upgrading nor purchasing a later model ASA. The environment is currently running a flat network of 192.168.10.0/24. He wants the network to have multiple VLANs to separate the clients per department.

 

My implementation:

1. I've already created all VLANs on all 4 of the switches (10, 20, 30)

2. I've created trunk links between the ports of the 4 switches

3. I've created the same VLANs on the ASA

int vlan 10
 nameif inside-sales
 security-level 100
 ip address 10.0.10.1 255.255.255.0
 no shut

int vlan 20
 nameif inside-admin
 security-level 100
 ip add 10.0.20.1 255.255.255.0
 no shut

int vlan 30
 nameif inside-comms
 security-level 100
 ip add 10.0.30.1 255.255.255.0
 no shut

same-security-traffic permit inter-interface

route outside 0.0.0.0 0.0.0.0 x.x.x.x

int e0/0
 nameif outside
 security-level 0
 switchport access vlan 2

int e0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,2,10,20,30

dhcpd address 10.0.10.10-10.0.10.250 inside-sales
dhcpd dns x.x.x.x x.x.x.x interface inside-sales
dhcpd domain mydomain interface inside-sales
dhcpd option 3 ip 10.0.10.1 interface inside-sales
dhcpd enable inside-sales

dhcpd address 10.0.20.10-10.0.20.250 inside-admin
dhcpd dns x.x.x.x x.x.x.x interface inside-admin
dhcpd domain mydomain interface inside-admin
dhcpd option 3 ip 10.0.20.1 interface inside-admin
dhcpd enable inside-admin

dhcpd address 10.0.30.10-10.0.30.250 inside-comms
dhcpd dns x.x.x.x x.x.x.x interface inside-comms
dhcpd domain mydomain interface inside-comms
dhcpd option 3 ip 10.0.30.1 interface inside-comms
dhcpd enable inside-comms

 

For some reason, the PCs are not getting an IP address from the DHCP server, nor do they have internet connectivity. What am I doing wrong?

balaji.bandi
Hall of Fame

This article is very good, but the ASA 5505 is using switchports, so I cannot create sub-interfaces as described in the article.

Make the changes according to the suggested document. If it is still not working, post the switch and ASA config.
BB


pieterh
VIP

Your info does not mention that the switchport connected to the ASA is configured as a trunk; please check.
Also check that this port is not blocked by spanning tree.

Yes, I forgot to mention, but all switches are connected via trunk links, and the switch that is connected to the ASA is also connected via a trunk link.

I am aware that on the ASA 5505 all the ports are switch ports, so I also have the inside port (e0/1) of the ASA configured as a trunk.

Hello,

Remove the allowed VLANs from the trunks (both on the ASA and the connecting switch):

 

ASA

int e0/1
--> switchport mode trunk

Switch

interface GigabitEthernet0/0
--> switchport mode trunk

What is the ASA connected to on the outside? There is no Vlan 2 interface, and no NAT.

Thanks for the reply. I did as you suggested and removed the specified VLANs, but it is still not working.

I did exclude some of the configuration, like NAT and the VLAN 2 (outside/public interface) config, but I know these are working.

Hello,

OK. Is the link actually up/up on both sides? What if you assign a static IP address to one of the clients; can that client then ping the VLAN interface?

Check if the interface connected to the switch supports subinterfaces (I think you need the Security Plus license installed for that):

 

int e0/1.10
description inside-sales
vlan 10
nameif inside-sales
security-level 100
ip address 10.0.10.1 255.255.255.0

Thanks for the feedback. Yes, the license is Security Plus. This 5505 does not support sub-interfaces, so I cannot use (e0/1.10). I would have to set up SVIs with a trunk link, but even that is not working.

Hello,

I wasn't sure if that ASA does or does not support subinterfaces... it does not, apparently.

 

How about the static IP address on a client ? Does that work ?

Leo Laohoo
Hall of Fame

@TrevilBaker5009 wrote:

They have a single ASA5505 running 8.2(5) as the core layer 3 and DHCP server.


Please read Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability.

Pay close attention to the Exploitation and Public Announcements section, which states: 

The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory.

TrevilBaker5009
Level 1

Hey guys. I found the problem. It was the native VLAN. On a switch/router the native VLAN defaults to VLAN 1. BUT on an ASA 5505, once you set up a trunk link, you have to set a native VLAN; otherwise there will be no native VLAN for the trunk. The same thing applies for allowed VLANs on the trunk.
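The native-VLAN and allowed-VLAN point in the accepted answer, together with the per-interface DHCP configuration in the first post, can be checked mechanically before a config is pushed. The Python script below is an added example, not code from this thread or from Cisco: it parses a constructed ASA 5505 style config (interface names written out in full, values modelled on the first post but not its verbatim text) and flags a trunk with no `switchport trunk native vlan`, SVIs missing from the trunk's allowed list, and DHCP pools or option 3 addresses that do not fit their VLAN interface. The only ASA command it recognises that is not quoted on this page is `switchport trunk native vlan`, which the accepted answer refers to without quoting; the checker itself is hypothetical.

```python
"""Lint an ASA 5505 style config for the trunk and DHCP mistakes discussed in this thread."""
import ipaddress
import re

# Constructed sample resembling the thread's layout; not the poster's verbatim config.
BASE = """
interface Vlan10
 nameif inside-sales
 ip address 10.0.10.1 255.255.255.0
interface Vlan30
 nameif inside-comms
 ip address 10.0.30.1 255.255.255.0
dhcpd address 10.0.10.10-10.0.10.250 inside-sales
dhcpd option 3 ip 10.0.10.1 interface inside-sales
dhcpd address 10.0.30.10-10.0.30.250 inside-comms
"""
# Trunk as in the first post (no native VLAN); VLAN 30 also left off the allowed list and a mistyped router.
BROKEN_CONFIG = BASE + """
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,2,10
dhcpd option 3 ip 10.0.3.1 interface inside-comms
"""
# Trunk after the accepted fix: native VLAN set explicitly, every SVI allowed, router corrected.
FIXED_CONFIG = BASE + """
interface Ethernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2,10,30
dhcpd option 3 ip 10.0.30.1 interface inside-comms
"""

def expand_vlan_list(spec):
    """Turn a comma-separated allowed-VLAN spec such as '1,2,10' into a set of ints."""
    return {int(v) for v in spec.split(",") if v}

def parse_asa(config):
    """Collect VLAN interfaces, switchport trunk settings and dhcpd pools/routers."""
    vlans, trunks, pools, routers = {}, {}, {}, {}
    current = None  # ("vlan", id) or ("port", name) while inside an interface block
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dhcpd "):  # global command, so any interface block ends here
            current = None
            if m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line):
                pools[m[3]] = (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]))
            elif m := re.match(r"dhcpd option 3 ip (\S+) interface (\S+)$", line):
                routers[m[2]] = ipaddress.IPv4Address(m[1])
        elif m := re.match(r"interface Vlan(\d+)$", line, re.I):
            current = ("vlan", int(m[1]))
            vlans[current[1]] = {"nameif": None, "iface": None}
        elif m := re.match(r"interface (\S+)$", line, re.I):
            current = ("port", m[1])
            trunks[current[1]] = {"trunk": False, "allowed": None, "native": None}
        elif current and current[0] == "vlan":
            if m := re.match(r"nameif (\S+)$", line):
                vlans[current[1]]["nameif"] = m[1]
            elif m := re.match(r"ip address (\S+) (\S+)$", line):
                vlans[current[1]]["iface"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif current and current[0] == "port":
            port = trunks[current[1]]
            if line == "switchport mode trunk":
                port["trunk"] = True
            elif m := re.match(r"switchport trunk allowed vlan (\S+)$", line):
                port["allowed"] = expand_vlan_list(m[1])
            elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
                port["native"] = int(m[1])
    return vlans, trunks, pools, routers

def lint_asa(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    vlans, trunks, pools, routers = parse_asa(config)
    by_name = {v["nameif"]: v["iface"] for v in vlans.values() if v["nameif"] and v["iface"]}
    findings = []
    for port, t in trunks.items():
        if not t["trunk"]:
            continue
        if t["native"] is None:
            findings.append(f"{port}: trunk has no 'switchport trunk native vlan' (untagged frames have nowhere to go)")
        if t["allowed"] is not None:
            missing = sorted(vid for vid in vlans if vid not in t["allowed"])
            if missing:
                findings.append(f"{port}: VLAN interface(s) {missing} are not in the trunk's allowed list")
    for name, (start, end) in pools.items():
        iface = by_name.get(name)
        if iface is None:
            findings.append(f"dhcpd pool '{name}': no VLAN interface uses that nameif")
        elif start not in iface.network or end not in iface.network:
            findings.append(f"dhcpd pool '{name}': {start}-{end} lies outside {iface.network}")
        elif (router := routers.get(name)) is not None and router != iface.ip:
            findings.append(f"dhcpd option 3 for '{name}' is {router}, interface address is {iface.ip}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, *(lint_asa(cfg) or ["no findings"]), sep="\n  ")
```

Run against the "as posted" sample it reports three findings (missing native VLAN, VLAN 30 absent from the allowed list, option 3 not matching the inside-comms address); against the fixed sample it reports none. The checks are deliberately conservative: a port without `switchport mode trunk` is ignored, and an absent allowed list is treated as "all VLANs", which is also what the thread's suggestion to drop the allowed list relies on.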
