
DHCP issue On Cisco 3650

Hello,

We have a weird issue here with a 3650 switch. We have it configured to give out DHCP addresses; below are the details:

Network: 10.106.148.0 255.255.254.0 (/23)

Default router: 10.106.148.2

Vlan 148: IP: 10.106.148.2 255.255.254.0

The issue is: a client that gets an address assigned in the 148 range works perfectly fine and can browse the internet, but clients that get an address assigned in the 10.106.149.0 range cannot browse the internet. Can you help?

66 Replies

You don't seem to have an ACL specific to this network, or it is inside an object.

What about NAT? 

packet-tracer input inside tcp 10.106.149.5 1234 1.1.1.1 433 detail

Share the output of the above.

Sorry, can you explain this more and what needs to be done?

We need to check which ACL or NAT the traffic from .149 hits.

OK. So I run this command on the ASA?

packet-tracer input inside tcp 10.106.149.5 1234 1.1.1.1 433 detail

Then what?

Here is the NAT on ASA:- 

AQUA-ASA# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Aqua-Secuirty-Network Aqua-Secuirty-Network destination static Remote-Radisson-Network Remote-Radisson-Network no-proxy-arp route-lookup
translate_hits = 10064131, untranslate_hits = 12239536
2 (inside) to (outside) source static OBJ_10.106.0.0 OBJ_10.106.0.0 destination static OBJ_10.0.12.0 OBJ_10.0.12.0 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.30.0_26 NETWORK_OBJ_10.1.30.0_26 no-proxy-arp route-lookup
translate_hits = 2638, untranslate_hits = 3582

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static building_automation2 interface service tcp https https
translate_hits = 0, untranslate_hits = 7075
2 (inside) to (outside) source static building_automation_sys interface service tcp https https
translate_hits = 0, untranslate_hits = 1063
3 (inside) to (outside) source dynamic OBJ-NAT-ALL interface
translate_hits = 7272015, untranslate_hits = 134877

And is the switch connected directly to the firewall, or are there other devices in between?

Direct.

So 10.106.148.2 is one interface on the firewall?

This may be a huge output, but can you share the show xlate?

10.106.148.2 is the VLAN on the core switch. How about sh tech?

show tech would be even bigger.

Yes, 10.106.148.2 is the core. But you have an interface on the firewall on this same network, right?

Different VLAN. 10.0.76.5

Then you have something in between, and you have a route on the firewall.

Please send the show route and show ip add commands.

sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 50.220.188.2 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 50.220.188.2, outside
S 10.0.0.0 255.0.0.0 [1/0] via 10.0.76.1, inside
C 10.0.76.0 255.255.255.0 is directly connected, inside
L 10.0.76.2 255.255.255.255 is directly connected, inside
S 10.106.1.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.50.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.51.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.92.0 255.255.255.0 [1/0] via 10.0.76.5, inside
S 10.106.148.0 255.255.254.0 [1/0] via 10.0.76.5, inside
S 10.110.0.0 255.255.255.0 [1/0] via 10.106.51.1, outside
C 50.220.188.0 255.255.255.252 is directly connected, outside
L 50.220.188.1 255.255.255.255 is directly connected, outside

sh ip address

AQUA-ASA# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 50.220.188.1 255.255.255.252 CONFIG
GigabitEthernet1/2 inside 10.0.76.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 50.220.188.1 255.255.255.252 CONFIG
GigabitEthernet1/2 inside 10.0.76.2 255.255.255.0 CONFIG
AQUA-ASA#

Is it possible to remove this access group from this VLAN interface for a moment and test?

interface Vlan76
ip address 10.0.76.5 255.255.255.0
ip access-group 176 in