DHCP Not Working Issue - Cisco ASA 5520

kristian_d
Level 1

Hi Guys,

     I have a bit of an odd problem and a rather complex, odd network; however, I'm going to make it as simple as possible just in case this is an easy fix.

I have two IP Ranges in our network

192.168.0.0 for servers (statically assigned)

10.0.0.0 for client PCs (statically assigned)

I have set up a DHCP server with a small test range of free 10.0.0.0 addresses (about 8 in total) on our domain controller, which is on IP 10.0.0.4. I plug a thin client into the network and it happily gets a DHCP address from the pool, and everyone is happy.

However, I have now removed that small test range from the DHCP server and replaced it with a 172.20.10.0/24 range, but now the thin client is no longer able to get an IP address.

Am I correct in thinking that because the firewall is only interested in traffic from the 10 and 192 address ranges (these are the only ones configured on its interfaces), it is doing something to stop the thin client from getting an address, or blocking/dropping the traffic?

I'm really not that clued up on the Cisco equipment or how it works. I have been promised training in the next few weeks/months but nothing has materialised yet, so I'm hoping that until then someone here can help me out.

P.S. Please do not request a copy of the firewall's config, as for security reasons I am not able to provide it.

Kris

4 Replies

sleepyshark
Level 1

How are you separating your subnets?  If your server is on the 10.x.x.x network and you're trying to assign a 172.x.x.x network, you'll need to be able to route between them.  If your server does not have a secondary IP address on the 172.x.x.x network *OR* you do not have a route statement in the ASA to get to the 172.x.x.x network, you're not going to be able to accomplish what you're looking for.

A good tip here:  I understand what you're wanting to do; what I'd suggest is to create VLANs for the 192.168.x.x, 172.x.x.x and 10.x.x.x networks in your ASA, assign each piece of network equipment (servers vs. workstations) to its associated VLAN, then add an ip-helper address to the VLAN config, which will relay DHCP requests to the server on the 10.x.x.x network...  This setup will give you the greatest flexibility to limit/firewall traffic between subnets/VLANs.

Thanks,

Sean Brown

http://www.sleepyshark.com

(please rate this post if useful)
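To make the relay point concrete, here is a small model of how a DHCP server chooses a scope (RFC 2131 section 4.3.1): if the request carries a non-zero giaddr (filled in by a relay agent such as an ip-helper), the server picks the scope containing giaddr; otherwise it picks the scope containing the address of the interface the broadcast arrived on. This is an added example, not code from the thread or from any Cisco or Microsoft product. The MAC address, the /24 masks, the relay address 172.20.10.254 and the BOOTP/DHCP packet are constructed for the demonstration; the "receiving interface" address is the NIC's primary address, which is what Windows DHCP Server keys on, so a secondary address on the same NIC is modelled only as an optional case.

```python
"""Model of DHCP scope selection per RFC 2131 s4.3.1 (added example)."""
import ipaddress
import struct

# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 44 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(mac: bytes, xid: int = 0x1234, giaddr: str = "0.0.0.0") -> bytes:
    """Construct a DHCPDISCOVER (BOOTREQUEST, option 53 = 1). Sample packet, not a capture."""
    header = struct.pack(
        BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,  # op=1, Ethernet, hlen=6, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,         # ciaddr, yiaddr, siaddr all zero
        ipaddress.IPv4Address(giaddr).packed,    # giaddr: zero unless a relay filled it in
        mac.ljust(16, b"\0"),
    )
    sname_and_file = b"\0" * (64 + 128)
    options = DHCP_MAGIC + bytes([53, 1, 1, 255])  # option 53 DHCPDISCOVER, then end
    return header + sname_and_file + options


def parse_giaddr(pkt: bytes) -> str:
    """Return the relay agent address (giaddr) from a BOOTREQUEST as dotted quad."""
    fields = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    if fields[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    return str(ipaddress.IPv4Address(fields[10]))


def select_scope(pkt: bytes, recv_iface_ip: str, scopes):
    """Scope the server may offer from, or None if no scope matches.

    RFC 2131: use giaddr when non-zero, else the subnet of the receiving interface.
    """
    giaddr = ipaddress.IPv4Address(parse_giaddr(pkt))
    key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(recv_iface_ip)
    for net in scopes:
        if key in net:
            return net
    return None


def demo():
    """Replay the three situations in the thread with constructed packets."""
    thin_client = bytes.fromhex("00aabbccddee")  # constructed MAC
    test_scope = [ipaddress.IPv4Network("10.0.0.0/24")]       # the 8-address test range
    final_scope = [ipaddress.IPv4Network("172.20.10.0/24")]   # the replacement range
    direct = build_discover(thin_client)                       # broadcast on the flat L2 segment
    relayed = build_discover(thin_client, giaddr="172.20.10.254")  # via an assumed relay
    return {
        # Works: the broadcast arrives on 10.0.0.4 and a 10.0.0.0/24 scope exists.
        "test_scope_direct": select_scope(direct, "10.0.0.4", test_scope),
        # Fails: same broadcast, but the only scope is 172.20.10.0/24 and giaddr is zero.
        "final_scope_direct": select_scope(direct, "10.0.0.4", final_scope),
        # Works: a relay sets giaddr, so the 172.20.10.0/24 scope is selected.
        "final_scope_relayed": select_scope(relayed, "10.0.0.4", final_scope),
        # Would only work if the server keyed on the secondary NIC address, which
        # Windows DHCP Server does not; shown for comparison.
        "final_scope_secondary": select_scope(direct, "172.20.10.1", final_scope),
    }


if __name__ == "__main__":
    for case, scope in demo().items():
        print(f"{case}: {scope}")
```

The second case is the thread's failure: the discover is a layer 2 broadcast, the server sees it on its 10.0.0.4 interface, there is no 10.x scope any more and giaddr is zero, so nothing is offered. The third case is what an ip-helper / DHCP relay provides, and it is why the relay has to sit on an interface that actually has a 172.20.10.x address.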

Hi Sean,

     For want of a better description, all the clients on the 10.x.x.x network and servers on the 192.x.x.x network are plugged into one 3Com switch (it's only a layer 2 switch, if that helps). The firewall's 10.x.x.x and 192.x.x.x interfaces are also plugged into the same switch.

The 10.x.x.x systems are given a gateway of 10.0.0.60, which is the IP of the firewall on the 10 interface, and the servers are given a gateway of 192.168.0.1, which again is the IP of the firewall's 192 interface.

I have just recently added a second IP address to the domain controller that is also acting as the DHCP server, so it has two addresses, 10.0.0.4 and 172.20.10.1 (I was not aware that a DHCP server would not give out addresses on an interface that did not have an IP in the DHCP range).

However, this has made no difference to the thin client getting an IP address.

I appreciate the suggestion on how we should go about getting this done on the ASA, but sadly we have a very "interesting" network setup and the ASA has been configured to match the config of the previous firewall we had. Making the changes you suggested would no doubt generate a lot of problems for our legacy systems; however, I do appreciate the suggestion and will mention it to our IT manager to see what can be done to implement it.

Are you using a secondary (logical) IP address on ONE NIC card, or assigning a new IP address to a secondary NIC?

Also, in DHCP you'll need to bind DHCP (assuming it's MSFT DHCP) to the 172.x.x.x NIC and not the 10.x.x.x NIC.

(Scratching my head)... So what you're saying is you have a large layer-2 network and you have multiple subnets not logically/physically separated? I'm going to assume that all of the 10.x.x.x machines are statically assigned? If not, you cannot have two DHCP servers on one L2 network handing out IPs from different subnets (well, technically you CAN, but you wouldn't want to)....

This is also going to get into a LOT of firewall problems with traffic being tagged as "spoofing", because the LAN interface is expecting traffic from only one subnet.... A secondary subnet should be on a different physical/logical interface....

I'd definitely schedule a time with the IT Manager to discuss the network mess....
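The "spoofing" warning above is the ASA's reverse-path check (enabled per interface with `ip verify reverse-path interface <name>`): a packet is accepted on an interface only if the route back to its source address points out that same interface. The following is an added example, not from the thread and not Cisco code, that models that check with a longest-prefix-match route table. The interface addresses come from the thread; the interface names (inside, servers, outside), the /24 masks and the extra 172.20.10.0/24 route are assumptions made only to show the before/after behaviour of the check, not a recommended fix (the VLAN plus relay design suggested earlier is the clean one).

```python
"""Model of an ASA-style reverse-path (anti-spoofing) check (added example)."""
import ipaddress
from typing import List, Optional, Tuple


def build_table(routes: List[Tuple[str, str]]):
    """Route table as (network, egress interface), longest prefix first so the first hit wins."""
    table = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, addr: str) -> Optional[str]:
    """Egress interface for addr by longest-prefix match, or None if no route."""
    address = ipaddress.ip_address(addr)
    for net, iface in table:
        if address in net:
            return iface
    return None


def rpf_check(table, src: str, ingress: str) -> bool:
    """Reverse-path check: pass only if src routes back out the ingress interface."""
    return lookup(table, src) == ingress


# Constructed from the thread: 10.0.0.0/24 behind the inside interface (10.0.0.60),
# 192.168.0.0/24 behind a second interface (192.168.0.1), everything else via outside.
# Interface names and the default route are assumptions.
BEFORE = build_table([
    ("10.0.0.0/24", "inside"),
    ("192.168.0.0/24", "servers"),
    ("0.0.0.0/0", "outside"),
])

# Same table with an assumed static route for the new client subnet via the inside
# interface, as a 'route inside 172.20.10.0 255.255.255.0 <next-hop>' would add.
AFTER = build_table([
    ("10.0.0.0/24", "inside"),
    ("192.168.0.0/24", "servers"),
    ("172.20.10.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
])


def demo():
    """Classify sample packets arriving on the inside interface."""
    return {
        # A statically addressed client: route back points at inside, passes.
        "static_client_before": rpf_check(BEFORE, "10.0.0.20", "inside"),
        # The 172.20.10.x thin client with no route for its subnet: the best match is
        # the default route via outside, so the check fails and the packet is logged as spoofed.
        "new_client_before": rpf_check(BEFORE, "172.20.10.5", "inside"),
        # With a route for 172.20.10.0/24 out inside, the same packet passes.
        "new_client_after": rpf_check(AFTER, "172.20.10.5", "inside"),
        # A 192.168.0.x source arriving on inside still fails: it belongs on 'servers'.
        "spoof_after": rpf_check(AFTER, "192.168.0.10", "inside"),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'pass' if passed else 'DROP (reverse-path failure)'}")
```

Two practical notes. First, even without the reverse-path check enabled, the `BEFORE` table sends replies to 172.20.10.x out the default route, so the thin client would get no return traffic either way. Second, a static route only helps if the next hop is reachable from the inside interface's own subnet; with every host on one flat layer 2 segment there is no such router, which is why the separate VLAN/subinterface with a relay is the real fix.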

There is only one card in the domain controller and that presently has two addresses assigned to it: the 10.0.0.4 address, which has been set up on the TCP/IPv4 properties page, and then in the advanced section of this page I have added the secondary address of 172.20.10.1.

All of the 10.0.0.0 addresses and the 192.168.0.0 addresses are statically assigned. This is my first venture into DHCP and it's not going well.

The original DHCP range I set up was a test of 8 addresses taken from the 10.0.0.0 static addresses, to ensure I had the DHCP server working correctly and that it would give out addresses. However, now that I have removed that range and added in the final range (172.20.10.0) it's no longer working.
