conflicting information - dhcpd auto_config outside
My minor project to check and fix configuration problems or inconsistencies has grown to major proportions. I've gotten past the transform-set questions and a few other odds and ends through comparing our ASA5505 configurations with each other and researching what wasn't consistent, or that didn't make sense. Most of the time the answer is there, and multiple resources "agree" on it. But one has me perplexed, as I am still unable to find an authoritative source that says once and for all: use it under these conditions, otherwise do NOT use it. That line is this:

dhcpd auto_config outside

I started to believe that if your outside interface was configured via DHCP - say your ISP didn't furnish a static address but you got a reserved address or even a dynamic address via DHCP - you didn't get to set a route outside, but passed that info to the inside via the command dhcpd auto_config outside. One person hinted in his response to another person 2 or 3 years ago in another forum: "check your ASA's outside interface and if you receive the outside address via DHCP then the ASA is using that line to pass the routing information along that it received through the DHCP assignment". Well, that made sense to me, as if it's a static address and you know the ISP's gateway, you can set up the info via route outside 0.0.0.0 etc - what I call the zero-zero route - if all else fails, go here. He stopped short of telling the fellow "if your ASA has a static address assigned to the outside interface it's not using the dhcpd auto_config outside".

I have just looked at some 3rd party "how to" pages, including a tutorial from a school - and ALL of their ASA configurations, every one of them, DHCP assigned OUTSIDE address or STATIC OUTSIDE addresses where they used the 0-0 route outside, used that same command.
So, my question is this:

* If you have a STATIC address assigned through your ISP to your outside interface, and you have a route outside 0-0 with the ISP gateway address, do you need the line/command dhcpd auto_config outside?
* If your outside interface receives the IP address from the ISP via DHCP, be it reserved or true DHCP where it also receives the gateway, etc. through that DHCP server of your ISP - may I assume that you DO need that dhcpd auto_config outside command - correct?
I'm finding a lot of inconsistencies in our ASA configurations - and I have 20 to go to check out! Some are just plain missing configuration parts, others have a lot of extra stuff left from years ago - or from OS updates/upgrades - and some so far make little sense. One example was some of our ASAs have the lines

dns domain-lookup inside
dns server-group DefaultDNS

but no name server addresses or anything else. Another has the dns server-group DefaultDNS but no domain-lookup line at all, and seems to be missing some other things. Granted, that's unlikely to impact our inside users - but it's messy at the very least, and means each one is different.
I'm looking for an answer on the dhcpd auto config thing too. The only thing I can really add here is if you do have a dynamic IP from the ISP it will get a default route if you use the command "ip address dhcp setroute" in interface vlan config.
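An added example, not part of either post above: a small Python audit that flags, for review across many saved configs, the combinations this thread describes (dhcpd auto_config outside alongside a static outside address, an outside interface with neither setroute nor a zero-zero route, and the DNS lines without name servers). The function name, flag names and sample config are constructed for illustration; only the handful of ASA lines quoted in the thread are parsed, and a flag means "look at this", not "this is wrong".

```python
def audit_asa_config(text):
    """Return review flags for one ASA running-config (small syntax subset)."""
    nameif = outside = None   # outside becomes "dhcp" or "static"
    setroute = default_route = auto_config = lookup = False
    dns_group = in_group = False
    name_servers = 0
    for raw in text.splitlines():
        s, words = raw.strip(), raw.split()
        if raw[:1] != " ":    # a top-level line closes any interface/dns sub-mode
            nameif, in_group = None, s.startswith("dns server-group ")
            dns_group = dns_group or in_group
        if s.startswith("nameif "):
            nameif = words[1]
        elif s.startswith("ip address ") and nameif == "outside":
            outside = "dhcp" if words[2] == "dhcp" else "static"
            setroute = "setroute" in words
        elif s.startswith("route outside 0.0.0.0 0.0.0.0 "):
            default_route = True
        elif s == "dhcpd auto_config outside":
            auto_config = True
        elif s.startswith("dns domain-lookup "):
            lookup = True
        elif in_group and s.startswith("name-server "):
            name_servers += 1
    checks = [
        ("auto_config-with-static-outside", auto_config and outside == "static"),
        ("outside-without-default-route",
         outside is not None and not (default_route or setroute)),
        ("domain-lookup-without-name-server", lookup and name_servers == 0),
        ("dns-group-without-domain-lookup", dns_group and not lookup),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample: static outside address plus the lines the thread asks about.
SAMPLE = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
dns domain-lookup inside
dns server-group DefaultDNS
dhcpd auto_config outside
"""

if __name__ == "__main__":
    print(audit_asa_config(SAMPLE))
```

Running it over each saved configuration and comparing the flag lists shows at a glance which units differ from the rest.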