Cisco ASA 5520 and Static IP (887VA?)

Question

MartyW    0

I have an ASA 5520 setup at home, it is straight onto the internet via PPPoE and it's set up with multiple VLANs and is linked straight to my Juniper switch with sub interfaces.

 

The ASA also has DHCP scopes set up for each VLAN.  This is all working perfectly.  The only issue is that I need to create some static IPs which I know the ASA can't do.

 

My idea is to somehow use my old 887VA router just as a DHCP server but I am unsure how to link this in with my current setup. I have set the DHCP scopes up on the 887VA, just unsure how to link it in to the ASA.

 

ASA Config

Martys-ASA# show run
: Saved
:
: Serial Number: JMX1607X0VU
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)7
!
hostname Martys-ASA
domain-name martynet
enable password fGOy1DeWiPMCxQS7 encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif MartyNet
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif KidsNet
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif IoT
 security-level 80
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/0.40
 vlan 40
 nameif GuestNet
 security-level 80
 ip address 10.10.40.1 255.255.255.0
!
interface GigabitEthernet0/0.90
 vlan 90
 nameif WiFi
 security-level 100
 ip address 10.10.90.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address pppoe setroute
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name martynet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Emotech
 host 82.32.27.76
object network Olly
 host 10.10.10.128
object service Olly-SSH
 service tcp source eq ssh
access-list OUTSIDE_access_in extended permit tcp object Emotech object Olly eq ssh
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
logging mail errors
mtu MartyNet 1500
mtu KidsNet 1500
mtu IoT 1500
mtu GuestNet 1500
mtu WiFi 1500
mtu Network-Managment 1500
mtu OUTSIDE 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MartyNet,OUTSIDE) source static Olly interface service any Olly-SSH
nat (MartyNet,OUTSIDE) source dynamic any interface
nat (KidsNet,OUTSIDE) source dynamic any interface
nat (IoT,OUTSIDE) source dynamic any interface
nat (GuestNet,OUTSIDE) source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
!
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 10.10.20.0 255.255.255.0 area 0
 network 10.10.30.0 255.255.255.0 area 0
 network 10.10.40.0 255.255.255.0 area 0
 network 10.10.90.0 255.255.255.0 area 0
 network 10.10.100.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.100.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 MartyNet
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.100.0 255.255.255.0 Network-Managment
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PLUSNET request dialout pppoe
vpdn group PLUSNET localname martyw@plusdsl.net
vpdn group PLUSNET ppp authentication chap
vpdn username martyw@plusdsl.net password ***** store-local
dhcpd dns 212.159.13.49 212.159.13.50
dhcpd lease 7200
!
dhcpd address 10.10.10.100-10.10.10.254 MartyNet
dhcpd dns 212.159.13.49 212.159.13.50 interface MartyNet
dhcpd lease 7200 interface MartyNet
dhcpd domain MartyNet interface MartyNet
dhcpd enable MartyNet
!
dhcpd address 10.10.20.100-10.10.20.254 KidsNet
dhcpd dns 212.159.13.49 212.159.13.50 interface KidsNet
dhcpd lease 7200 interface KidsNet
dhcpd domain KidsNet interface KidsNet
dhcpd enable KidsNet
!
dhcpd address 10.10.30.100-10.10.30.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface IoT
dhcpd lease 7200 interface IoT
dhcpd domain IoT interface IoT
dhcpd enable IoT
!
dhcpd address 10.10.40.100-10.10.40.254 GuestNet
dhcpd dns 212.159.13.49 212.159.13.50 interface GuestNet
dhcpd lease 7200 interface GuestNet
dhcpd domain GuestNet interface GuestNet
dhcpd enable GuestNet
!
dhcpd address 10.10.90.100-10.10.90.254 WiFi
dhcpd dns 212.159.13.49 212.159.13.50 interface WiFi
dhcpd lease 7200 interface WiFi
dhcpd domain WiFi interface WiFi
dhcpd enable WiFi
!
dhcpd address 10.10.100.100-10.10.100.254 Network-Managment
dhcpd dns 212.159.13.49 212.159.13.50 interface Network-Managment
dhcpd lease 7200 interface Network-Managment
dhcpd domain Network-Managment interface Network-Managment
dhcpd enable Network-Managment
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 127.127.1.1 prefer
username marty password mycDIbWM1shfIpnO encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:711f6064c8e24acb45c0ba7a67d55415
: end

887VA Config

version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MartyNet
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M4.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication login CON local line
aaa authentication login VTY local line
aaa authorization exec default local if-authenticated
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2188670562
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2188670562
 revocation-check none
 rsakeypair TP-self-signed-2188670562
!
!
crypto pki certificate chain TP-self-signed-2188670562
!
!
!
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.20
ip dhcp excluded-address 10.10.30.1 10.10.30.20
ip dhcp excluded-address 10.10.40.1 10.10.40.20
ip dhcp excluded-address 10.10.90.1 10.10.90.20
ip dhcp excluded-address 10.10.100.1 10.10.100.20
!
ip dhcp pool MartyNet
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.10.1
 lease 3
!
ip dhcp pool KidsNet
 import all
 network 10.10.20.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.20.1
 lease 3
!
ip dhcp pool IoT
 import all
 network 10.10.30.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.30.1
 lease 3
!
ip dhcp pool GuestNet
 import all
 network 10.10.40.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.40.1
 lease 3
!
ip dhcp pool WiFi
 import all
 network 10.10.90.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.90.1
 lease 3
!
ip dhcp pool Managment
 import all
 network 10.10.100.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.100.1
 lease 3
!
!
!
no ip bootp server
no ip domain lookup
ip domain name martynet.co.uk
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO887VA-SEC-K9 sn FCZ1601C3W9
!
!
username marty privilege 15 secret 5 $1$QDkM$TDkRQFbzAIY2XZ6gNKtUq.
username helen privilege 15 secret 5 $1$..DI$Oh.Lg4sbKyof.nlMjL0DP/
!
!
!
!
!
controller VDSL 0
 operating mode vdsl2
!
!
!
!
!
!
!
!
!
!
bba-group pppoe global
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F08:1244::2/64
 ipv6 enable
 tunnel source 84.92.109.26
 tunnel mode ipv6ip
 tunnel destination 216.66.80.26
!
interface Ethernet0
 ip address 10.10.0.1 255.255.255.252
 ip virtual-reassembly in
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MartyNet
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:10::1/64
!
interface Vlan20
 description KidsNet
 ip address 10.10.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:20::1/64
!
interface Vlan30
 description IoT
 ip address 10.10.30.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 rate-limit output 5000000 78125 78125 conform-action transmit exceed-action drop
 ipv6 address 2001:470:6E39:30::1/64
!
interface Vlan40
 description GuestNet
 ip address 10.10.40.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 rate-limit output 5000000 78125 78125 conform-action transmit exceed-action drop
 ipv6 address 2001:470:6E39:40::1/64
!
interface Vlan90
 description WiFi
 ip address 10.10.90.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:90::1/64
!
interface Vlan100
 description Management
 ip address 10.10.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:100::1/64
!
interface Dialer0
 description PlusNet
 mtu 1492
 ip address negotiated
 ip access-group filter_incoming in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ppp authentication chap pap callin
 ppp chap hostname martyw@plusdsl.net
 ppp chap password 0 D0n0st1a
 ppp pap sent-username martyw@plusdsl.net password 0 D0n0st1a
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
no ip classless
no ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.10 10110 84.92.109.26 10110 extendable
ip nat inside source static tcp 10.10.10.50 10510 84.92.109.26 10510 extendable
ip ssh version 2
!
ip access-list standard ACCESS
 permit 138.253.20.0 0.0.0.255
 permit 10.10.10.0 0.0.0.255
 permit 10.10.50.0 0.0.0.255
 permit 10.10.100.0 0.0.0.255
 deny   any
!
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.50.0 0.0.0.255
access-list 10 permit 10.10.90.0 0.0.0.255
access-list 10 deny   any
access-list 101 deny   ip 10.10.90.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.90.0 0.0.0.255 any
!
!
!
control-plane
!
!
banner login ^CCCC
THIS IS A PRIVATE SYSTEM. UNAUTHORISED ACCESS IS NOT
PERMITTED AND OFFENDERS ARE LIABLE TO PROSECUTION.

YOUR IP HAS BEEN LOGGED AND AN ALERT GENERATED
^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 no modem enable
line aux 0
line vty 0 4
 access-class ACCESS in
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
ntp server 62.253.202.249
ntp server 92.27.75.51
ntp server 85.199.214.99

 

 

Any help is appreciated

 

 


20 answers to this question

+BudMan    3,306

You need to setup IP helpers to relay the dhcp info from each vlan to your dhcp server.

here this should help

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html

ASA DHCP Relay Configuration Example

MartyW    0

Thanks for the reply, this is along the lines I was thinking, but that example is using a layer 3 link between the ASA and the 887VA, but the 887VA can't have a layer 3 port, just layer two. Any different ideas?

+BudMan    3,306

Huh?

 

Your dhcpd has an IP right... Your different vlans clearly have SVI's on them... How do you think you're going to run a dhcpd without an IP?  So that IP (layer3) is going to sit in one of your layer2 vlans.

MartyW    0

OK I get that point but how do I set up the link between the 887 and the ASA? The ASA will only allow an IP or sub interfaces (I can't use the subinterfaces as they are already used going to the switch) and the 887 will only allow 1 vlan as access port or a trunked port

+BudMan    3,306

HUH??

 

If its on vlan 100.. Then its connected to vlan 100..

 

Draw up how you have this all connected... You have a vlan switch right??? Your dhcp that understands multiple scopes would only need to be in 1 network.. Ie vlan 100... When the ASA relays the dhcp discover it will include the vlan it is coming from say vlan 90...

 

Just google how dhcp relay works... There is as much info on this for how far down the rabbit hole you need to go..

 

MartyW    0
On 12/11/2018 at 4:27 PM, BudMan said:

HUH??

 

If its on vlan 100.. Then its connected to vlan 100..

 

Draw up how you have this all connected... You have a vlan switch right??? Your dhcp that understands multiple scopes would only need to be in 1 network.. Ie vlan 100... When the ASA relays the dhcp discover it will include the vlan it is coming from say vlan 90...

 

Just google how dhcp relay works... There is as much info on this for how far down the rabbit hole you need to go..

 

 

Yeah wasn't sure on how DHCP relay works, I know about using ip helper addresses on SVI's but that's about it. I am getting what you have said here though and have gone off this to try to configure this.  I have configured the 887 as a DHCP server with the scopes for all vlans, I have given it vlan 100 with an IP and set the port to access on vlan 100 along with the switchport too.

 

I can ping the 887 from the ASA and I disabled the DHCP scopes on the ASA and set the 887 IP up in the relay section of the ASDM and ticked the boxes to relay the requests but it still did not work.  I have attached the configs and a Visio diagram of how it's connected up. Hope you can help me here.

 

887

Current configuration : 4021 bytes
!
! No configuration change since last restart
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MartyNet
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M4.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication login CON local line
aaa authentication login VTY local line
aaa authorization exec default local if-authenticated
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2188670562
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2188670562
 revocation-check none
 rsakeypair TP-self-signed-2188670562
!
!
crypto pki certificate chain TP-self-signed-2188670562
!
!
!
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.20
ip dhcp excluded-address 10.10.30.1 10.10.30.20
ip dhcp excluded-address 10.10.40.1 10.10.40.20
ip dhcp excluded-address 10.10.90.1 10.10.90.20
ip dhcp excluded-address 10.10.100.1 10.10.100.20
!
ip dhcp pool MartyNet
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.10.1
 lease 3
!
ip dhcp pool KidsNet
 import all
 network 10.10.20.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.20.1
 lease 3
!
ip dhcp pool IoT
 import all
 network 10.10.30.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.30.1
 lease 3
!
ip dhcp pool GuestNet
 import all
 network 10.10.40.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.40.1
 lease 3
!
ip dhcp pool WiFi
 import all
 network 10.10.90.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.90.1
 lease 3
!
ip dhcp pool Managment
 import all
 network 10.10.100.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.100.1
 lease 3
!
!
!
no ip bootp server
no ip domain lookup
ip domain name martynet.co.uk
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO887VA-SEC-K9 sn FCZ1601C3W9
!
!
username marty privilege 15 secret 5 $1$QDkM$TDkRQFbzAIY2XZ6gNKtUq.
username helen privilege 15 secret 5 $1$..DI$Oh.Lg4sbKyof.nlMjL0DP/
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
bba-group pppoe global
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description Management
 ip address 10.10.100.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
no ip classless
no ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip ssh version 2
!
ip access-list standard ACCESS
 permit 10.10.10.0 0.0.0.255
 permit 10.10.90.0 0.0.0.255
 permit 10.10.100.0 0.0.0.255
 deny   any
!
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.90.0 0.0.0.255
access-list 10 permit 10.10.100.0 0.0.0.255
access-list 10 deny   any
!
!
!
control-plane
!
!
banner login ^CCCCC
THIS IS A PRIVATE SYSTEM. UNAUTHORISED ACCESS IS NOT
PERMITTED AND OFFENDERS ARE LIABLE TO PROSECUTION.

YOUR IP HAS BEEN LOGGED AND AN ALERT GENERATED
^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 no modem enable
line aux 0
line vty 0 4
 access-class ACCESS in
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
ntp server 62.253.202.249
ntp server 92.27.75.51
ntp server 85.199.214.99
!
end

ASA

Martys-ASA# show run
: Saved
:
: Serial Number: JMX1607X0VU
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)7
!
hostname Martys-ASA
domain-name martynet
enable password fGOy1DeWiPMCxQS7 encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif MartyNet
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif KidsNet
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif IoT
 security-level 80
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/0.40
 vlan 40
 nameif GuestNet
 security-level 80
 ip address 10.10.40.1 255.255.255.0
!
interface GigabitEthernet0/0.90
 vlan 90
 nameif WiFi
 security-level 100
 ip address 10.10.90.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address pppoe setroute
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name martynet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Emotech
 host 82.32.27.76
object network Olly
 host 10.10.10.128
object service Olly-SSH
 service tcp source eq ssh
access-list OUTSIDE_access_in extended permit tcp object Emotech object Olly eq ssh
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
logging mail errors
mtu MartyNet 1500
mtu KidsNet 1500
mtu IoT 1500
mtu GuestNet 1500
mtu WiFi 1500
mtu Network-Managment 1500
mtu OUTSIDE 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MartyNet,OUTSIDE) source static Olly interface service any Olly-SSH
nat (MartyNet,OUTSIDE) source dynamic any interface
nat (KidsNet,OUTSIDE) source dynamic any interface
nat (IoT,OUTSIDE) source dynamic any interface
nat (GuestNet,OUTSIDE) source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
!
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 10.10.20.0 255.255.255.0 area 0
 network 10.10.30.0 255.255.255.0 area 0
 network 10.10.40.0 255.255.255.0 area 0
 network 10.10.90.0 255.255.255.0 area 0
 network 10.10.100.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.100.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 MartyNet
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.100.0 255.255.255.0 Network-Managment
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PLUSNET request dialout pppoe
vpdn group PLUSNET localname martyw@plusdsl.net
vpdn group PLUSNET ppp authentication chap
vpdn username martyw@plusdsl.net password ***** store-local
dhcpd dns 212.159.13.49 212.159.13.50
dhcpd lease 7200
!
dhcpd address 10.10.10.100-10.10.10.254 MartyNet
dhcpd dns 212.159.13.49 212.159.13.50 interface MartyNet
dhcpd lease 7200 interface MartyNet
dhcpd domain MartyNet interface MartyNet
dhcpd enable MartyNet
!
dhcpd address 10.10.20.100-10.10.20.254 KidsNet
dhcpd dns 212.159.13.49 212.159.13.50 interface KidsNet
dhcpd lease 7200 interface KidsNet
dhcpd domain KidsNet interface KidsNet
dhcpd enable KidsNet
!
dhcpd address 10.10.30.100-10.10.30.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface IoT
dhcpd lease 7200 interface IoT
dhcpd domain IoT interface IoT
dhcpd enable IoT
!
dhcpd address 10.10.40.100-10.10.40.254 GuestNet
dhcpd dns 212.159.13.49 212.159.13.50 interface GuestNet
dhcpd lease 7200 interface GuestNet
dhcpd domain GuestNet interface GuestNet
dhcpd enable GuestNet
!
dhcpd address 10.10.90.100-10.10.90.254 WiFi
dhcpd dns 212.159.13.49 212.159.13.50 interface WiFi
dhcpd lease 7200 interface WiFi
dhcpd domain WiFi interface WiFi
dhcpd enable WiFi
!
dhcpd address 10.10.100.100-10.10.100.254 Network-Managment
dhcpd dns 212.159.13.49 212.159.13.50 interface Network-Managment
dhcpd lease 7200 interface Network-Managment
dhcpd domain Network-Managment interface Network-Managment
dhcpd enable Network-Managment
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 127.127.1.1 prefer
username marty password mycDIbWM1shfIpnO encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:711f6064c8e24acb45c0ba7a67d55415
: end

 

 

 

Home Network.jpg

+BudMan    3,306

Great so you get it... Have fun..

MartyW    0
6 hours ago, BudMan said:

Great so you get it... Have fun..

Huh!

 

I said the ASA still does not forward the requests to the DHCP, could you help me with this please

+BudMan    3,306

Where is your helper entry?  Never going to work without that..

 

I see no dhcprelay entries - so how do you think it would work?

 

The article I linked to has everything you need!

sc302    1,644

Does it need a helper entry being that the asa is the dhcp server and it can see all networks?  I don't think it will hurt, I don't think it is needed.  When configuring local dhcp on a baby asa 5505 or pix 501, I don't remember needing it (it has been a long while).

I think there is other information missing from the dhcp scopes.  

 

default router is missing in all scopes...going to need that if you want the vlans to communicate outside of themselves, like to the internet or to other vlans.

 

 

 

The asa can't create static IPs?  you mean create reservations? The asa really isn't a good dhcp server.  It does a job, but not a great job.  I would have your dhcp done elsewhere and point your helpers there...dhcp may be better on the switch, or even better on a *nix server, or a windows server.

 

 

+BudMan    3,306

He wants a dhcp server to do all the dhcp for his vlans because the ASA can not do reservations... So if he sets up a dhcp server somewhere on the network with all the scopes... Then his ASA needs to do dhcp relay to get the dhcp discover to the dhcpd..

 

His ASA needs to setup dhcprelay...

 

I sent him a link on EXACTLY how to do what he asked... To be honest, confused why this thread is more than his post and my response long ;)

 

Ok - should have been the 3 posts.. His ?, My Answer and then his Thanks! ;)

 

@sc302 hey mod can you edit his posts to put his configs inside a text box or something so they are not so freaking long for the whole thread.

sc302    1,644

put it into spoiler tags, you can view as needed.  

 

On the ASA, I would suggest taking out code that isn't needed.   The dhcpd needs to be modified if utilizing in the asa or taken out if not.  If utilizing a dhcp server that isn't the ASA, you need to utilize dhcp helper.

MartyW    0
3 hours ago, BudMan said:

He wants a dhcp server to do all the dhcp for his vlans because the ASA can not do reservations... So if he sets up a dhcp server somewhere on the network with all the scopes... Then his ASA needs to do dhcp relay to get the dhcp discover to the dhcpd..

 

His ASA needs to setup dhcprelay...

 

I sent him a link on EXACTLY how to do what he asked... To be honest, confused why this thread is more than his post and my response long ;)

 

Ok - should have been the 3 posts.. His ?, My Answer and then his Thanks! ;)

 

@sc302 hey mod can you edit his posts to put his configs inside a text box or something so they are not so freaking long for the whole thread.

Don't appreciate your arrogance at all, I am trying to get some decent help here, not be treated like dirt on the bottom of your shoe

 

I can't get in to the CLI because my console port has stopped giving any output for some reason, the telnet/ssh does not let me login, says I have the wrong password, so I am left with just trying to get the relay working via the ASDM which I have tried but this did not work, which I did say in a previous post

Mindovermaster    1,644
6 minutes ago, MartyW said:

Don't appreciate your arrogance at all, I am trying to get some decent help here, not be treated like dirt on the bottom of your shoe

 

I can't get in to the CLI because my console port has stopped giving any output for some reason, the telnet/ssh does not let me login, says I have the wrong password, so I am left with just trying to get the relay working via the ASDM which I have tried but this did not work, which I did say in a previous post

Don't take it that way. BudMan is helping you. You aren't listening. I had to learn this myself. Once you start talking his language, it clicks.

+BudMan    3,306

Bottom of my shoe?  What -- dude get over yourself please...

 

What part are you not understanding about the doc linked to?  And we can help... But all the info you need to setup a relay has been given.

 

If you can not get to console - I would worry about that before working on changing your dhcp config.

MartyW    0
On 12/14/2018 at 9:55 AM, BudMan said:

Bottom of my shoe?  What -- dude get over yourself please...

 

What part are you not understanding about the doc linked to?  And we can help... But all the info you need to setup a relay has been given.

 

If you can not get to console - I would worry about that before working on changing your dhcp config.

Fair enough, so any ideas why my console would just stop working? I can get on to other equipment no problem, it's just the ASA that won't let me on. I could try to factory wipe it but then I am worried that if I still can't get on to it I won't be able to set it up again

sc302    1,644

Could be that it doesn’t have a domain name. Could be that you deleted your ssh keys.  Could be that you are on an unsupported version of ssh where your client won’t connect.  Could be that you are using the wrong settings if you are using a console cable.  

 

Or it could be that you don’t have vty 5 15 defined so you can edit via ssh. 

+BudMan    3,306

Did the console ever work? 

 

Why do you have

no modem enable on your con 0?

 

I would wipe the thing and start with clean config.

 

sc302    1,644

I agree with wiping it and starting fresh.  

c.grz    377

dhcprelay enable %Interface_Name%

dhcprelay server %DHCPServer_IP% %Interface_Name%

 

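Putting those two commands together with the rest of the thread, here is a complete worked configuration for both boxes. This is an added example, not something posted by c.grz, BudMan or MartyW. It assumes the 887VA keeps 10.10.100.2 on VLAN 100 as in the second config above, that the ASA's own dhcpd is turned off on every interface that gets relayed, and that the 887's only path back to the other VLANs is through the ASA.

```cisco
! ===== ASA 5520 (ASA 9.1) side: relay, not serve =====
! The ASA will not run its own DHCP server and a relay on the same interface,
! so the dhcpd scopes come off first (the "dhcpd address" lines can stay or go).
no dhcpd enable MartyNet
no dhcpd enable KidsNet
no dhcpd enable IoT
no dhcpd enable GuestNet
no dhcpd enable WiFi
no dhcpd enable Network-Managment
!
! Where the DHCP server lives and which ASA interface it is reached through
! (assumed: the 887VA at 10.10.100.2 on the Network-Managment sub-interface).
dhcprelay server 10.10.100.2 Network-Managment
!
! Client-facing interfaces whose DHCP broadcasts the ASA should forward.
! Network-Managment is deliberately not listed: the 887 sits in that same
! broadcast domain and answers VLAN 100 clients directly, no relay needed.
dhcprelay enable MartyNet
dhcprelay enable KidsNet
dhcprelay enable IoT
dhcprelay enable GuestNet
dhcprelay enable WiFi
!
! ===== 887VA (IOS 15.4) side: be able to answer =====
! A relayed DISCOVER arrives with giaddr set to the ASA address on the client
! VLAN (10.10.10.1, 10.10.20.1, ...). IOS picks the pool whose network contains
! giaddr and unicasts the OFFER back to giaddr. In the second 887 config above
! the only interface is Vlan100 and "no ip classless" is set, so there is no
! route to 10.10.10.0/24 etc. and the OFFER is dropped on the 887 itself.
ip classless
ip route 10.10.0.0 255.255.0.0 10.10.100.1
```

To confirm it is working, "show dhcprelay statistics" on the ASA should count discovers and offers once a client on one of the relayed VLANs renews, and on the 887 "show ip dhcp binding" shows the lease while "debug ip dhcp server packet" prints the giaddr on each incoming request, which is the quickest way to see whether the right pool is being matched.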
