MartyW Posted December 10, 2018

I have an ASA 5520 set up at home. It is straight onto the internet via PPPoE and is set up with multiple VLANs, linked straight to my Juniper switch with sub-interfaces. The ASA also has DHCP scopes set up for each VLAN. This is all working perfectly. The only issue is that I need to create some static IPs, which I know the ASA can't do. My idea is to somehow use my old 887VA router just as a DHCP server, but I am unsure how to link this in with my current setup. I have set the DHCP scopes up on the 887VA; I am just unsure how to link it in to the ASA.

ASA Config

Martys-ASA# show run
: Saved
:
: Serial Number: JMX1607X0VU
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)7
!
hostname Martys-ASA
domain-name martynet
enable password fGOy1DeWiPMCxQS7 encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif MartyNet
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif KidsNet
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif IoT
 security-level 80
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/0.40
 vlan 40
 nameif GuestNet
 security-level 80
 ip address 10.10.40.1 255.255.255.0
!
interface GigabitEthernet0/0.90
 vlan 90
 nameif WiFi
 security-level 100
 ip address 10.10.90.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address pppoe setroute
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name martynet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Emotech
 host 82.32.27.76
object network Olly
 host 10.10.10.128
object service Olly-SSH
 service tcp source eq ssh
access-list OUTSIDE_access_in extended permit tcp object Emotech object Olly eq ssh
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
logging mail errors
mtu MartyNet 1500
mtu KidsNet 1500
mtu IoT 1500
mtu GuestNet 1500
mtu WiFi 1500
mtu Network-Managment 1500
mtu OUTSIDE 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MartyNet,OUTSIDE) source static Olly interface service any Olly-SSH
nat (MartyNet,OUTSIDE) source dynamic any interface
nat (KidsNet,OUTSIDE) source dynamic any interface
nat (IoT,OUTSIDE) source dynamic any interface
nat (GuestNet,OUTSIDE) source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
!
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 10.10.20.0 255.255.255.0 area 0
 network 10.10.30.0 255.255.255.0 area 0
 network 10.10.40.0 255.255.255.0 area 0
 network 10.10.90.0 255.255.255.0 area 0
 network 10.10.100.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.100.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 MartyNet
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.100.0 255.255.255.0 Network-Managment
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PLUSNET request dialout pppoe
vpdn group PLUSNET localname martyw@plusdsl.net
vpdn group PLUSNET ppp authentication chap
vpdn username martyw@plusdsl.net password ***** store-local
dhcpd dns 212.159.13.49 212.159.13.50
dhcpd lease 7200
!
dhcpd address 10.10.10.100-10.10.10.254 MartyNet
dhcpd dns 212.159.13.49 212.159.13.50 interface MartyNet
dhcpd lease 7200 interface MartyNet
dhcpd domain MartyNet interface MartyNet
dhcpd enable MartyNet
!
dhcpd address 10.10.20.100-10.10.20.254 KidsNet
dhcpd dns 212.159.13.49 212.159.13.50 interface KidsNet
dhcpd lease 7200 interface KidsNet
dhcpd domain KidsNet interface KidsNet
dhcpd enable KidsNet
!
dhcpd address 10.10.30.100-10.10.30.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface IoT
dhcpd lease 7200 interface IoT
dhcpd domain IoT interface IoT
dhcpd enable IoT
!
dhcpd address 10.10.40.100-10.10.40.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface IoT
dhcpd lease 7200 interface GuestNet
dhcpd domain GuestNet interface GuestNet
dhcpd enable GuestNet
!
dhcpd address 10.10.90.100-10.10.90.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface WiFi
dhcpd lease 7200 interface WiFi
dhcpd domain WiFi interface WiFi
dhcpd enable WiFi
!
dhcpd address 10.10.100.100-10.10.100.254 Network-Managment
dhcpd dns 212.159.13.49 212.159.13.50 interface Network-Managment
dhcpd lease 7200 interface Network-Managment
dhcpd domain Network-Managment interface Network-Managment
dhcpd enable Network-Managment
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 127.127.1.1 prefer
username marty password mycDIbWM1shfIpnO encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:711f6064c8e24acb45c0ba7a67d55415
: end

887VA Config

version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MartyNet
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M4.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login default line
aaa authentication login CON local line
aaa authentication login VTY local line
aaa authorization exec default local if-authenticated
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2188670562
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2188670562
 revocation-check none
 rsakeypair TP-self-signed-2188670562
!
crypto pki certificate chain TP-self-signed-2188670562
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.20
ip dhcp excluded-address 10.10.30.1 10.10.30.20
ip dhcp excluded-address 10.10.40.1 10.10.40.20
ip dhcp excluded-address 10.10.90.1 10.10.90.20
ip dhcp excluded-address 10.10.100.1 10.10.100.20
!
ip dhcp pool MartyNet
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.10.1
 lease 3
!
ip dhcp pool KidsNet
 import all
 network 10.10.20.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.20.1
 lease 3
!
ip dhcp pool IoT
 import all
 network 10.10.30.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.30.1
 lease 3
!
ip dhcp pool GuestNet
 import all
 network 10.10.40.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.40.1
 lease 3
!
ip dhcp pool WiFi
 import all
 network 10.10.90.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.90.1
 lease 3
!
ip dhcp pool Managment
 import all
 network 10.10.100.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.100.1
 lease 3
!
no ip bootp server
no ip domain lookup
ip domain name martynet.co.uk
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO887VA-SEC-K9 sn FCZ1601C3W9
!
username marty privilege 15 secret 5 $1$QDkM$TDkRQFbzAIY2XZ6gNKtUq.
username helen privilege 15 secret 5 $1$..DI$Oh.Lg4sbKyof.nlMjL0DP/
!
controller VDSL 0
 operating mode vdsl2
!
bba-group pppoe global
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F08:1244::2/64
 ipv6 enable
 tunnel source 84.92.109.26
 tunnel mode ipv6ip
 tunnel destination 216.66.80.26
!
interface Ethernet0
 ip address 10.10.0.1 255.255.255.252
 ip virtual-reassembly in
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MartyNet
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:10::1/64
!
interface Vlan20
 description KidsNet
 ip address 10.10.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:20::1/64
!
interface Vlan30
 description IoT
 ip address 10.10.30.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 rate-limit output 5000000 78125 78125 conform-action transmit exceed-action drop
 ipv6 address 2001:470:6E39:30::1/64
!
interface Vlan40
 description GuestNet
 ip address 10.10.40.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 rate-limit output 5000000 78125 78125 conform-action transmit exceed-action drop
 ipv6 address 2001:470:6E39:40::1/64
!
interface Vlan90
 description WiFi
 ip address 10.10.90.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:90::1/64
!
interface Vlan100
 description Management
 ip address 10.10.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:470:6E39:100::1/64
!
interface Dialer0
 description PlusNet
 mtu 1492
 ip address negotiated
 ip access-group filter_incoming in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ppp authentication chap pap callin
 ppp chap hostname martyw@plusdsl.net
 ppp chap password 0 D0n0st1a
 ppp pap sent-username martyw@plusdsl.net password 0 D0n0st1a
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
no ip classless
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip dns server
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.10 10110 84.92.109.26 10110 extendable
ip nat inside source static tcp 10.10.10.50 10510 84.92.109.26 10510 extendable
ip ssh version 2
!
ip access-list standard ACCESS
 permit 138.253.20.0 0.0.0.255
 permit 10.10.10.0 0.0.0.255
 permit 10.10.50.0 0.0.0.255
 permit 10.10.100.0 0.0.0.255
 deny any
!
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.50.0 0.0.0.255
access-list 10 permit 10.10.90.0 0.0.0.255
access-list 10 deny any
access-list 101 deny ip 10.10.90.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.90.0 0.0.0.255 any
!
control-plane
!
banner login ^CCCC
THIS IS A PRIVATE SYSTEM. UNAUTHORISED ACCESS IS NOT PERMITTED AND OFFENDERS ARE LIABLE TO PROSECUTION. YOUR IP HAS BEEN LOGGED AND AN ALERT GENERATED
^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 no modem enable
line aux 0
line vty 0 4
 access-class ACCESS in
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
ntp server 62.253.202.249
ntp server 92.27.75.51
ntp server 85.199.214.99

Any help is appreciated.
+BudMan (MVC) Posted December 10, 2018

You need to set up IP helpers to relay the DHCP info from each VLAN to your DHCP server. Here, this should help: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html (ASA DHCP Relay Configuration Example)
MartyW (Author) Posted December 10, 2018

Thanks for the reply. This is along the lines I was thinking, but that example is using a layer 3 link between the ASA and the 887VA, and the 887VA can't have a layer 3 port, just layer two. Any different ideas?
+BudMan (MVC) Posted December 11, 2018

Huh? Your dhcpd has an IP, right... Your different VLANs clearly have SVIs on them... How do you think you're going to run a dhcpd without an IP? So that IP (layer 3) is going to sit in one of your layer 2 VLANs.
MartyW (Author) Posted December 11, 2018

OK, I get that point, but how do I set up the link between the 887 and the ASA? The ASA will only allow an IP or sub-interfaces (I can't use the sub-interfaces as they are already used going to the switch), and the 887 will only allow one VLAN as an access port, or a trunked port.
+BudMan (MVC) Posted December 11, 2018

HUH?? If it's on VLAN 100, then it's connected to VLAN 100.. Draw up how you have this all connected... You have a VLAN switch, right??? Your DHCP that understands multiple scopes would only need to be in one network, i.e. VLAN 100... When the ASA relays the DHCP discover it will include the VLAN it is coming from, say VLAN 90... Just google how DHCP relay works... There is as much info on this as you need, however far down the rabbit hole you need to go..
MartyW (Author) Posted December 13, 2018

On 12/11/2018 at 4:27 PM, BudMan said:
> HUH?? If it's on VLAN 100, then it's connected to VLAN 100.. Draw up how you have this all connected... You have a VLAN switch, right??? Your DHCP that understands multiple scopes would only need to be in one network, i.e. VLAN 100... When the ASA relays the DHCP discover it will include the VLAN it is coming from, say VLAN 90... Just google how DHCP relay works... There is as much info on this as you need, however far down the rabbit hole you need to go..

Yeah, I wasn't sure how DHCP relay works; I know about using ip helper addresses on SVIs, but that's about it. I am getting what you have said here though, and have gone off this to try to configure it. I have configured the 887 as a DHCP server with the scopes for all VLANs, I have given it VLAN 100 with an IP and set the port to access on VLAN 100, along with the switchport too. I can ping the 887 from the ASA, and I disabled the DHCP scopes on the ASA and set the 887 IP up in the relay section of the ASDM and ticked the boxes to relay the requests, but it still did not work. I have attached the configs and a Visio diagram of how it's connected up. Hope you can help me here.

887

Current configuration : 4021 bytes
!
! No configuration change since last restart
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MartyNet
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M4.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login default line
aaa authentication login CON local line
aaa authentication login VTY local line
aaa authorization exec default local if-authenticated
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2188670562
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2188670562
 revocation-check none
 rsakeypair TP-self-signed-2188670562
!
crypto pki certificate chain TP-self-signed-2188670562
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.20
ip dhcp excluded-address 10.10.30.1 10.10.30.20
ip dhcp excluded-address 10.10.40.1 10.10.40.20
ip dhcp excluded-address 10.10.90.1 10.10.90.20
ip dhcp excluded-address 10.10.100.1 10.10.100.20
!
ip dhcp pool MartyNet
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.10.1
 lease 3
!
ip dhcp pool KidsNet
 import all
 network 10.10.20.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.20.1
 lease 3
!
ip dhcp pool IoT
 import all
 network 10.10.30.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.30.1
 lease 3
!
ip dhcp pool GuestNet
 import all
 network 10.10.40.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.40.1
 lease 3
!
ip dhcp pool WiFi
 import all
 network 10.10.90.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.90.1
 lease 3
!
ip dhcp pool Managment
 import all
 network 10.10.100.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 10.10.100.1
 lease 3
!
no ip bootp server
no ip domain lookup
ip domain name martynet.co.uk
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO887VA-SEC-K9 sn FCZ1601C3W9
!
username marty privilege 15 secret 5 $1$QDkM$TDkRQFbzAIY2XZ6gNKtUq.
username helen privilege 15 secret 5 $1$..DI$Oh.Lg4sbKyof.nlMjL0DP/
!
controller VDSL 0
!
bba-group pppoe global
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description Management
 ip address 10.10.100.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
no ip classless
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip ssh version 2
!
ip access-list standard ACCESS
 permit 10.10.10.0 0.0.0.255
 permit 10.10.90.0 0.0.0.255
 permit 10.10.100.0 0.0.0.255
 deny any
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.90.0 0.0.0.255
access-list 10 permit 10.10.100.0 0.0.0.255
access-list 10 deny any
!
control-plane
!
banner login ^CCCCC
THIS IS A PRIVATE SYSTEM. UNAUTHORISED ACCESS IS NOT PERMITTED AND OFFENDERS ARE LIABLE TO PROSECUTION. YOUR IP HAS BEEN LOGGED AND AN ALERT GENERATED
^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 no modem enable
line aux 0
line vty 0 4
 access-class ACCESS in
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
ntp server 62.253.202.249
ntp server 92.27.75.51
ntp server 85.199.214.99
!
end

ASA

Martys-ASA# show run
: Saved
:
: Serial Number: JMX1607X0VU
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)7
!
hostname Martys-ASA
domain-name martynet
enable password fGOy1DeWiPMCxQS7 encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif MartyNet
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif KidsNet
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif IoT
 security-level 80
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/0.40
 vlan 40
 nameif GuestNet
 security-level 80
 ip address 10.10.40.1 255.255.255.0
!
interface GigabitEthernet0/0.90
 vlan 90
 nameif WiFi
 security-level 100
 ip address 10.10.90.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif Network-Managment
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address pppoe setroute
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name martynet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Emotech
 host 82.32.27.76
object network Olly
 host 10.10.10.128
object service Olly-SSH
 service tcp source eq ssh
access-list OUTSIDE_access_in extended permit tcp object Emotech object Olly eq ssh
pager lines 24
logging enable
logging monitor informational
logging asdm warnings
logging mail errors
mtu MartyNet 1500
mtu KidsNet 1500
mtu IoT 1500
mtu GuestNet 1500
mtu WiFi 1500
mtu Network-Managment 1500
mtu OUTSIDE 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MartyNet,OUTSIDE) source static Olly interface service any Olly-SSH
nat (MartyNet,OUTSIDE) source dynamic any interface
nat (KidsNet,OUTSIDE) source dynamic any interface
nat (IoT,OUTSIDE) source dynamic any interface
nat (GuestNet,OUTSIDE) source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
!
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 network 10.10.20.0 255.255.255.0 area 0
 network 10.10.30.0 255.255.255.0 area 0
 network 10.10.40.0 255.255.255.0 area 0
 network 10.10.90.0 255.255.255.0 area 0
 network 10.10.100.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.100.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 MartyNet
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.100.0 255.255.255.0 Network-Managment
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PLUSNET request dialout pppoe
vpdn group PLUSNET localname martyw@plusdsl.net
vpdn group PLUSNET ppp authentication chap
vpdn username martyw@plusdsl.net password ***** store-local
dhcpd dns 212.159.13.49 212.159.13.50
dhcpd lease 7200
!
dhcpd address 10.10.10.100-10.10.10.254 MartyNet
dhcpd dns 212.159.13.49 212.159.13.50 interface MartyNet
dhcpd lease 7200 interface MartyNet
dhcpd domain MartyNet interface MartyNet
dhcpd enable MartyNet
!
dhcpd address 10.10.20.100-10.10.20.254 KidsNet
dhcpd dns 212.159.13.49 212.159.13.50 interface KidsNet
dhcpd lease 7200 interface KidsNet
dhcpd domain KidsNet interface KidsNet
dhcpd enable KidsNet
!
dhcpd address 10.10.30.100-10.10.30.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface IoT
dhcpd lease 7200 interface IoT
dhcpd domain IoT interface IoT
dhcpd enable IoT
!
dhcpd address 10.10.40.100-10.10.40.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface IoT
dhcpd lease 7200 interface GuestNet
dhcpd domain GuestNet interface GuestNet
dhcpd enable GuestNet
!
dhcpd address 10.10.90.100-10.10.90.254 IoT
dhcpd dns 212.159.13.49 212.159.13.50 interface WiFi
dhcpd lease 7200 interface WiFi
dhcpd domain WiFi interface WiFi
dhcpd enable WiFi
!
dhcpd address 10.10.100.100-10.10.100.254 Network-Managment
dhcpd dns 212.159.13.49 212.159.13.50 interface Network-Managment
dhcpd lease 7200 interface Network-Managment
dhcpd domain Network-Managment interface Network-Managment
dhcpd enable Network-Managment
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 127.127.1.1 prefer
username marty password mycDIbWM1shfIpnO encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:711f6064c8e24acb45c0ba7a67d55415
: end
+BudMan (MVC) Posted December 13, 2018

Great, so you get it... Have fun..
MartyW (Author) Posted December 13, 2018

6 hours ago, BudMan said:
> Great, so you get it... Have fun..

Huh! I said the ASA still does not forward the requests to the DHCP server. Could you help me with this please?
+BudMan (MVC) Posted December 13, 2018

Where is your helper entry? Never going to work without that.. I see no dhcprelay entries, so how do you think it would work? The article I linked to has everything you need!
sc302 (Veteran) Posted December 13, 2018

Does it need a helper entry, being that the ASA is the DHCP server and it can see all networks? I don't think it will hurt; I don't think it is needed. When configuring local DHCP on a baby ASA 5505 or PIX 501, I don't remember needing it (it has been a long while). I think there is other information missing from the DHCP scopes. Default router is missing in all scopes... going to need that if you want the VLANs to communicate outside of themselves, like to the internet or to other VLANs. The ASA can't create static IPs? You mean create reservations? The ASA really isn't a good DHCP server. It does a job, but not a great job. I would have your DHCP done elsewhere and point your helpers there... DHCP may be better on the switch, or even better on a *nix server, or a Windows server.
+BudMan (MVC) Posted December 13, 2018

He wants a DHCP server to do all the DHCP for his VLANs because the ASA can not do reservations... So if he sets up a DHCP server somewhere on the network with all the scopes... then his ASA needs to do DHCP relay to get the DHCP discover to the dhcpd.. His ASA needs to set up dhcprelay... I sent him a link on EXACTLY how to do what he asked... To be honest, confused why this thread is more than his post and my response long. OK, should have been 3 posts.. His ?, my answer and then his thanks!

@sc302 hey mod, can you edit his posts to put his configs inside a text box or something so they are not so freaking long for the whole thread.
sc302 (Veteran) Posted December 13, 2018

Put it into spoiler tags; you can view as needed.

On the ASA, I would suggest taking out code that isn't needed. The dhcpd needs to be modified if utilizing it in the ASA, or taken out if not. If utilizing a DHCP server that isn't the ASA, you need to utilize a DHCP helper.
MartyW (Author) Posted December 13, 2018

3 hours ago, BudMan said:
> He wants a DHCP server to do all the DHCP for his VLANs because the ASA can not do reservations... So if he sets up a DHCP server somewhere on the network with all the scopes... then his ASA needs to do DHCP relay to get the DHCP discover to the dhcpd.. His ASA needs to set up dhcprelay... I sent him a link on EXACTLY how to do what he asked... To be honest, confused why this thread is more than his post and my response long. OK, should have been 3 posts.. His ?, my answer and then his thanks!
> @sc302 hey mod, can you edit his posts to put his configs inside a text box or something so they are not so freaking long for the whole thread.

Don't appreciate your arrogance at all. I am trying to get some decent help here, not be treated like dirt on the bottom of your shoe.

I can't get in to the CLI because my console port has stopped giving any output for some reason, and telnet/SSH does not let me log in; it says I have the wrong password. So I am left with just trying to get the relay working via the ASDM, which I have tried, but this did not work, which I did say in a previous post.
Mindovermaster (Global Moderator) Posted December 13, 2018

6 minutes ago, MartyW said:
> Don't appreciate your arrogance at all. I am trying to get some decent help here, not be treated like dirt on the bottom of your shoe.
> I can't get in to the CLI because my console port has stopped giving any output for some reason, and telnet/SSH does not let me log in; it says I have the wrong password. So I am left with just trying to get the relay working via the ASDM, which I have tried, but this did not work, which I did say in a previous post.

Don't take it that way. BudMan is helping you. You aren't listening. I had to learn this myself. Once you start talking his language, it clicks.
+BudMan (MVC) Posted December 14, 2018

Bottom of my shoe? What -- dude, get over yourself please... What part are you not understanding about the doc linked to? And we can help... But all the info you need to set up a relay has been given.

If you can not get to the console, I would worry about that before working on changing your DHCP config.
MartyW (Author) Posted December 15, 2018

On 12/14/2018 at 9:55 AM, BudMan said:
> Bottom of my shoe? What -- dude, get over yourself please... What part are you not understanding about the doc linked to? And we can help... But all the info you need to set up a relay has been given.
> If you can not get to the console, I would worry about that before working on changing your DHCP config.

Fair enough, so any ideas why my console would just stop working? I can get on to other equipment no problem; it's just the ASA that won't let me on. I could try to factory wipe it, but then I am worried that if I still can't get on to it I won't be able to set it up again.
sc302 (Veteran) Posted December 18, 2018

Could be that it doesn't have a domain name. Could be that you deleted your SSH keys. Could be that you are on an unsupported version of SSH where your client won't connect. Could be that you are using the wrong settings if you are using a console cable. Or it could be that you don't have vty 5 15 defined so you can edit via SSH.
+BudMan (MVC) Posted December 18, 2018

Did the console ever work? Why do you have no modem enable on your con 0? I would wipe the thing and start with a clean config.
sc302 (Veteran) Posted December 19, 2018

I agree with wiping it and starting fresh.
c.grz Posted December 19, 2018

dhcprelay enable %Interface_Name%
dhcprelay server %DHCPServer_IP% %Interface_Name%
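The mechanism BudMan describes (one DHCP server in VLAN 100 serving every VLAN once the ASA relays) and the two dhcprelay commands above, modelled end to end as an added Python example that is not part of the thread. It assumes the 887 sits at 10.10.100.2 as in the second config, uses the six pools and .1-.20 exclusions from the 887 config, and uses the ASA sub-interface addresses as the relay agents; the client MACs and transaction IDs are constructed.

```python
"""One DHCP server, six VLANs: how the relay agent's giaddr selects the scope.

Added example, not from the thread. Constructed values: the pools and the
.1-.20 exclusions mirror the 887's `ip dhcp pool` blocks, the relay addresses
mirror the ASA sub-interfaces, and 10.10.100.2 is the 887's Vlan100 address
from the second config posted in the thread.
"""
import ipaddress
import struct

# (network, default-router) per scope, as on the 887; "Managment" is spelt as in the config.
POOLS = {
    "MartyNet":  ("10.10.10.0/24",  "10.10.10.1"),
    "KidsNet":   ("10.10.20.0/24",  "10.10.20.1"),
    "IoT":       ("10.10.30.0/24",  "10.10.30.1"),
    "GuestNet":  ("10.10.40.0/24",  "10.10.40.1"),
    "WiFi":      ("10.10.90.0/24",  "10.10.90.1"),
    "Managment": ("10.10.100.0/24", "10.10.100.1"),
}
EXCLUDED = (1, 20)          # ip dhcp excluded-address x.x.x.1 x.x.x.20
SERVER_IP = "10.10.100.2"   # the only network the DHCP server itself sits in
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)      # RFC 2131 fixed-header offsets
CHADDR = slice(28, 34)      # first 6 of the 16 chaddr bytes (Ethernet MAC)


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: hops and giaddr are zero."""
    zero4 = b"\0" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                  # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,              # xid, secs, broadcast flag set
                         zero4, zero4, zero4, zero4,  # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, then End


def relay(packet: bytes, ingress_ip: str) -> bytes:
    """What `dhcprelay enable <ifc>` makes the ASA do with a broadcast DISCOVER:
    stamp giaddr with the ingress interface address if it is still zero, add one
    hop, and (not modelled here) unicast the result to the `dhcprelay server`."""
    giaddr = packet[GIADDR]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.IPv4Address(ingress_ip).packed
    return packet[:3] + bytes([packet[3] + 1]) + packet[4:24] + giaddr + packet[28:]


def select_pool(packet: bytes, server_ip: str = SERVER_IP):
    """RFC 2131 4.3.1: a non-zero giaddr names the client's subnet; a zero giaddr
    means the client is on the link the server received the request on."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    key = giaddr if int(giaddr) else ipaddress.IPv4Address(server_ip)
    for name, (network, _) in POOLS.items():
        if key in ipaddress.IPv4Network(network):
            return name
    return None  # no pool covers that subnet: an IOS server simply does not answer


class DhcpServer:
    """Just enough of the 887's behaviour to show scope selection and exclusions."""

    def __init__(self):
        self.leases = {}  # chaddr -> (pool name, IPv4Address)

    def offer(self, packet: bytes):
        pool = select_pool(packet)
        if pool is None:
            return None
        known = self.leases.get(packet[CHADDR])
        if known and known[0] == pool:  # same client, same VLAN: re-offer its lease
            return self._reply(packet, pool, known[1])
        network = ipaddress.IPv4Network(POOLS[pool][0])
        base = network.network_address
        in_use = {ip for _, ip in self.leases.values()}
        for host in network.hosts():
            if base + EXCLUDED[0] <= host <= base + EXCLUDED[1] or host in in_use:
                continue
            self.leases[packet[CHADDR]] = (pool, host)
            return self._reply(packet, pool, host)
        return None  # pool exhausted

    @staticmethod
    def _reply(packet: bytes, pool: str, host):
        # A relayed request is answered by unicast to giaddr and the relay re-broadcasts
        # the OFFER on that VLAN; a request from the server's own link is answered directly.
        giaddr = ipaddress.IPv4Address(packet[GIADDR])
        return {"pool": pool, "yiaddr": str(host), "router": POOLS[pool][1],
                "reply_to": str(giaddr) if int(giaddr) else None}


if __name__ == "__main__":
    server = DhcpServer()
    # Client on VLAN 90: the ASA's WiFi sub-interface (10.10.90.1) relays the DISCOVER.
    wifi = relay(build_discover(bytes.fromhex("0250563c0a01"), 0x1234), "10.10.90.1")
    print(server.offer(wifi))
    # Client on VLAN 100: no relay involved, giaddr stays 0, server uses its own subnet.
    print(server.offer(build_discover(bytes.fromhex("0250563c0a02"), 0x1235)))
```

Without the relay stamping giaddr, every request the server does see is answered from the 10.10.100.0/24 pool, and requests broadcast on the other VLANs never reach 10.10.100.2 at all.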