cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
833
Views
5
Helpful
3
Replies

Bizzare issue with DHCP Relay - ASA5510

spejic
Level 1
Level 1

Hello all,

we recently upgraded our DNS/DHCP servers with newer hardware and more up-to-date version of Linux.

The previous servers were not behind a firewall. The current servers are placed behind our ASA5510 appliance, and we have set up translations and access lists accordingly (please see config).

So we switched to the new servers.. and discovered that a number of our ADSL clients can NOT obtain an IP from the DHCP server behind the firewall, UNLESS: we have them assign their IP address to their PC or router statically; then if they switch back to dynamic IP they can obtain that same IP no problem.

Just to isolate the issue, we put the DHCP server on the outside and the problem went away (of course, we can't leave it on the outside for any extended amounts of time).

When I debugged DHCP relay, I can see that the firewall is passing the requests, and the DHCP server is replying, but the client never gets an IP unless we statically assign it first.

(In other words, "exchange complete" is the part that is missing prior to us having the customer statically assign the IP first).

Please help!

Thanks in advance!

3 Replies 3

spejic
Level 1
Level 1

hostname ASA5510

domain-name xxx.com

enable password xxx

names

name 10.185.225.254 NEXTGEN

name 10.185.225.21 NS1

name 10.185.225.22 NS2

name 10.185.225.101 DNS1

name 10.185.225.110 DNS2

dns-guard

interface Ethernet0/0

nameif outside

security-level 0

ip address 123.x.x.150 255.255.255.0

interface Ethernet0/1

shutdown

nameif inside

security-level 100

ip address 192.168.110.1 255.255.255.0

interface Ethernet0/2

nameif DMZ

security-level 50

ip address 10.185.225.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

ftp mode passive

object-group network WEBFTPSERVERS

network-object host 123.185.225.140

network-object host 123.185.225.141

network-object host 123.185.225.142

network-object host 123.185.225.143

network-object host 123.185.225.144

network-object host 123.185.225.145

network-object host 123.185.225.151

network-object host 123.185.225.152

object-group network DNSSERVERS

network-object host 123.185.225.21

network-object host 123.185.225.22

network-object host 123.185.225.10

network-object host 123.185.225.1

object-group service WEB_FTP tcp

port-object eq www

port-object eq ftp

port-object eq ftp-data

object-group service DNS_DHCP_RADIUS udp

port-object eq domain

port-object eq bootpc

port-object eq radius

port-object eq radius-acct

port-object eq bootps

access-list OUTSIDE-IN extended permit tcp any object-group WEBFTPSERVERS object

-group WEB_FTP log

access-list OUTSIDE-IN extended permit udp any object-group DNSSERVERS object-gr

oup DNS_DHCP_RADIUS

access-list OUTSIDE-IN extended permit icmp any any

access-list DMZ-OUT extended permit ip any any

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip verify reverse-path interface outside

ip audit name ProtectUs attack action alarm drop reset

ip audit interface outside ProtectUs

no failover

arp timeout 14400

global (outside) 1 123.185.225.139

nat (DMZ) 1 10.185.225.0 255.255.255.0

static (DMZ,outside) 123.185.225.140 10.185.225.140 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.141 10.185.225.141 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.142 10.185.225.142 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.143 10.185.225.143 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.144 10.185.225.144 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.145 10.185.225.145 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.151 10.185.225.151 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.152 10.185.225.152 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.21 NS1 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.22 NS2 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.1 DNS1 netmask 255.255.255.255

static (DMZ,outside) 123.185.225.10 DNS2 netmask 255.255.255.255

access-group OUTSIDE-IN in interface outside

access-group DMZ-OUT out interface DMZ

route outside 0.0.0.0 0.0.0.0 123.185.225.125 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

no snmp-server enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcprelay server DNS2 DMZ

dhcprelay enable outside

dhcprelay timeout 60

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect http

inspect icmp

!

service-policy global_policy global

: end

ASA5510#

This sounds like a bug, but we are not aware of any known issues in this area.

I would suggest opening a TAC case so it can be further diagnosed.

But you will need to get a capture of the dhcp-relay packets on both interfaces (using the capture feature). And collect both a bad, and good (when users first static the ip) captures.

You can also post the capture here and I will try to take a quick look.

Sincerely,

David.

Hi David,

thank you for your reply!

I was hoping the issue was simply a mistake I made configuring the appliance; but if you think it might be a bug, then I will assume there's nothing wrong with the config (everything else works properly behind the firewall).

We had no choice but to put our DHCP server on the outside and harden the Linux system.

We'll have to leave it like this for now, as we can't afford any more customer downtime.

Therefore, I won't be able to perform packet capture any time soon..

but thanks very much for your offer!!

Regards,

Sean

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: