PIX/ASA outside ip address dhcp!

Unanswered Question
Jul 31st, 2008

Hi

I can't get internet access through the device using an ASA ver 7.2 when using "ip address dhcp setroute". However it works when I use a PIX ver 6.3!

Anyone come across this before or know how to get it to work through the ASA?

Below is the output from "show route" and the config from each device:

PIX

pixfirewall#
pixfirewall# sh route
outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static
inside 10.9.0.0 255.255.0.0 10.9.1.1 1 CONNECT static
outside 80.64.14.128 255.255.255.255 80.64.14.128 1 CONNECT static
pixfirewall#

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.9.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location ISA2004 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
dhcpd address 10.9.1.3-10.9.1.33 inside
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
END

+++++++++++++++++++++++++++++

ASA

ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C 10.9.0.0 255.255.0.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
ciscoasa#
ciscoasa#

ASA Version 7.2(4)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.9.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
http 10.9.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.9.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.9.1.3-10.9.1.33 inside
dhcpd enable inside
!
username cisco password xxx encrypted privilege 15
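The two "show route" dumps above use different layouts (PIX 6.3 prints one column-style line per route; ASA 7.x prints a legend, a gateway-of-last-resort line and per-route code letters), which makes them awkward to compare by eye. The following parser is an added illustration, not code from the original thread or from Cisco: it normalises both formats into one structure and reports whether the default routes agree and which prefixes appear in only one table. The sample inputs are copied from the post above; the class and function names are this example's own.

```python
"""Parse PIX 6.3 and ASA 7.x 'show route' output into a common shape
so the two tables can be compared side by side.

Added example (not from the original post). The sample outputs below
are copied from the thread; names such as Route, parse_routes and
prefixes_missing_from are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: str
    mask: str
    gateway: Optional[str]   # None for an ASA "directly connected" entry
    interface: str
    source: str              # normalised to the words PIX 6.3 prints: DHCP, CONNECT, static

    @property
    def is_default(self) -> bool:
        return self.network == "0.0.0.0" and self.mask == "0.0.0.0"

    @property
    def prefix(self) -> str:
        return f"{self.network}/{self.mask}"


# PIX 6.3 line: "<iface> <net> <mask> <gw> <metric> <source> <type>"
PIX_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<gw>[\d.]+)"
    r"\s+\d+\s+(?P<src>\S+)\s+\S+\s*$"
)
# ASA 7.x connected line: "C 10.9.0.0 255.255.0.0 is directly connected, inside"
ASA_CONNECTED_RE = re.compile(
    r"^C\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+is directly connected,\s+(?P<iface>\S+)\s*$"
)
# ASA 7.x next-hop line: "d* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside"
ASA_VIA_RE = re.compile(
    r"^(?P<code>[A-Za-z]+)\*?\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+\[\d+/\d+\]"
    r"\s+via\s+(?P<gw>[\d.]+),\s+(?P<iface>\S+)\s*$"
)
# ASA route-code letters mapped onto the source words PIX 6.3 prints
ASA_CODE_SOURCE = {"d": "DHCP", "S": "static", "C": "CONNECT"}


def parse_routes(text: str) -> List[Route]:
    """Return the routes in a PIX or ASA 'show route' dump. Prompts, the ASA
    legend and the 'Gateway of last resort' line match none of the patterns
    and are skipped."""
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ASA_CONNECTED_RE.match(line):
            routes.append(Route(m["net"], m["mask"], None, m["iface"], "CONNECT"))
        elif m := ASA_VIA_RE.match(line):
            src = ASA_CODE_SOURCE.get(m["code"], m["code"])
            routes.append(Route(m["net"], m["mask"], m["gw"], m["iface"], src))
        elif m := PIX_RE.match(line):
            routes.append(Route(m["net"], m["mask"], m["gw"], m["iface"], m["src"]))
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    return next((r for r in routes if r.is_default), None)


def same_default_gateway(a: List[Route], b: List[Route]) -> bool:
    """True when both tables carry a default route with the same next hop
    and the same egress interface."""
    da, db = default_route(a), default_route(b)
    return (da is not None and db is not None
            and da.gateway == db.gateway and da.interface == db.interface)


def prefixes_missing_from(a: List[Route], b: List[Route]) -> List[str]:
    """Prefixes present in table a but absent from table b."""
    have = {r.prefix for r in b}
    return sorted(r.prefix for r in a if r.prefix not in have)


# Sample input: the two 'show route' dumps quoted in the post above.
PIX_SHOW_ROUTE = """\
pixfirewall# sh route
outside 0.0.0.0 0.0.0.0 192.168.1.1 1 DHCP static
inside 10.9.0.0 255.255.0.0 10.9.1.1 1 CONNECT static
outside 80.64.14.128 255.255.255.255 80.64.14.128 1 CONNECT static
pixfirewall#
"""
ASA_SHOW_ROUTE = """\
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       * - candidate default, U - per-user static route, o - ODR
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C 10.9.0.0 255.255.0.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
ciscoasa#
"""

if __name__ == "__main__":
    pix, asa = parse_routes(PIX_SHOW_ROUTE), parse_routes(ASA_SHOW_ROUTE)
    for name, table in (("PIX", pix), ("ASA", asa)):
        print(name, "default:", default_route(table))
    print("same default gateway:", same_default_gateway(pix, asa))
    print("in PIX but not ASA:", prefixes_missing_from(pix, asa))
    print("in ASA but not PIX:", prefixes_missing_from(asa, pix))
```

Run against the two dumps in the post, both tables resolve to the same default route (192.168.1.1 via outside, learned from DHCP on both boxes), and the only prefix the PIX lists that the ASA output does not is the host route for the outside interface's own address.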

Mark Yeates Thu, 07/31/2008 - 09:19

Vince,

Try adding the "dhcpd auto_config outside interface inside" command. That is the only thing I see different from the working ASA's that I have configured in the past.

HTH,

Mark

vince.maxwell Thu, 07/31/2008 - 12:49

Hi Mark

I tried applying what you advised but it didn't make any difference. The DNS info was being pushed to the internal LAN clients.

The issue is a routing problem. The routing tables for the old PIX and the ASA generate different default/static routes!

Any other suggestions?

dentt Thu, 07/31/2008 - 14:02

Remove the dhcpd config from the outside interface.

vince.maxwell Thu, 07/31/2008 - 14:08

Hi, the zero route is generated via the "setroute" keyword under the interface e0/0 "ip address dhcp setroute". If I remove that it doesn't have any route out at all!

The setup is via a DLink inline ADSL modem/router then into the ASA, with the DLink having a LAN interface address of 192.168.1.1, which you see as the next hop. The ASA is picking up the public IP addressing but doesn't seem to be able to route anything, unlike the PIX which could.

Posted July 31, 2008 at 8:36 AM