Cisco Support Community

New Member

asa 8.6 static command

I am trying the following command on ASA 8.61; however, it appears the static command no longer works. Would appreciate any insights.

static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0

Thanks.

31 REPLIES
VIP Purple

asa 8.6 static command

The NAT configuration completely changed beginning with v8.3. Here are some examples:

https://supportforums.cisco.com/docs/DOC-9129


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: asa 8.6 static command

Sorry, I am lost.

We are trying to get our DHCP server (public.x.x.x) on VLAN 1 with a 10.25.0.1 scope to service the ASA on VLAN 3.

We input the following:

dhcprelay server public.x.x.x outside

dhcprelay enable inside

dhcprelay setroute inside

I thought the next step was to create a static from the inside to outside for the IP address of the inside interface. I thought this would allow the inside interface to relay the DHCP broadcast to your DHCP server with its private address. The command on pre-8.3 was something like:

static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0

VIP Purple

asa 8.6 static command

I'm pretty sure you don't need NAT for the dhcprelay to work. NAT is for traffic passing through the ASA, but with dhcprelay the ASA receives the packets and generates a new request based on the received packet. There shouldn't be any NAT involved.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

asa 8.6 static command

Hi Bro

Since your LAN users are on the INSIDE and your DHCP Server is on the OUTSIDE, you'll need to enable DHCP RELAY in your Cisco ASA FW. Here is a guide: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: asa 8.6 static command

Thanks Ramraj,

I have the options set as the GUI suggests. My external DHCP server is at 165.234.128.9 and I have a scope set up on it for 10.25.0.0:

dhcprelay server 165.234.128.9 outside

dhcprelay server 10.25.0.1 outside

dhcprelay enable inside

Within that link you mention above I am having trouble with the ip route statement:

!--- This command creates a static route in order to
!--- route the reply packets to the DHCP relay interface.

ip route 10.1.1.0 255.255.255.0 10.2.1.1

The command ip route is apparently not available on ver 8.6; below is what happens:

ciscoasa(config)# ip route
                     ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# ip ?

configure mode commands/options:
  audit   Configure the Intrusion Detection System
  local   Define a local pool of IP addresses
  verify  Configure Unicast Reverse Path Filtering on an interface

VIP Purple

Re: asa 8.6 static command

The "ip route" is not a command that you have to enter on the ASA. The config you posted on 19.07.2012, 23:34 is exactly what you need to enable a DHCP relay. Nothing more is needed.

If it still doesn't work, the reason will probably be somewhere else. You could try to capture the packets to see how far they get.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
VIP Purple

Re: asa 8.6 static command

And just to make sure we're talking about the same scenario:

Your clients are directly connected to the inside interface on the ASA, without an L3 instance between them?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: asa 8.6 static command

The ASA outside interface is connected to Cisco 4507 gig 2/45, the inside interface is connected to the same Cisco 4507 gig 2/46. The client is connected to the same 4507 on gig 1/20.

gig 2/46 and gig 1/20 have the following config line:

switchport access vlan 3

New Member

Re: asa 8.6 static command

Didn't see your earlier post. Was on tech support with Cisco and they did set up a packet trace. They found the packets are getting to the DHCP server, but when the server replies they are being discarded. Cisco thought it was the configuration of the external DHCP server, but we have not found a solution that works yet.

VIP Purple

Re: asa 8.6 static command

What is the log message when the packets are discarded?

Sent from Cisco Technical Support iPad App


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: asa 8.6 static command

Example of what we see in the log:

%ASA-7-710005: UDP request discarded from 165.234.128.9/67 to outside:255.255.255.255/68

New Member

Re: asa 8.6 static command

Attached are the packet trace files.

Filtering with ip.addr==165.234.128.9 should show what is happening.

VIP Purple

Re: asa 8.6 static command

In the asp.pcap, there are only DHCP offers with client addresses in the 165.234.128.0 network. Are these captures really related to the problem? The DHCP server should offer an IP in the 10.25.0.0/20 network.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: asa 8.6 static command

That is a question we have been asking ourselves too.

When filtering asp.pcap with ip.addr==165.234.128.9, on row No. 103 we find the MAC address of the client we are trying to get an IP address on (64:31:50:95:43:2c).

We have 2 scopes on our DHCP server. How does a client on the inside of the ASA know which scope to pick from, and for that matter, how does one on the outside know which scope to pick from?

VIP Purple

Re: asa 8.6 static command

The relay agent includes its own IP address from the interface that received the DHCP request. The DHCP server then searches for a matching scope. You have a DHCP pool starting at 10.25.0.0?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
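The mechanism described above, and the discarded-reply syslog message posted earlier in the thread, as an added example that is not part of the original thread or of any Cisco code. It builds a DHCPDISCOVER the way a relay forwards it (giaddr set to the receiving interface's address, 10.25.0.1), shows how a server selects a scope by giaddr, where RFC 2131 section 4.1 says the server must send its reply when giaddr is non-zero, and classifies the %ASA-7-710005 line against that rule. The scope table (the second scope's prefix is assumed as the outside /21), the client MAC and the log line are taken or adapted from the thread; the packet bytes are constructed here.

```python
"""Added example: relay giaddr, DHCP scope selection and reply destination."""
import ipaddress
import re
import struct

# Minimal BOOTP/DHCP fixed header (RFC 2131 section 2): 236 bytes before options.
_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"

# Values from the thread; the 165.234.128.0/21 scope prefix is an assumption.
RELAY_IP = "10.25.0.1"
SERVER_IP = "165.234.128.9"
SCOPES = ["10.25.0.0/20", "165.234.128.0/21"]
CLIENT_MAC = bytes.fromhex("64315095432c")
LOG_LINE = ("%ASA-7-710005: UDP request discarded from 165.234.128.9/67 "
            "to outside:255.255.255.255/68")


def build_discover(xid, chaddr, giaddr="0.0.0.0"):
    """Constructed DHCPDISCOVER as a relay forwards it: giaddr carries the
    address of the interface that received the client's broadcast."""
    hdr = struct.pack(_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      ipaddress.IPv4Address(giaddr).packed,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"\x35\x01\x01\xff"  # option 53 = DISCOVER, then end


def parse_header(pkt):
    """Return the fields a relay-aware server looks at first."""
    f = struct.unpack(_HDR, pkt[:236])
    return {"op": f[0], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]].hex(":")}


def select_scope(scopes, giaddr, server_ip):
    """A server picks the scope containing giaddr. A zero giaddr means the
    request arrived directly on the server's link, so its own subnet applies."""
    key = ipaddress.IPv4Address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for net in scopes:
        if key in ipaddress.IPv4Network(net):
            return net
    return None


def reply_destination(giaddr):
    """RFC 2131 4.1: non-zero giaddr -> unicast the reply to the relay on
    port 67; only a zero giaddr leads to a local broadcast on port 68."""
    if giaddr != "0.0.0.0":
        return (giaddr, 67)
    return ("255.255.255.255", 68)


_SYSLOG_RE = re.compile(
    r"%ASA-\d-710005: UDP request discarded from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")


def check_discard(line, relay_ip, server_ip):
    """Classify an ASA 710005 message: did the server's reply go to the relay
    address it was given in giaddr, or somewhere the relay will not accept?"""
    m = _SYSLOG_RE.search(line)
    if not m:
        return None
    src, sport, _iface, dst, dport = m.groups()
    if src != server_ip or sport != "67":
        return "not a reply from the configured DHCP server"
    if (dst, int(dport)) == (relay_ip, 67):
        return "reply addressed to relay, discard is elsewhere"
    return f"reply sent to {dst}/{dport}, not to relay {relay_ip}/67"


def walkthrough():
    """End-to-end: relayed DISCOVER -> scope -> expected reply -> log check."""
    pkt = build_discover(0x1234, CLIENT_MAC, RELAY_IP)
    hdr = parse_header(pkt)
    scope = select_scope(SCOPES, hdr["giaddr"], SERVER_IP)
    dest = reply_destination(hdr["giaddr"])
    verdict = check_discard(LOG_LINE, RELAY_IP, SERVER_IP)
    return hdr, scope, dest, verdict


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

Running the walkthrough shows the relayed request carrying giaddr 10.25.0.1, the 10.25.0.0/20 scope being selected for it, and the expected reply destination 10.25.0.1/67; the thread's log line instead records a reply broadcast to 255.255.255.255/68 on the outside interface, which is the mismatch the check reports.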
New Member

Re: asa 8.6 static command

The scope is 10.25.0.0.

Starting IP is 10.25.0.1, ending IP is 10.25.15.254.

VIP Purple

Re: asa 8.6 static command

To get more information on where the problem is, I would set up an additional DHCP server (an IOS router or switch) with the same scope and add this server to the ASA ("dhcprelay server 165.234.128.X outside"). When two DHCP servers are specified, both should get the request, and we can see if the second server answers in a way that the ASA accepts.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: asa 8.6 static command

Hi Bro

Your DHCPRELAY configuration is wrong. You are currently having this, which is wrong;

dhcprelay server 165.234.128.9 outside

dhcprelay server 10.25.0.1 outside <--- This is your DHCP Scope not your DHCP Server

dhcprelay enable inside

Instead, you should have this;

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: asa 8.6 static command

Thanks for your continued attention.

The configuration you suggest was our original configuration:

dhcprelay server 165.234.128.9 outside

dhcprelay enable inside

dhcprelay setroute inside

However, we are unable to get an IP address on the client.

We did set up another DHCP server and put it on the inside, and changed the config to no dhcprelay. And the client was able to get an IP and had internet access.

So we have been successful in using the ASA's DHCP server, and also successful in using a stand-alone DHCP server located on the inside of the ASA (with the ASA's DHCP server disabled).

But when we try to get the DHCP server on the outside, as you have stated in the above commands, we have not had success.

Re: asa 8.6 static command

Hi Bro

Why don't you show us your show run, and we can assist you further.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: asa 8.6 static command

Here is the running-config:

ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)
!
hostname ciscoasa
enable password ibqCJZNHhOXYLjS3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 165.234.128.203 255.255.248.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.25.0.1 255.255.240.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
object-group network wireless
 network-object 10.25.0.0 255.255.255.0
access-list outbound extended permit ip any any
access-list outbound extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
access-group outbound in interface outside
access-group outbound in interface inside
access-group outbound out interface inside
route outside 0.0.0.0 0.0.0.0 165.234.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 165.234.128.9 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
username admin password RSRFwwciBS8x/1/M encrypted
username dsu password RSRFwwciBS8x/1/M encrypted privilege 15
username pix password n5jkqOP4vOe/4pzS encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 10
  subscribe-to-alert-group configuration periodic monthly 10
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:49ca48250c21eec0abd300facb57c935
: end
ciscoasa#

Re: asa 8.6 static command

Hi Bro

Please do this, and let me know the outcome;

interface GigabitEthernet0/1
  no ip address 10.25.0.1 255.255.240.0
  ip address 10.25.0.1 255.255.255.0

no nat (inside,outside) after-auto source dynamic any interface

no nat-control

no access-group outbound out interface inside

no dhcpd address 192.168.1.2-192.168.1.254 management

route outside 165.234.128.9 255.255.255.255 165.234.128.2 // Try with this, and without this //

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: asa 8.6 static command

Did as above, with the exception of no nat-control.

The following was the output when I tried:

ciscoasa(config)# no nat
ERROR: % Incomplete command
ciscoasa(config)# nat ?

configure mode commands/options:
  (               Open parenthesis for (,)
                  pair where is the Internal or prenat
                  interface and is the External or postnat
                  interface
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ciscoasa(config)# nat

New Member

Re: asa 8.6 static command

Hi Todd

The nat-control command is deprecated.


http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

Regards Craig

Re: asa 8.6 static command

Hi Bro

Is everything OK now?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: asa 8.6 static command

Have been unsuccessful in getting clients on the inside of the ASA to receive an IP address from the DHCP server outside the ASA.

VIP Purple

Re: asa 8.6 static command

Have you tried a different DHCP server on the outside to see what happens?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: asa 8.6 static command

Can you paste here the output of the command "debug dhcprelay packet"?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: asa 8.6 static command

Here is the output of debug dhcprelay packet:

ciscoasa# debug dhcprelay packet
debug dhcprelay packet enabled at level 1
ciscoasa# DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
DHCPRA: relay binding found for client 6431.5095.432c.
DHCPD: setting giaddr to 10.25.0.1.
dhcpd_forward_request: request from 6431.5095.432c forwarded to 165.234.128.9.
