I have seven subnets that previously used public IPs exclusively with helper addresses configured on a router that I *do not* control.
We recently installed an ASA 5550 to do nothing more than perform NAT for five of the subnets; the other two retain the use of public IPs.
The DHCP server we planned to use is on a public IP subnet. The ethernet port on this box is configured for Dot1q trunking and listens on all ports for DHCP broadcasts.
The problem, or peculiarity, I'm seeing is that the DHCP requests hit the server twice: once as a simple broadcast and again after passing through the ASA, hitting the router and being directed by the helper address (all this in spite of using the ASA as an interim DHCP server).
I could request that the helper addresses be removed, but my first thought was to simply block port 67 and 68 from passing through the ASA. I have applied the "nodhcpout" acl to both inside and outside interfaces, but the traffic still passes. I have also disabled same-security traffic with the same result.
Any insight is appreciated. Here's the config from one context:
nat/vlan540# sh run
ASA Version 8.0(4) <context>
ip address xxx.xxx.xxx.2 255.255.255.128
ip address 172.18.0.1 255.255.0.0
dns domain-lookup 54lowerout
dns server-group DefaultDNS
access-list allow extended permit ip any any
access-list nodhcpout extended deny udp any any eq bootps
access-list nodhcpout extended deny udp any any eq bootpc
access-list nodhcpout extended permit ip any any
pager lines 24
logging trap alerts
logging host 54lowerout x.x.x.x
logging message 305012 level alerts
logging message 305011 level alerts
logging message 305010 level alerts
logging message 305009 level alerts
mtu 54lowerout 1500
mtu 54lowerin 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (54lowerout) 1 x.x.x.x netmask 255.255.255.128
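Added example, not part of the original post or its config: an ASA 8.0-style fragment that rebuilds the nodhcpout ACL with logging on the deny entries, binds it to both interfaces, and lists the show commands used to confirm it is actually in the path. The interface names 54lowerin and 54lowerout come from the pasted config; the `log` keyword, the access-group lines and the message-level line are assumed to match this platform's syntax.

```cisco
! Rebuild the ACL with "log" on the deny lines so each match produces
! syslog 106100 and increments the ACE hit counter.
clear configure access-list nodhcpout
access-list nodhcpout extended deny udp any any eq bootps log
access-list nodhcpout extended deny udp any any eq bootpc log
access-list nodhcpout extended permit ip any any
! The pasted config sends only "alerts" to the syslog host, so raise
! 106100 the same way the 3050xx messages are raised above.
logging message 106100 level alerts
! Bind the ACL on both interfaces; an ACL that is defined but not
! bound with access-group filters nothing.
access-group nodhcpout in interface 54lowerin
access-group nodhcpout in interface 54lowerout
! Verify the binding and watch the hit counts on the two deny ACEs.
show access-group
show access-list nodhcpout
! Interface ACLs only govern through-the-box traffic; DHCP that the ASA
! itself serves or relays is to-the-box, so confirm what is enabled.
show running-config dhcpd
show running-config dhcprelay
```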