Cisco ASA 5505 - outside can't DHCP as router uses same range

frankdahlin (Level 1)

Hi

I'm new to the ASA and am trying to set up a test net. The ASA is connected to my router on port zero using DHCP.

(Or I guess it's not, as the router uses the same IP range as the ASA does inside.)

I tried to set a static IP in the same range (eg. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside".

So I believe that is why it doesn't get an IP from my router - it does show up in the router DHCP table as 192.168.1.5, but ASDM home says outside "no IP address".

I tried to change the inside range of the ASA, but if I change the inside IP I lose the connection.

(Had to restore factory-default using the console.)

I guess I could set up another range using the console, but how?

How can I set up this test net?


9 Replies

Julio Carvajal (VIP Alumni)

Hello Frank,

Correct, you cannot have the same IP address on two interfaces, because the ASA has to divide the broadcast domain (routed mode).

So you need to change the DHCP scope address (IP address and DHCP configuration on the router) or change the inside interface of the ASA.

Option 1:

On the ASA:

vlan 1
no ip add
ip add 192.168.2.1 255.255.255.0

Option 2:

On the router (let's say port 0/1 is connected to the ASA):

interface ethernet 0/1
no ip add
ip add 192.168.2.1 255.255.255.0

ip dhcp pool Inside_Firewall
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1

ip dhcp excluded-address 192.168.2.1

These two solutions will do it for you.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks.

The commands seem to work (except it should be "interface vlan 1" to be accepted).

- But still no working ASA.

The session:

ciscoasa(config)# vlan 1
                            ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# no ip add
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)#

However, I'm still not able to connect. Both 192.168.2.1 and 192.168.1.1 did not respond.

I then tried a reboot (turned the ASA on/off).

It showed this error during boot:

ciscoasa> ERROR: Failed to apply IP address to interface Vlan2, as the network overlaps with interface Vlan1. Two interfaces cannot be in the same subnet.

It seems the IP change command for vlan1 was accepted - how can I read out the current setting?

Hello Frank,

You did not save the changes, so as soon as you rebooted the ASA it went back to the last configuration saved (the one with the issue).

What do you mean you cannot connect from vlan 1 to vlan 2? Do you have NAT configured to accomplish that?

Can you share the configuration file with the changes I asked you to make?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

If I needed to save, I did not. (I have not used the console before.)

Found the "write memory" and reload commands.

I can't connect to the ASA using the ASDM-IDM Launcher (from a PC connected to the inside LAN).

It seems that the ASA DHCP server does not work.

And: show running-config

ciscoasa# show running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

no ip address

!

ftp mode passive

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:5085ad55b43198c7490b2edfee450906

: end

Hello Frank,

Please make the following changes and let me know the result:

no http 192.168.1.0 255.255.255.0 inside
no dhcp-client client-id interface outside
no dhcpd auto_config outside

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

Hope this helps.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

The ASDM-IDM Launcher is still unable to connect.

And the PC connected to the inside ports still doesn't get an IP from the ASA.

show running-config:

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:050b5d46b0af856b0c016c5ea4b4f9b8

: end

Hello Frank,

For the DHCP to work:

dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside
dhcpd dns 4.2.2.2 interface inside

For the PC on the inside to be able to access ASDM:

http 0 0 inside

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, that did the magic. I now got an IP for the PC, and the ASA got an IP from my router.

Just for future reference, here are the working commands:

ciscoasa(config)# dhcpd address 192.168.2.2-192.168.2.254 inside
Warning, DHCP pool range is limited to 32 addresses, set address range as: 192.168.2.2-192.168.2.33
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# dhcpd dns 4.2.2.2 interface inside
ciscoasa(config)# http 0 0 inside
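As an added example (not from the thread, not Cisco code), a small Python checker that flags the three things that went wrong here before they are committed with "write memory": overlapping interface subnets, an http line that no longer matches the inside subnet after renumbering, and a DHCP pool larger than the 32 addresses the 5505 warned about. The config text is constructed in the style of the running-configs above, and the parsing only covers the lines this thread discusses.

```python
import ipaddress
import re

# Constructed config in the style of the thread's "show running-config" (not the
# poster's own): inside renumbered, outside still in the router's range, http/dhcpd stale.
SAMPLE_CONFIG = """interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.2.5 255.255.255.0
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.2.2-192.168.2.254 inside
"""
DHCP_POOL_LIMIT = 32  # the 5505 base-license cap the CLI warned about in the thread

def _net(addr, mask):  # ASA writes 'any' as '0 0'; normalise before ipaddress sees it
    return ipaddress.ip_network("/".join("0.0.0.0" if s == "0" else s for s in (addr, mask)), strict=False)

def parse_config(text):
    """Return interface subnets keyed by nameif, plus http rules and dhcpd pools."""
    ifaces, http_rules, pools, cur = {}, [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif cur is not None and (m := re.match(r"nameif (\S+)$", line)):
            cur["nameif"] = m[1]
        elif cur is not None and (m := re.match(r"ip address (\d\S*) (\d\S*)$", line)):
            cur["net"] = _net(m[1], m[2])  # 'ip address dhcp setroute' is skipped on purpose
        elif m := re.match(r"http (\d\S*) (\d\S*) (\S+)$", line):
            http_rules.append((_net(m[1], m[2]), m[3]))
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), m[3]))
    return {i["nameif"]: i["net"] for i in ifaces.values() if "nameif" in i and "net" in i}, http_rules, pools

def check_config(text):
    """Findings to clear before 'write memory': the three mistakes the thread ran into."""
    nets, http_rules, pools = parse_config(text)
    findings, names = [], sorted(nets)
    for i, a in enumerate(names):  # 'cannot overlap with the subnet of interface inside'
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlap: {a} {nets[a]} vs {b} {nets[b]}")
    for net, ifname in http_rules:  # stale ASDM access line after renumbering inside
        if ifname in nets and not net.overlaps(nets[ifname]):
            findings.append(f"http: {net} matches no host on {ifname} {nets[ifname]}")
    for lo, hi, ifname in pools:  # the 'DHCP pool range is limited to 32 addresses' warning
        if (size := int(hi) - int(lo) + 1) > DHCP_POOL_LIMIT:
            findings.append(f"dhcpd: pool {lo}-{hi} has {size} addresses, limit is {DHCP_POOL_LIMIT}")
    return findings
```

"http 0 0 inside" clears the http check too, but it permits ASDM from any source address on the inside; once the inside subnet is settled, "http 192.168.2.0 255.255.255.0 inside" is the narrower form.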

Hello Frank,

That is something great to hear.

Have a wonderful day,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC