02-16-2012 11:30 AM - edited 03-07-2019 04:59 AM
ISSUE: Can't ping the gateway of other VLANs, which is causing a problem getting DHCP from Active Directory.
I have a straightforward config in my test lab. I have an ASA5520 (3 VLANs) and a Cisco layer-2 switch. I have a total of 3 VLANs:
Vlan0010 - 10.10.10.1 (gateway)
Vlan0020 - 10.10.20.1 (gateway)
Vlan0030 - 10.10.30.1 (gateway)
Vlan 30 can ping other machines in the test lab through Vlan 20 and Vlan 10. When I give a machine a static address, I can authenticate to my Active Directory DC regardless of the VLAN. When I remove the static address and attempt to connect via DHCP, it fails. All the subnets are configured accordingly, but the PCs in vlan0020 and vlan0010 do not get an address. I cannot ping the gateways of other VLANs, but I can ping the machines within the VLANs. I can, however, get a DHCP address from machines inside VLAN30.
I have created the IP helper command on the VLANs on the switch (ip helper-address 10.10.30.2), and have added the dhcprelay server 10.10.30.2 vlan0030 command on the ASA.
I need to be able to communicate with the gateways so I can get DHCP from machines outside the VLAN my Active Directory DC resides in.
Vlan0030 - DHCP server, machines on this VLAN get DHCP, can't ping gateway of Vlan0020 or Vlan0010
Vlan0020 - These machines can't get a DHCP address or ping the Vlan0030 gateway. Can ping machines in different VLANs.
Vlan0010 - These machines can't get a DHCP address or ping the Vlan0030 gateway. Can ping machines in different VLANs.
ASA Config provided below.
02-16-2012 12:18 PM
I have created the IP helper command on the VLan's on the switch (ip helper-address 10.10.30.2)
If this switch is layer-2 only then you don't need the IP helper address command.
Also, can you add "dhcprelay enable inside" to the firewall and test again?
HTH
02-16-2012 12:56 PM
Reza_Sharifi
Thanks for the reply. I checked the ASA, and I do not have the option for 'inside'. When I run the command dhcprelay enable ... I have these options:
Management
Outside
VLAN0010
VLAN0020
VLAN0030
02-16-2012 02:59 PM
Sounds like your trunking setup is incorrect or not working correctly between the FW and the switch. Maybe post the relevant parts of the FW and switch configs for the port between them.
02-17-2012 05:29 AM
glen.grant
I probably should have added that in the first place. I have listed both (what I think are) relevant areas of the switch and firewall. If you need to take a look at the entire ASA config, I attached that with my initial posting.
Switch
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 20
!
interface FastEthernet0/4
switchport access vlan 10
!
interface FastEthernet0/5
switchport access vlan 10
!
interface FastEthernet0/6
!
interface FastEthernet0/7
switchport access vlan 10
!
interface FastEthernet0/8
!
interface FastEthernet0/9
switchport access vlan 30
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport access vlan 30
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN10
ip helper-address 10.10.30.2
no ip directed-broadcast
no ip route-cache
!
interface VLAN20
ip helper-address 10.10.30.2
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN30
ip helper-address 10.10.30.2
no ip directed-broadcast
no ip route-cache
shutdown
ASA
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
shutdown
nameif outside
security-level 0
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.10
vlan 10
nameif vlan0010
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
vlan 20
nameif vlan0020
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2.30
vlan 30
nameif vlan0030
security-level 100
ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list capin extended permit ip any 10.10.20.0 255.255.255.0
access-list capin extended permit ip 10.10.20.0 255.255.255.0 any
access-list capin extended permit ip any 10.10.10.0 255.255.255.0
access-list capin extended permit ip 10.10.10.0 255.255.255.0 any
access-list capin extended permit ip 10.10.30.0 255.255.255.0 any
access-list capin extended permit ip any 10.10.30.0 255.255.255.0
access-list permit extended permit icmp interface vlan0030 any
access-list permit extended permit icmp interface vlan0010 any
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcprelay server 10.10.30.2 vlan0030
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
02-22-2012 07:46 AM
OK. This was resolved. For anyone that has a similar issue, the problem had nothing to do with the switch. I missed a necessary step on the ASA. I did have part of the command but overlooked the rest of it.
dhcprelay server 10.10.30.2 vlan0030
From the config listed in my earlier post, you can see I added the dhcprelay command already. What I didn't do was add the enable command. Below are commands that needed to be run. You need to enable the command for every vlan on your network that requires DHCP from your Windows network.
dhcprelay server 10.10.30.2 vlan0030
dhcprelay enable vlan0010
dhcprelay enable vlan0020
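As an added example (not from the thread or from Cisco), the following script reads an ASA-style config and reports which named interfaces have no "dhcprelay enable", which is exactly the step that was missed above; the embedded sample config is constructed from the pre-fix interface and dhcprelay lines posted earlier, and the function and variable names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant pre-fix lines of the ASA 8.2(5) config from
# the thread (dhcprelay server present, no dhcprelay enable on client VLANs).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2.10
 vlan 10
 nameif vlan0010
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif vlan0020
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2.30
 vlan 30
 nameif vlan0030
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
dhcprelay server 10.10.30.2 vlan0030
dhcprelay timeout 90
"""


def audit_dhcprelay(config: str) -> Dict[str, List[str]]:
    """Find named interfaces that lack 'dhcprelay enable'.

    The interface the relay server sits behind does not need the enable;
    every other named interface carrying DHCP clients does.
    """
    nameifs = re.findall(r"^\s*nameif\s+(\S+)", config, re.M)
    servers = re.findall(r"^\s*dhcprelay server\s+(\S+)\s+(\S+)", config, re.M)
    enabled = set(re.findall(r"^\s*dhcprelay enable\s+(\S+)", config, re.M))
    server_ifaces = {iface for _, iface in servers}
    missing = [n for n in nameifs if n not in server_ifaces and n not in enabled]
    return {"missing_enable": missing,
            "server_ifaces": sorted(server_ifaces),
            "servers": [ip for ip, _ in servers]}


def fix_commands(report: Dict[str, List[str]]) -> List[str]:
    """Emit the 'dhcprelay enable' lines the audit says are missing."""
    return [f"dhcprelay enable {iface}" for iface in report["missing_enable"]]
```

On the full config the check will also list interfaces such as "outside" and "management"; only the interfaces that actually serve DHCP clients need the enable, so read the report rather than applying it blindly.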