06-04-2014 02:57 PM - edited 02-21-2020 07:40 PM
I have an ASA 5505 connected to another ASA in the main site. The IPsec VPN is established, and on the remote client side I can use a static IP address in that subnet and browse the web and access and ping (with reply) the main site on the inside.
However, I cannot receive any IP from DHCP although it is enabled on the ASA 5505. If I put in a static IP all is well, but that isn't realistic. Here's the config on the 5505. Thanks.
ASA Version 9.1(4)
!
hostname ASA5505
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
description Access Point
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.25.40.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 15.15.15.35 255.255.255.0
!
boot system disk0:/asa914-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.25.40.0_24
subnet 10.25.40.0 255.255.255.0
object network 10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network 10.1.0.0
subnet 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.25.40.0 255.255.255.0 any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip 10.25.40.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.25.40.0_24 NETWORK_OBJ_10.25.40.0_24 destination static 10.1.0.0 10.1.0.0 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 15.15.15.3. 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.0.0 255.255.255.0 inside
http 10.1.11.0 255.255.255.0 inside
http 10.25.40.0 255.255.255.0 inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 15.15.15.3.250
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
management-access inside
vpnclient server 15.15.15.3.250
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup L2TUN password
vpnclient username L2LVPN password
dhcpd auto_config outside
!
dhcprelay server 10.1.0.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_15.15.15.3. internal
group-policy GroupPolicy_15.15.15.3. attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 15.15.15.3. type ipsec-l2l
tunnel-group 15.15.15.3. ipsec-attributes
ikev1 pre-shared-key
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect scansafe https-pmap
parameters
default group httpstraffic
https
policy-map global_policy
description cws-http-class
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
policy-map type inspect scansafe cws_https-pmap
parameters
default group httpstraffic
https
policy-map type inspect scansafe cws_http_pmap
parameters
default group httptraffic
http
policy-map type inspect scansafe http-pmap
parameters
default group httptraffic
http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
06-04-2014 04:09 PM
I haven't had to do this myself but a post elsewhere on this site (link) describes how one can make it work.
Unfortunately you need to static 1-1 NAT for your local site's outside address but in your case that interface is itself DHCP-addressed.
Another alternative would be to run a DHCP server on the 5505 itself vs. relaying back to your main DHCP server.
06-04-2014 05:23 PM
Thanks for the reply. How do you see the outside interface as a DHCP-addressed interface? It's set as static - 15.15.15.35, unless I'm looking at it wrong?
06-04-2014 10:45 PM
Ah sorry - my mistake on that bit. You're right. I was incorrectly reading the "dhcpd auto_config outside" statement.
In that case you should be able to follow the guidelines in the linked document.
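As an added illustration (not from the thread or from Cisco's documentation) of why the relay to 10.1.0.1 fails here: the ASA sources the relayed DHCP packet from the address of the interface facing the server (the outside interface, 15.15.15.35), and the crypto ACL outside_cryptomap only covers 10.25.40.0/24, so that flow never matches the crypto map and is routed out the default route instead of the tunnel. The script below audits a constructed excerpt of the posted config for exactly that gap; FIXED_CONFIG adds an assumed 5505-side ACE for the relay flow, which in practice also needs the peer's crypto ACL mirrored and a NAT exemption for the same flow.

```python
import ipaddress
import re
# Constructed excerpt of the 5505 config posted above (only what the check needs).
ASA_CONFIG = """
interface Vlan2
 nameif outside
 ip address 15.15.15.35 255.255.255.0
access-list outside_cryptomap extended permit ip 10.25.40.0 255.255.255.0 any
crypto map outside_map 1 match address outside_cryptomap
dhcprelay server 10.1.0.1 outside
"""
# Assumed 5505-side remediation: an ACE for the relay flow itself (the peer's
# crypto ACL must mirror it, and the flow must also be exempt from NAT).
FIXED_CONFIG = ASA_CONFIG + (
    "access-list outside_cryptomap extended permit ip host 15.15.15.35 host 10.1.0.1\n")

def _addr(tokens):
    """Consume one ACL address spec (any | host X | X MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Interface IP per nameif, 'permit ip' ACEs per ACL, crypto-map ACL names, relay servers."""
    iface_ip, acls, crypto_acls, relays, nameif = {}, {}, set(), [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            iface_ip[nameif] = ipaddress.ip_address(line.split()[2])
        elif (m := re.match(r"access-list (\S+) extended permit ip (.+)", line)):
            src, rest = _addr(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, _addr(rest)[0]))
        elif (m := re.match(r"crypto map \S+ \d+ match address (\S+)", line)):
            crypto_acls.add(m.group(1))
        elif (m := re.match(r"dhcprelay server (\S+) (\S+)", line)):
            relays.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return iface_ip, acls, crypto_acls, relays

def relay_flows_tunneled(text):
    """Per dhcprelay server: (relay source IP, server, matched by a crypto ACL?).
    The relay packet is sourced from the egress interface's own address; with no
    matching crypto ACE it follows the default route instead of the tunnel."""
    iface_ip, acls, crypto_acls, relays = parse_config(text)
    return [(str(iface_ip[egress]), str(server),
             any(iface_ip[egress] in s and server in d
                 for name in crypto_acls for s, d in acls.get(name, [])))
            for server, egress in relays]
```

Running relay_flows_tunneled on ASA_CONFIG reports the 15.15.15.35 -> 10.1.0.1 flow as not tunneled; on FIXED_CONFIG the same flow is covered.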