I have a 2621 with a WIC-1ADSL that connects to my ISP. Since the 2621 has 2 Ethernet ports, I wanted to set up a network on the second Ethernet port for testing things such as VPN into my network via my ASA5505. I have a DHCP pool set on the particular network but cannot get a client to get an address from the router. I think I might have an ACL that is blocking, or need an ACL to allow bootp on the interface. Here is the config:
Current configuration : 4144 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname r01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 SECRET
enable password 7 password
!
clock timezone Central -6
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authorization commands 15 default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip options drop
ip cef
ip cef accounting per-prefix non-recursive prefix-length
!
!
ip dhcp excluded-address 10.1.100.1 10.1.100.3
!
ip dhcp pool DHCP_POOL
 network 10.1.100.0 255.255.255.0
 default-router 10.1.100.1
 dns-server 22.214.171.124 126.96.36.199
!
ip audit po max-events 100
vpdn enable
!
username XXXXX password 7 password
!
ip tcp selective-ack
ip tcp mss 536
ip tcp window-size 5360
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface ATM0/0
 ! [connected to phone line]
 description Physical DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/XX
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0/0
 ! [connected to outside interface of ASA5505]
 description Frontier Communication Static IP
 ip address aa.bb.cc.dd 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 hold-queue 100 out
!
interface FastEthernet0/1
 description Intermediate DMZ
 ip address 10.1.101.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no cdp enable
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username username password 7 password
!
ip nat inside source list 101 interface Dialer1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
logging trap debugging
logging facility local2
access-list 101 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
!
When I try to get an IP address from a client, I never receive one. But when I issue dhcp server statistics, I can see packets hitting the interface:
Sorry, just wanted to specify that I have everything on the inside of the ASA setup. The configuration would look like:
2621 --- Test network (10.1.100.x)
All I want the 2621 to do is hand out DHCP to the 10.1.100.x network. Its address is 10.1.100.1, there is a WAP200 at 10.1.100.3 and a PC for testing on 10.1.100.2. The WAP200 does not do DHCP, so I am reliant on the 2621 and thus the exclusion command for the IP pool for my devices.
I removed ACL 101 and the nat statement and issued the ACL 2 commands as you stated. It still does not work. I have removed the ACL 2 now also to see if it works without anything, just free and open, and it still does not work.
I can only telnet or ssh into the 2621 so not sure if the debug commands will show me anything.
I did get it to work now. Overlooked the fact that my dhcp pool was network 10.1.100.0 and it needed to be 10.1.101.0. Then the router started handing out IPs but not routing/NAT to the internet or internal networks. I added:
access-list 100 permit ip 10.1.101.0 0.0.0.255 any
ip nat inside source list 100 interface dialer1 overload
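Both mistakes the thread turned up (a DHCP pool whose network is not on any connected interface, and a NAT ACL that only matches bootpc so nothing else is translated) can be caught by reading the running-config before touching a client. The script below is an added example, not code from the original post; it parses a constructed config that mirrors the poster's, with the redacted static IP aa.bb.cc.dd replaced by the documentation address 198.51.100.2 (an assumption), and reports pools and 'ip nat inside' interfaces that cannot work as written.

```python
"""Sanity checks on a Cisco IOS running-config for two mistakes seen in the thread:
a DHCP pool with no directly connected interface, and an 'ip nat inside' interface
whose subnet no referenced NAT ACL permits for protocol ip.

Added example; not from the original post. SAMPLE_CONFIG is constructed to mirror
the poster's config; 198.51.100.2 stands in for the redacted aa.bb.cc.dd (assumption).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.1.100.1 10.1.100.3
!
ip dhcp pool DHCP_POOL
 network 10.1.100.0 255.255.255.0
 default-router 10.1.100.1
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 description Intermediate DMZ
 ip address 10.1.101.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit udp any any eq bootpc
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (0 bits = must match) -> network; avoids ipaddress guessing hostmask vs netmask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def acl_source(tokens):
    """Parse an ACL address spec ('any', 'host A', or 'A WILDCARD') at tokens[0]."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32")
    return wildcard_to_network(tokens[0], tokens[1])


def parse_config(text):
    """Extract interfaces, DHCP pools, NAT inside ACL references and ACL permits."""
    cfg = {"interfaces": {}, "pools": {}, "nat_lists": set(), "acls": {}}
    block = None  # ("interface", name) or ("pool", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            block = None
            continue
        t = line.split()
        if not line.startswith(" "):  # top-level command
            block = None
            if t[0] == "interface":
                block = ("interface", t[1])
                cfg["interfaces"][t[1]] = {"address": None, "network": None, "nat_inside": False}
            elif t[:3] == ["ip", "dhcp", "pool"]:
                block = ("pool", t[3])
            elif t[:4] == ["ip", "nat", "inside", "source"] and len(t) > 5 and t[4] == "list":
                cfg["nat_lists"].add(t[5])
            elif t[0] == "access-list" and len(t) > 3 and t[2] == "permit":
                entries = cfg["acls"].setdefault(t[1], [])
                if re.fullmatch(IPV4, t[3]) or t[3] in ("any", "host"):
                    src = t[3:]  # standard ACL: protocol is implicitly ip
                    if len(src) == 1 and src[0] != "any":
                        src.append("0.0.0.0")  # bare address means exact host
                    entries.append(("ip", acl_source(src)))
                else:
                    entries.append((t[3], acl_source(t[4:])))  # extended: permit <proto> <src> ...
            continue
        if block and block[0] == "interface":
            iface = cfg["interfaces"][block[1]]
            if t[:2] == ["ip", "address"] and len(t) >= 4 and re.fullmatch(IPV4, t[2]):
                iface["address"] = ipaddress.IPv4Address(t[2])
                iface["network"] = ipaddress.IPv4Network((t[2], t[3]), strict=False)
            elif t == ["ip", "nat", "inside"]:
                iface["nat_inside"] = True
        elif block and block[0] == "pool" and t[0] == "network":
            cfg["pools"][block[1]] = ipaddress.IPv4Network((t[1], t[2]), strict=False)
    return cfg


def pools_without_connected_interface(cfg):
    """IOS picks the pool containing the address of the interface that received the
    DISCOVER, so a pool holding no interface address never leases anything."""
    addrs = [i["address"] for i in cfg["interfaces"].values() if i["address"]]
    return [(name, str(net)) for name, net in sorted(cfg["pools"].items())
            if not any(a in net for a in addrs)]


def nat_inside_subnets_not_translated(cfg):
    """'ip nat inside' interfaces whose subnet no referenced NAT ACL permits for
    protocol ip; a udp-only permit such as 'eq bootpc' does not count."""
    permitted = [net for acl in cfg["nat_lists"] for proto, net in cfg["acls"].get(acl, [])
                 if proto == "ip"]
    return [(name, str(i["network"])) for name, i in sorted(cfg["interfaces"].items())
            if i["nat_inside"] and i["network"] is not None
            and not any(i["network"].subnet_of(p) for p in permitted)]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name, net in pools_without_connected_interface(cfg):
        print(f"DHCP pool {name} ({net}) is on no connected interface")
    for name, net in nat_inside_subnets_not_translated(cfg):
        print(f"{name} ({net}) is 'ip nat inside' but no NAT ACL permits ip from it")
```

Run against the sample it flags DHCP_POOL (10.1.100.0/24 while Fa0/1 sits on 10.1.101.0/24) and both inside interfaces (ACL 101 only permits udp to bootpc); with the pool corrected and a standard ACL permitting both inside subnets, as suggested later in the thread, it reports nothing.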
ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit udp any any eq bootpc
This will only NAT DHCP replies and nothing else, but you don't have an inside DHCP server allocating addresses to the outside world, so if you want clients to go on the internet you should change this ACL 101 and just put a standard ACL:
access-list 2 permit 10.1.101.0 0.0.0.255
access-list 2 permit aa.bb.cc.xx 0.0.0.3
Now concerning the DHCP addresses problem, your clients are on the inside interface of the ASA?
So can you provide the ASA config as well as the output from these 2 on the router: