Solved

Cisco PIX 501 DHCP Client problems

Posted on 2004-09-21
Last Modified: 2008-01-09
I'm trying to set up a PIX 501 (running pix os ver 6.3) as the firewall on my home network (dynamic ip cable modem with comcast).  

My problem is that the PIX DHCP client is unable to obtain an ip address from the comcast servers.

Some details:
- My linksys wireless 802.11b/4 port ethernet router is able to obtain DHCP information from comcast with no difficulty
- When I plug the PIX into the above router it has no difficulty obtaining DHCP information
- The PIX is set up in the default factory configuration (I've only changed the name (to fw-GS) and installed/configured PDM ver 3.0)

I tried getting help from comcast and they couldn't/wouldn't help much other than to say that:
"The only ports that may be actively blocked on the Comcast network are 67, 68, 137, 138, 139, 512, 520, and 1080"
It doesn't seem like that would matter but I don't know.

I've run some debugging; the info is attached here (the debug info for the firewall obtaining an ip from comcast's servers is a bit messy and possibly incomplete, let me know if you need any additional info):

Working Router Debug info:
This is the debug info from when the firewall was trying to obtain an ip address from my router (router ip address 10.10.10.220)

w-GS(config)# debug dhcpc packet                                
fw-GS(config)# ip address outside dhcp                                      
DHCP: delete ip lease for interface outside                                          

DHCP: deleting entry a93874 10.10.10.102 from list                                                  
Temp IP addr: 10.10.10.102  for peer on Interface: outside                                                          
Temp  sub net mask: 255.255.255.0                                
   DHCP Lease server: 10.10.10.220, state: 3 Bound      
ssh timeout 5 IP addr: 0.0                
   DHCP transaction id: 0xDB8431ace: unknow                    
   Lease: 604800 secs,  Renewal: 302400 secs,  Rebind: 529200 secs                                    
global (outside) 1 int      
   Temp default-gateway addr: 10.10.10.220er att                              
dhc
   Next timer fires after: 227712 seconds                                        
   Retry count: 0   Client-ID: cisco-000d.bda1.8a9d-outsideore --->              
   DHCP Le          
DHCP: SDiscover: sending 272 byte length DHCP packet
DHCP: SDiscover 272 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.10.10.220, fport=67
DHCP: Received a BOOTREP pkt
DHCP: offer received from 10.10.10.220
DHCP: SRequest attempt # 1 for entry:
DHCP: SRequest- Server ID option: 10.10.10.220
DHCP: SRequest- Requested IP addr option: 10.10.10.102
DHCP: SRequest placed lease len option: 604800
DHCP: SRequest: 290 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0dhcp client discover already in progress

DHCP client msg received, fip=10.10.10.220, fport=67
DHCP: Received a BOOTREP pkt
DHCP Proxy Client Pooling: ***Allocated IP address: 10.10.10.102....dhcp client discover already in progress
dhcp client discover already in progress

DHCP: allocate request
Allocated IP address = 10.10.10.102,  netmask = 255.255.255.0, gateway = 10.10.10.220




Not working comcast server debug info:
This is a section of the debug info from when the firewall was trying to obtain an ip address from the comcast servers.

When I plug my router into the modem instead of the pix, it has no problems obtaining DHCP information.
The ip address for the comcast servers is (I'm going from memory, if you want the exact address let me know) 67.xxx.xxx.xxx
 
DHCP: QScan: Purgin
DHCP: zapping entry in DHC_PURGING state for outsidey aa7174 0.0.0.0 from l
   DHCP Lease server: 0.0.0.
DHCP: new entry. add to queuedr: 0.0.0.0  for peer on Inte
DHCP: SDiscover attempt # 1 for entry:41844F: QScan: Timed out Sel
Temp  sub
DHCP: SDiscover: sending 272 byte length DHCP packet Lease server: 0.0.0.0, state: 8 Purgingt addr: exi

DHCP: SDiscover 272 bytes 2 seconds   DHCP transac
DHCP Broadcast to 255.255.255.255 from 0.0.0.0t-ID: cisco-000d.bda1.8a9d-outside secs,  Rebi
DHCP client msg received, fip=10.138.128.1, fport=67: SDiscover: sending 272 byte length DHCP packet   R
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x5C76374cover 272 bytesreceived, fip=10.138.128.
DHCP Broadcast to
DHCP client msg received, fip=10.138.128.1, fport=67eceived a BOOTREP pkt
DHCP client msg received, fip
 
DHCP: SDiscover attempt # 2 for entry: 0.0.0.0, state: 1 Selecting Lease: 0
DHCP: SDiscover: sending 272 byte length DHCP packetaction id: 0x341844Fnt-ID: 0x9e6efc..
   Next timer
DHCP: SDiscover 272 bytesal: 0 secs,  Rebind: 0 se
DHCP Broadcast to 255.255.255.255 from 0.0.0.00d.bda
   Next timer fires after: 2 secondsot
DHCP client msg received, fip=10.138.128.1, fport=67 Client-ID: cisco-000d.bda1.8a9d-outsidemmand failed
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x26077DE6over: sending 272 byte length DHCP packetto 255.255.255.255
DHCP client msg received, fip=10.138.128.1, fport=672 bytesDHCP client msg received,
DHCP Broadcast to 2
DHCP client msg received, fip=10.138.128.1, fport=67
Temp IP addr: 0.0.0.0  fo

Temp IP addr: 0.0.0.0  f
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x62FF3E5E  sub net mask: 0
   N
Temp  sub net mask: 0.0.0.0ondsDHCP
DHCP: allocate requestHCP Lease server: 0.0.
DHCP: zapping entry in DHC_PURGING state for outside transaction id: 0x
   DHCP transaction id: 0x341C53
DHCP: new entry. add to queue byt
   Lease: 0 secs,  Renew
DHCP: SDiscover attempt # 1 for entry:6      
DHCP: SDiscover 272 bytesfter
DHCP: SDiscover: sending 272 byte l to 255.25
                     
   DHCP Lea
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secsface: outside seconds8.
   Retr
   DHCP transaction
   No timer running  sub net mask: 0.0
   Retry count: 0   Client-ID:
   DHCP Lease server: 0.0.0.0

DHCP: SDiscover attempt # 3 for entry:er: sendin
   No timer runnin
   DHCP
DHCP: SDiscover: sending 272 byte length DHCP packet
DHCP
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0
DHCP: SDiscover 272 bytes255.255 from 0.0.0.0: QSc
DHCP Broadcast to 255.255.255.255 from 0.0.0.0 pkt Not for us..:  xid: 0xB726
   Retry count
DHCP: allocate request000d.bda1.8a9d-outside
DHCP: zapping entry in DHC_PURGING state for outsideocate

DHCP: SDiscover: sending 272 byte length DHC
DHCP: new entry. add to queueccan: Timed out Selecting sta
DHCP: SDiscover attempt # 1 for entry: in DHC_PURGI
DHCP Broadcast to 255.25
DHCP: SDiscover: sending 272 byte length DHCP packet new entry. add to queueting
DHCP: SDiscover attemp
DHCP: SDiscover 27e                
Temp  sub net mask: 0
DHCP: QScan: Timed o
   DHCP transaction id: 0x344C284 0.0.0.0, state: 1 Sel
DHCP: allo
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secsisting ip lease str = 0xaac52c0x5E6F78E6....
DH
DH
   No timer running secs,
DHCP: zappin
   Retry count: 0   Client-ID:r outsideed, fip=10.138.128.1,

DHCP: SDiscover attempt # 3 for entry:w entry. add to queue
DHCP: Received a
DHCP: SDiscover: sending 272 byte length DHCP packet.8a9d-outside Selecting st
DHCP: SDiscover attempt #
DHCP: SDiscover 272 bytes: SDiscover: sending 272
DHCP client msg received, fip=10.138.128.1, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x88DE3067
DHCP client msg received, fip=10.138.128.1, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x88DE3067
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover: sending 272 byte length DHCP packet
DHCP: SDiscover 272 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.138.128.1, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xA13D027En
DHCP client msg received, fip=10.138.128.1, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xA13D027Eo debug
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover: sending 272 byte length DHCP packet
DHCP: SDiscover 272 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0dhcpc
DHCP: allocate request
DHCP: zapping entry in DHC_PURGING state for outside
DHCP: new entry. add to queue
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover: sending 272 byte length DHCP packet
DHCP: SDiscover 272 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0packet


Thank you in advance!
Question by:gurusimran
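A small triage script, added here as an example (it is not part of the original post or of the PIX software), that parses lines in the format of the "debug dhcpc packet" output quoted above and tells a bound lease apart from the failing pattern in the second capture, where a server at fip=10.138.128.1 keeps replying but every BOOTREP is discarded as "Not for us" because its xid is not the transaction id the PIX sent. The two sample captures are constructed and abridged from the formats shown; the verdict strings are the script's own heuristics.

```python
import re

# Constructed sample lines in the format of the PIX 'debug dhcpc packet'
# output quoted in the question (abridged, not the poster's full capture).
WORKING_LOG = """\
   DHCP transaction id: 0xDB8431
DHCP client msg received, fip=10.10.10.220, fport=67
DHCP: offer received from 10.10.10.220
Allocated IP address = 10.10.10.102,  netmask = 255.255.255.0, gateway = 10.10.10.220
"""
FAILING_LOG = """\
   DHCP transaction id: 0x341844F
DHCP client msg received, fip=10.138.128.1, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x5C76374
DHCP client msg received, fip=10.138.128.1, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0x26077DE6
DHCP: zapping entry in DHC_PURGING state for outside
"""

PATTERNS = {  # one regex per debug event the triage looks at
    "our_xid": re.compile(r"DHCP transaction id: (0x[0-9A-Fa-f]+)"),
    "foreign_xid": re.compile(r"Not for us\.\.:\s+xid: (0x[0-9A-Fa-f]+)"),
    "server": re.compile(r"fip=(\d+\.\d+\.\d+\.\d+), fport=67"),
    "offer": re.compile(r"offer received from (\d+\.\d+\.\d+\.\d+)"),
    "bound": re.compile(r"Allocated IP address = (\d+\.\d+\.\d+\.\d+)"),
}

def triage(log):
    """Summarise a dhcpc debug capture and give a one-line verdict."""
    seen = {key: [] for key in PATTERNS}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                seen[key].append(m.group(1).lower())
    result = {
        "servers": sorted(set(seen["server"])),
        "bound_ip": seen["bound"][0] if seen["bound"] else None,
        # replies the PIX discarded because their xid was not the one it sent
        "foreign_replies": len(seen["foreign_xid"]),
    }
    if result["bound_ip"]:
        result["verdict"] = "bound"
    elif not result["servers"]:
        result["verdict"] = "no server replies reached the outside interface"
    elif seen["offer"]:
        result["verdict"] = "offer received but lease never bound"
    else:
        result["verdict"] = "server replying, but no reply carried our xid"
    return result
```

Run triage() over a full capture taken with "debug dhcpc packet"; a "server replying, but no reply carried our xid" verdict means the DISCOVER is reaching a relay but the offers on the wire belong to other clients, which points at the upstream side (as the MAC-caching suggestion below) rather than at blocked ports.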
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12115068
I think you're trying to put a square peg in a round hole here. I'll try to explain:

You should have EITHER:
 Cable Modem --->PIX---> LAN
or
  Cable Modem --->Linksys router---> LAN

Assuming that you want the PIX to take the place of the Linksys router, and ALSO use the wireless features of the Linksys...
On the Linksys, turn OFF DHCP. Plug a LAN port of the Linksys into a LAN port of the PIX (use the uplink port on the Linksys, or a crossover cable). You won't need both the LAN and WAN ports of the Linksys router. Assign its LAN port an IP address that is on the same subnet as your inside interface of the PIX (192.168.1.1 should be the PIX; use 192.168.1.2 for the Linksys). This will let you still get access to the web configuration page of the Linksys, it will pass through the DHCP requests for wireless clients, and the PIX will be the DHCP server...

Piece of cake!

I have the exact same setup right here, only I have PIX 515, Linksys WRV54G wireless, and Motorola cable modem...


LVL 11

Expert Comment

by:PennGwyn
ID: 12115080
Probably Comcast's system has learned your router's MAC address, and doesn't want to serve your PIX because it doesn't match. I'm not sure whether your PIX supports setting its outside MAC address to match the router.


Author Comment

by:gurusimran
ID: 12115154
My problem is with my PIX obtaining (as a DHCP client) an IP address from comcast (cable modem) when I set it up like this:

Cable Modem --->PIX---> LAN

The PIX has no problem being a DHCP server and giving IP addresses to the computers on my network.
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12115311
Then, it may be as PennGwyn suggests, that Comcast's system is holding the MAC address of your router.
You may have to call them and give them a new MAC address, or -- power off the modem for about 5 minutes, hook up the PIX and let it boot up, then power up the modem and then see if it gets an IP address..


Author Comment

by:gurusimran
ID: 12115483
I'll give that a try and let you know.  Thanks!
LVL 5

Expert Comment

by:Dragonmen
ID: 12116346
Could also be that you have MAC address blocking, in which case you need to tell the PIX to use the same MAC as the router.

Author Comment

by:gurusimran
ID: 12118728
Thanks for all of your help.  All I had to do was unplug the cable modem for 5 mins and plug it back in and everything works great now.  I love it when the simple solution works.

Thank you!!!!!!!