
Cisco PIX501 DHCP Problems

We are using a Cisco PIX501 in a 30+ user environment with SBS2003.

SBS2003 is the DNS server and the PIX is the DHCP server.

The problem we're having, which started about a week ago, is that when a client computer gets its address through DHCP it cannot ping the internal IP of the PIX and therefore cannot access the internet. The settings they get via the DHCP server are all set ok.

What I've noticed:
If I manually assign the IP address to the computer using the same address I've gotten via DHCP, the problem is still there. If I assign a static address that's not the same and quite a bit higher (but still within the DHCP pool) then I can ping the PIX and get WAN connection fine.

I.e., 192.168.1.68 won't work but 192.168.1.98 will work, and the DHCP pool is 192.168.1.10 - 192.168.1.100.

Any ideas? Nothing inside the PIX looked unusual (logs, firewall settings, etc.)... I did unplug the PIX to reboot as well as refreshed config settings.
Asked by: Tercestisi

2 Solutions
patrickrw commented:
Can you post the running config for the PIX 501? I've got the same PIX device and never had any problems. I believe though that the PIX can only issue 50 DHCP addresses (maybe that was an earlier version of the firmware, but I think mine would only give out 50 DHCP addresses).

Here's a couple of things to check:
Are there any access points or wireless routers that could be handing out DHCP and screwing up your DHCP from the PIX? I've had this happen before, especially when using cheap Linksys wireless routers; a power outage has reset some of them before and they would end up giving out DHCP.

Also might want to look into allowing SBS '03 to give out DHCP instead of the PIX. Sometimes that's easier to configure, especially if you don't have Cisco config experience. Really depends on your skill level.

Also could be a subnetting problem. Unlikely, but make sure the IP addresses are in the correct subnet and there isn't some weird subnetting going on.
Kutyi commented:
I would move your DHCP to the server and remove it from the PIX. SBS DHCP offers you more options for DHCP and helps to better integrate with DNS on the server. It will take less than 15 minutes to implement and I am sure you will be happy you did.
Tercestisi (Author) commented:
Thanks for the insights guys.

I am admittedly a little green in the Cisco arena, VPN IPSec policies specifically.

I see from looking in the PIX that there is an IPSec rule that is likely causing the problem (from the GUI):
#1 protect 10.1.1.0/24   10.1.2.64/27 ip inside:dynamic-20
#1 protect outside:any  10.1.2.64/27 ip inside:dynamic-20

The 10.1.1.0/24 is the remote office network and the 10.1.2.64/27 addresses are on our network and are part of the 10.1.2.10 - 10.1.2.100 DHCP address pool.

Those internal addresses in the IPSec rules show a range of 10.1.2.65 - 10.1.2.94, which happens to be the addresses that do not work if assigned via DHCP. Can someone explain what these rules mean, and what IPSec rules in general mean? I Googled but didn't find much that really explains what is going on here.
Tercestisi (Author) commented:
Oh, and I will take into strong consideration moving the DHCP server role to SBS '03.

I'm just curious as to what those rules mean?  A previous admin set those up with a sister company and I'm not familiar enough with site-to-site IPSec protected VPN tunnels.
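As an added example (not from the thread, and not Cisco's own tooling), the script below takes the two "protect" rules exactly as quoted above, assumes the inside LAN is 10.1.2.0/24 (a mask the thread never states), and reports which DHCP-pool addresses fall inside the VPN-protected local network and which pool ranges avoid it. A "protect" entry is the crypto ACL that selects traffic between the two networks for the site-to-site tunnel; the 10.1.2.64/27 block spans 10.1.2.64 through 10.1.2.95 (the GUI lists only the 30 usable hosts .65 to .94), which is the same block the author found not working when handed out by DHCP.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed from the thread: the IPsec "protect" rules as shown in the PIX
# GUI, the assumed inside LAN mask, and the PIX DHCP pool.
RULES_TEXT = """#1 protect 10.1.1.0/24   10.1.2.64/27 ip inside:dynamic-20
#1 protect outside:any  10.1.2.64/27 ip inside:dynamic-20"""
INSIDE_LAN = "10.1.2.0/24"             # assumption: /24 inside network
DHCP_POOL = ("10.1.2.10", "10.1.2.100")

CIDR = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")

def local_protected_nets(rules: str, lan: str) -> List[ipaddress.IPv4Network]:
    """Networks named in the protect rules that lie inside our own LAN."""
    lan_net = ipaddress.IPv4Network(lan)
    found = {ipaddress.IPv4Network(m) for m in CIDR.findall(rules)}
    return sorted(n for n in found if n.subnet_of(lan_net))

def pool_hosts(start: str, end: str) -> List[ipaddress.IPv4Address]:
    """Every address in an inclusive DHCP pool range."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [ipaddress.IPv4Address(i) for i in range(a, b + 1)]

def affected_addresses(pool, nets) -> List[str]:
    """Pool addresses inside a protected local net (the crypto ACL matches
    their traffic to the remote site, so they are tied to the tunnel)."""
    return [str(h) for h in pool_hosts(*pool) if any(h in n for n in nets)]

def safe_ranges(pool, nets) -> List[Tuple[str, str]]:
    """Contiguous sub-ranges of the pool that avoid every protected network."""
    ranges, run_start, prev = [], None, None
    for h in pool_hosts(*pool):
        inside = any(h in n for n in nets)
        if inside and run_start is not None:
            ranges.append((str(run_start), str(prev)))   # close the open run
            run_start = None
        elif not inside and run_start is None:
            run_start = h                                # start a new run
        prev = h
    if run_start is not None:
        ranges.append((str(run_start), str(prev)))
    return ranges

if __name__ == "__main__":
    nets = local_protected_nets(RULES_TEXT, INSIDE_LAN)
    print("protected local nets:", [str(n) for n in nets])
    hit = affected_addresses(DHCP_POOL, nets)
    print(f"{len(hit)} pool addresses fall inside them: {hit[0]} - {hit[-1]}")
    print("pool ranges that avoid them:", safe_ranges(DHCP_POOL, nets))
```

Whether the pool can be split into both reported ranges or must be shrunk to the first one depends on the DHCP server that ends up serving the LAN; the script only shows which addresses collide with the crypto ACL.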
