dcl1soft asked:

ASA5505 as a DHCP Server

My ASA5505 router (8.2 CLI) appears to be assigning IP addresses to external clients, per the logging message below.

6      Aug 05 2011      01:11:57      6-604103                              DHCP daemon interface inside:  address granted 0100.26bb.0762.f2 (192.168.1.67).

The Cisco explanation is as follows:
%ASA-6-604103: DHCP daemon interface interface_name: address granted
MAC_address (IP_address)
The adaptive security appliance DHCP server granted an IP address to an external client.

I do a show run dhcpd and see the following. I am concerned that this behavior would allow those external clients access to my network. What would cause this? Shouldn't I be concerned?

xxxxxasa(config)# show run dhcpd
dhcpd dns 192.168.1.9
dhcpd lease 5000
!
dhcpd address 192.168.1.10-192.168.1.137 inside
dhcpd enable inside
fgasimzade:

Well, as long as your DHCP is running on the ASA, it is supposed to give out IP addresses.
Why do you think it's giving addresses to external clients? DHCP is enabled on the inside. So that means a machine on the inside gets an IP. Of course this happens outside the ASA, hence 'external'.
It gives out IP addresses for inside clients:

 DHCP daemon interface inside:  address granted 0100.26bb.0762.f2 (192.168.1.67).
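One way to act on fgasimzade's point is to check which inside devices the leases in those 604103 messages actually went to. This is an added example, not code from the thread: it parses ASA "address granted" lines (constructed samples in the format quoted above), decodes the logged client identifier (the 01 hardware-type byte followed by the MAC) and flags every lease to a MAC outside a hypothetical inventory of known clients.

```python
import re
from collections import Counter

# Constructed sample lines in the 604103 format quoted in the question; only the first
# client identifier matches a device in the (hypothetical) inventory below.
SAMPLE_LOG = """\
6 Aug 05 2011 01:11:57 6-604103 DHCP daemon interface inside:  address granted 0100.26bb.0762.f2 (192.168.1.67).
6 Aug 05 2011 01:12:03 6-604103 DHCP daemon interface inside:  address granted 0100.1122.3344.55 (192.168.1.68).
6 Aug 05 2011 01:12:40 6-604103 DHCP daemon interface inside:  address granted 01aa.bbcc.dd00.11 (192.168.1.69).
6 Aug 05 2011 01:13:05 6-604103 DHCP daemon interface inside:  address granted 0100.1122.3344.55 (192.168.1.68).
"""

# Hypothetical inventory of the MACs that are allowed to take a lease on the inside.
# The ASA logs the DHCP client identifier, i.e. hardware type 01 followed by the 6-byte MAC,
# so 0100.26bb.0762.f2 in the log is the NIC 00:26:bb:07:62:f2.
KNOWN_MACS = {"00:26:bb:07:62:f2"}

GRANT_RE = re.compile(
    r"604103\s+DHCP daemon interface (?P<iface>\S+):\s+address granted "
    r"(?P<cid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{2}) \((?P<ip>[\d.]+)\)"
)

def client_id_to_mac(cid):
    """Turn the dotted 14-hex-digit client id into a colon-separated MAC, dropping the 01 type byte."""
    digits = cid.replace(".", "")
    if len(digits) != 14 or not digits.startswith("01"):
        return None  # not an Ethernet-type client identifier; leave it unresolved
    mac = digits[2:]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))

def parse_grants(text):
    """Return (interface, mac, ip) for every 604103 'address granted' line in text."""
    grants = []
    for line in text.splitlines():
        m = GRANT_RE.search(line)
        if m:
            grants.append((m["iface"], client_id_to_mac(m["cid"]), m["ip"]))
    return grants

def unknown_leases(text, known=KNOWN_MACS):
    """Leases handed to MACs outside the inventory: the devices the asker cannot account for."""
    return [g for g in parse_grants(text) if g[1] not in known]

def leases_per_mac(text):
    """How many grants each MAC received; a burst from one MAC is renewals, many MACs is many hosts."""
    return Counter(g[1] for g in parse_grants(text))
```

Run it over the ASA's own syslog export to see whether the "6 or 7" grants come from a few known NICs renewing or from MACs that are not yours.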
dcl1soft (asker):

Well, my issue is that I am just setting this up and really don't have more than 3 internal wireless clients that are configured for dynamic DHCP, and 5 wired workstations (all with static IPs).

I am just learning this stuff and have gained a huge amount of respect for people who know networking, so please bear with me.

The overall picture is that I am a very small shop and have spent weeks trying to set up this network. I do not have very many workstations. My topology consists of the following:

Cisco ASA 5505 (Base License), limited to 3 active VLANs, where one of the VLANs can only go out to the Internet. So my options are:
  - Inside VLAN
  - Outside VLAN
  - 3rd VLAN (based on the license, it would not be able to work with the rest of the inside hosts. My desire was to set this up as a wireless-only VLAN, with IP addresses served only to the wireless clients, but I ran into the Base License limitation.)

Network:
  - 1 bridged DSL modem (from ISP)
  - Gateway router: Cisco ASA 5505, 8.2 CLI, ASDM 6.2
  - Wireless router: Netgear N750, also known as WNDR4000

Wired network:
  - 1 Windows 2008 R2 Domain Controller / Database Server
  - 1 IIS Server (to support a third-party application, mainly VPN-based processing)
  - 5 workstations

Wireless network: 2 laptops, 1 tablet

So back to the DHCP question: all of my wired network has static IPs. When I encountered the problem, I only had 1 or 2 wireless clients on, but I am seeing a lot of activity within a couple of minutes, maybe 6 or 7 external IPs given out.

Please give me your thoughts on what could be causing this, and then troubleshooting tips.

Thanks in advance.


When you say external IPs, you mean IP addresses from your inside subnet?

I am seeing a lot of activity within a couple of minutes, maybe 6 or 7 external IPs given out.
Is the wireless secured, like WPA or WPA2?
Answers:
    The wireless authentication is WPA2-PK AES.

My ASA5505 is configured as a DHCP server for my internal subnet range and that is what is happening, but I cannot account for the devices that are getting these IP addresses.

Try changing your password for wifi
I have DHCP disabled on the wireless router. It was late last night and I was trying to configure the wireless router a couple of ways.
   1) It would be a DHCP server of its own, assigning IP addresses in the 192.168.2.0 subnet, while the ASA5505 would be assigning IP addresses in the 192.168.1.0 range. The wireless router is cabled to a separate port on the ASA.
--- That config seemed to be smoother (from the wireless side), but I could not create a separate VLAN for it, as the Cisco Base license doesn't allow it for what I am trying to do.

   2) The other way I have tried is to rely 100% on the ASA to assign IP addresses on the 192.168.1.0 subnet, disable DHCP and RIP on the Netgear router, assign it a static IP on that subnet, i.e. 192.168.1.2, and cable it to a switch that is coming off the inside interface port on the ASA, along with most of the wired stations.
   This seemed to work, i.e. the wireless laptops connected, but they could not get out to the Internet.

Perhaps I need a static route between 192.168.1.1 (the ASA) and 192.168.1.2 (the Netgear router)??

The third option that I have been reading about, albeit more complicated, is to create multiple subnets on the same ASA interface.
   I haven't gone there yet, but I'm wondering if anyone has experience with that?

The second option looks fine; you don't need to create a route, since the ASA and the Netgear are in the same subnet. Just make sure NAT on the ASA is properly configured for your inside subnet. Can you post your config?
You don't need this line:

global (inside) 10 interface
Another thing I should mention, and again it was late (3:30am or so): when I was doing option 2, I started getting 'Duplicate IP' messages on my wireless devices.
Your inside subnet 192.168.1.0 is quite commonly used; someone probably configured a static IP address on his wireless NIC, and it conflicts with an IP address from your DHCP pool.
I forgot about the wired part of your network; a static IP can be configured on any wired client as well.
It was strange, but the IP address that came up was 192.168.1.46 (much greater than I normally see within my own network).

   So the only wireless connections that could get an IP address are those that could authenticate to my wireless network, theoretically, correct?
Yes, you need to authenticate first before obtaining an IP address.
Hi fgasimzade,
  I am in the office now looking at things. Just wondering if you are going to be around.
dcl1soft (asker), accepted solution:
Through tenacious digging, I found my own solution, but I needed the encouragement and tips along the way to debug my problem.