Avatar of dcl1soft
Flag for United States of America asked on

ASA5505 as a DHCP Server

My ASA5505 router (8.2 CLI) appears to be assigning IP Addresses to external clients. Per logging message below.

6      Aug 05 2011      01:11:57      6-604103                              DHCP daemon interface inside:  address granted 0100.26bb.0762.f2 (

  The Cisco explanation is as such:
%ASA-6-604103: DHCP daemon interface interface_name: address granted
MAC_address (IP_address)
The adaptive security appliance DHCP server granted an IP address to an external client.

I do a SHOW RUN DHCPD and see the following:  I am concerned that this behavior would allow those external clients access to my network. What would cause this? Shouldn't I be concerned?

xxxxxasa(config)# show run dhcpd
dhcpd dns
dhcpd lease 5000
dhcpd address inside
dhcpd enable inside
RoutersNetwork Management

Avatar of undefined
Last Comment

8/22/2022 - Mon

Well, as long as your DHCP is running on ASA, it is supposed to give out ip addresses..
Ernie Beek

Why do you think its giving addresses to external clients? Dhcp is enabled on the inside. So that means a machine on the inside gets an IP. Ofcours this happens outside the ASA, hence 'external'.

It gives out ip address for inside clients:

 DHCP daemon interface inside:  address granted 0100.26bb.0762.f2 (
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck

Well, my issue is that I am just setting this up and really don;t have more than 3 internal wireless clients that are configured for Dynamic DHCP and and 5ea wired workstations (all with static IPs).

I am just learning this stuff and have gained a huge amount of respect for people who know networking so please bear with me.

    The Overall picture is that I am a very small shop and have spent weeks trying to setup this network.
  I do not have very many workstations. My toplogy consists of the following:

    Cisco ASA 5505 (Base License) Limited to 3 Active VLANs where one of the VLAN can only go out to the Internet.
     So my options are: Inside VLAN
                                   Outside VLAN
                                  3rd Vlan (Based on license, would not be be able to  work with the rest of the Inside Hosts. (My desire was to get this setup as a Wireless only VLAN with IP Addresses for being served only to the Wireless Clients but ran into the Base License limitation).

 Network -
                              1ea Bridged DSL Modem (from ISP)
                              Gateway Router - Cisco ASA 5505 - 8.2 CLI, ASDM 6.2
                              Wireless Router = Netgear N750, also known as  WNDR4000

    Wired Network - 1 Windows 2008 R2 Domain Controller / Database Server
                               1 IIS Server (to support a Third Party application - mainly VPN-based processing)
                              5 Workstations
  Wireless Network - 2 ea Latops, 1ea Tablet

  So back to the DHCP question, all of my Wired Network have Static Ips. When encountering the problem discovered , I only have 1 or 2 wireless clients on but  I am seeing a lot of activity within a couple of minutes, maybe 6 or 7 external IPs given out.

Please give me your concept thoughts of what could be causing this? And then troubleshooting tips.

Thanks in advance.




When you say external IPs, you mean IP addresses from your inside subnet?

I am seeing a lot of activity within a couple of minutes, maybe 6 or 7 external IPs given out.
Ernie Beek

Is the wireless secured? Like wpa or wpa2?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

    The wireless authentication is WPA2-PK AES.

   My ASA5505 is configured as a DHCP server for my internal subnet range and that is what is happenning but I cannot account for the devices that are getting these IP Addresses.


Try changing your password for wifi

I have DHCP disabled on the Wireless Router. It was late last night and I was trying to configure the Wireless Router a couple of ways.
   1) It would be a DHCP Server of its own, assigning IP addresses in the subnet while
the ASA5505 would be assigning IP Addresses in the range.
   Wireless router cabled to to separate port on ASA.
--- That Config seemed to be more smooth (from the Wireless side) but could not create a separate VLAN for it as the Cisco Base license doesn't allow it for what I am trying to do.

  2) The other way I have tried is to rely 100% on the ASA to assign IP addresses on subnet and disable DHCP, RIP on the Netgear router, assign it a static IP on that subnet, ie
and cable it to a switch that is coming off the Inside Interface port on the ASA - along with most of the Wired stations.
   This seemed to work, ie the Wireless laptops connected but could not get out to the Internet.

Perhaps I need a Static Route between (the ASA) and the (The Netgear Router)??

Your help has saved me hundreds of hours of internet surfing.

The third option that I have been reading albeit more complicated, is to create Multiple subnets on the same ASA Interface.
   Haven't gone there yet but wondering if anyone has experience with that?


Second option looks fine, you dont need to create a route since ASA and Netgear are in the same subnet. Just make sure NAT on ASA is properly configured for your inside subnet. Can you post your config?

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

You dont need this line:

global (inside) 10 interface

Another thing I should mention, and again it was late (3:30am or so). When I was doing Option 2, I started getting 'Duplicate Ip'  messages on my Wireless devices.

Your inside subnet is quite commonly used, someone probably configured a static IP address on his wireless NIC and it gives conflicts with an IP address from your DHCP pool
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

I forgot about your wired part of the network, static IP can be configured on any wired client as well

It was strange but the IP Address that came up was (much greater than I see normally within my own network).

   That only wireless connections who  could get an IP Address though are those could authenticate to my Wireless network, theoretically, correct?

Yes, you need to authenticate first before obtaining IP address
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Hi fquasimzade ,
  I am in the office now looking at things. Just wondering if you are going to be around.

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Through tenacious digging, I found my own solution but needed the encouragement and tips along the way to Debug my problem.