ASA5505 as a DHCP Server

dcl1soft
My ASA5505 router (8.2 CLI) appears to be assigning IP Addresses to external clients. Per logging message below.

6 Aug 05 2011 01:11:57 6-604103 DHCP daemon interface inside: address granted 0100.26bb.0762.f2 (192.168.1.67).

The Cisco explanation is as such:
%ASA-6-604103: DHCP daemon interface interface_name: address granted MAC_address (IP_address)
The adaptive security appliance DHCP server granted an IP address to an external client.

I do a SHOW RUN DHCPD and see the following:  I am concerned that this behavior would allow those external clients access to my network. What would cause this? Shouldn't I be concerned?

xxxxxasa(config)# show run dhcpd
dhcpd dns 192.168.1.9
dhcpd lease 5000
!
dhcpd address 192.168.1.10-192.168.1.137 inside
dhcpd enable inside
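To check what the 604103 lines actually say against the pool configured by `dhcpd address`, here is an added Python example (not from the thread or from Cisco). It assumes the syslog and `show run dhcpd` text are pasted in as strings; the log lines are constructed samples. Note that the value the ASA logs is the DHCP client identifier, a hardware-type byte (01 = Ethernet) followed by the MAC, which is why it is one byte longer than a MAC address.

```python
import ipaddress
import re

# Constructed sample in the layout of the %ASA-6-604103 line quoted above.
SAMPLE_LOG = """\
6 Aug 05 2011 01:11:57 6-604103 DHCP daemon interface inside: address granted 0100.26bb.0762.f2 (192.168.1.67).
6 Aug 05 2011 01:12:03 6-604103 DHCP daemon interface inside: address granted 0100.26bb.0762.f2 (192.168.1.67).
6 Aug 05 2011 01:13:41 6-604103 DHCP daemon interface inside: address granted 01c8.3a35.1a2b.3c (192.168.1.46).
6 Aug 05 2011 01:14:09 6-604103 DHCP daemon interface inside: address granted 0100.1122.3344.55 (192.168.1.200).
"""
# The "show run dhcpd" output from the question.
SAMPLE_DHCPD = """\
dhcpd dns 192.168.1.9
dhcpd lease 5000
!
dhcpd address 192.168.1.10-192.168.1.137 inside
dhcpd enable inside
"""

GRANT_RE = re.compile(r"604103 DHCP daemon interface (?P<iface>\S+): address granted "
                      r"(?P<clientid>[0-9a-f.]+) \((?P<ip>[\d.]+)\)")
POOL_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)", re.M)

def parse_pools(config):
    """{interface: (first_ip, last_ip)} from every 'dhcpd address' line."""
    return {iface: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for lo, hi, iface in POOL_RE.findall(config)}

def split_client_id(clientid):
    """The ASA logs the DHCP client identifier: one hardware-type byte (01 = Ethernet)
    followed by the MAC.  '0100.26bb.0762.f2' -> (1, '00:26:bb:07:62:f2')."""
    raw = clientid.replace(".", "")
    return int(raw[:2], 16), ":".join(raw[i:i + 2] for i in range(2, len(raw), 2))

def audit_grants(log, config):
    """Return ({mac: {ips granted}}, [(mac, ip, iface) for grants outside the pool])."""
    pools = parse_pools(config)
    leases, out_of_pool = {}, []
    for m in GRANT_RE.finditer(log):
        ip = ipaddress.ip_address(m["ip"])
        _htype, mac = split_client_id(m["clientid"])
        leases.setdefault(mac, set()).add(str(ip))
        lo, hi = pools.get(m["iface"], (None, None))
        if lo is None or not lo <= ip <= hi:
            out_of_pool.append((mac, str(ip), m["iface"]))
    return leases, out_of_pool
```

The distinct-MAC count answers "how many clients actually got a lease" (repeat grants to the same client are one entry), and any grant outside the configured range points at a second DHCP server on the segment rather than at the ASA.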
Top Expert 2011

Commented:
Well, as long as your DHCP is running on ASA, it is supposed to give out ip addresses..
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Why do you think it's giving addresses to external clients? DHCP is enabled on the inside. So that means a machine on the inside gets an IP. Of course this happens outside the ASA, hence 'external'.
Top Expert 2011

Commented:
It gives out ip address for inside clients:

 DHCP daemon interface inside:  address granted 0100.26bb.0762.f2 (192.168.1.67).
Author

Commented:
Well, my issue is that I am just setting this up and really don't have more than 3 internal wireless clients that are configured for dynamic DHCP and 5ea wired workstations (all with static IPs).

I am just learning this stuff and have gained a huge amount of respect for people who know networking so please bear with me.

The overall picture is that I am a very small shop and have spent weeks trying to set up this network.
I do not have very many workstations. My topology consists of the following:

Cisco ASA 5505 (Base License): limited to 3 active VLANs, where one of the VLANs can only go out to the Internet.
So my options are:
    Inside VLAN
    Outside VLAN
    3rd VLAN (based on license, would not be able to work with the rest of the inside hosts. My desire was to get this set up as a wireless-only VLAN with IP addresses being served only to the wireless clients, but I ran into the Base License limitation).

Network:
    1ea Bridged DSL Modem (from ISP)
    Gateway Router - Cisco ASA 5505 - 8.2 CLI, ASDM 6.2
    Wireless Router = Netgear N750, also known as WNDR4000

Wired Network:
    1 Windows 2008 R2 Domain Controller / Database Server
    1 IIS Server (to support a third-party application - mainly VPN-based processing)
    5 Workstations

Wireless Network: 2ea Laptops, 1ea Tablet

So back to the DHCP question: all of my wired network has static IPs. When encountering the problem discovered, I only have 1 or 2 wireless clients on, but I am seeing a lot of activity within a couple of minutes, maybe 6 or 7 external IPs given out.

Please give me your concept thoughts of what could be causing this? And then troubleshooting tips.

Thanks in advance.


Top Expert 2011

Commented:
When you say external IPs, you mean IP addresses from your inside subnet?

I am seeing a lot of activity within a couple of minutes, maybe 6 or 7 external IPs given out.
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Is the wireless secured? Like wpa or wpa2?

Author

Commented:
Answers:
    The wireless authentication is WPA2-PK AES.

My ASA5505 is configured as a DHCP server for my internal subnet range and that is what is happening, but I cannot account for the devices that are getting these IP addresses.

Top Expert 2011

Commented:
Try changing your password for wifi

Author

Commented:
I have DHCP disabled on the Wireless Router. It was late last night and I was trying to configure the Wireless Router a couple of ways.
   1) It would be a DHCP server of its own, assigning IP addresses in the 192.168.2.0 subnet while the ASA5505 would be assigning IP addresses in the 192.168.1.0 range.
   Wireless router cabled to a separate port on the ASA.
--- That config seemed to be more smooth (from the wireless side) but I could not create a separate VLAN for it, as the Cisco Base license doesn't allow it for what I am trying to do.

  2) The other way I have tried is to rely 100% on the ASA to assign IP addresses on 192.168.1.0 subnet and disable DHCP, RIP on the Netgear router, assign it a static IP on that subnet, ie 192.168.1.2
and cable it to a switch that is coming off the Inside Interface port on the ASA - along with most of the Wired stations.
   This seemed to work, ie the Wireless laptops connected but could not get out to the Internet.

Perhaps I need a Static Route between 192.168.1.1 (the ASA) and the 192.168.1.2 (The Netgear Router)??

Author

Commented:
The third option that I have been reading albeit more complicated, is to create Multiple subnets on the same ASA Interface.
   Haven't gone there yet but wondering if anyone has experience with that?

Top Expert 2011

Commented:
Second option looks fine, you don't need to create a route since ASA and Netgear are in the same subnet. Just make sure NAT on ASA is properly configured for your inside subnet. Can you post your config?
Top Expert 2011

Commented:
You don't need this line:

global (inside) 10 interface

Author

Commented:
Another thing I should mention, and again it was late (3:30am or so). When I was doing Option 2, I started getting 'Duplicate Ip'  messages on my Wireless devices.
Top Expert 2011

Commented:
Your inside subnet 192.168.1.0 is quite commonly used, someone probably configured a static IP address on his wireless NIC and it gives conflicts with an IP address from your DHCP pool
Top Expert 2011

Commented:
I forgot about your wired part of the network, static IP can be configured on any wired client as well

Author

Commented:
It was strange but the IP Address that came up was 192.168.1.46. (much greater than I see normally within my own network).

   The only wireless connections that could get an IP address, though, are those that could authenticate to my wireless network, theoretically, correct?
Top Expert 2011

Commented:
Yes, you need to authenticate first before obtaining IP address

Author

Commented:
Hi fquasimzade,
  I am in the office now looking at things. Just wondering if you are going to be around.
Commented:
Hallelujah! Option #2 is now working with the Netgear WNDR4000 router as an Access Point,
plus the Cisco ASA5505 being used as the DHCP server.
Wireless computers are able to connect to the network and then to the Internet.
SOLUTION -- ARP Proxy function needed to be disabled on the ASA5505.
CLI 8.2 command = sysopt noproxyarp inside

Additionally, what was happening was that the ARP table cache (i.e. mappings of IP addresses to MAC addresses) on the Database Server had filled up with duplicate entries. And that explains not being able to ping / connect to that server and why 'Duplicate IP Address' errors were showing up at certain points of my troubleshooting.
ADDTL STEP - Clear out ARP Cache on Hosts which have Bad / Duplicate entries.

In Windows, this would be:  netsh interface ip delete arpcache
Fquasimzade, Your encouragement kept me going, this has been tough but I have learned a lot.
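A way to spot the duplicate-entry symptom described in the solution above before guessing, as an added Python example (not part of the thread): a proxy-ARP responder answers ARP requests on behalf of other hosts, so in a host's ARP cache its MAC ends up mapped to several IPs at once. The sample is constructed in the layout of Windows `arp -a`, and the MAC/IP values in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "arp -a" output (not from the thread).
SAMPLE_ARP = """\
Interface: 192.168.1.9 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.2           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.46          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.67          00-26-bb-07-62-f2     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
                    re.M | re.I)

def parse_arp(text):
    """{mac: [ip, ...]} for dynamic entries; static broadcast/multicast rows are skipped."""
    by_mac = defaultdict(list)
    for ip, mac, kind in ARP_RE.findall(text):
        if kind.lower() == "dynamic":
            by_mac[mac.lower()].append(ip)
    return dict(by_mac)

def shared_macs(text, threshold=2):
    """MACs that answer for `threshold` or more IPs: one station claiming several
    addresses is either a proxy-ARP responder or a real address conflict, and these
    are the entries worth flushing with 'netsh interface ip delete arpcache'."""
    return {mac: ips for mac, ips in parse_arp(text).items() if len(ips) >= threshold}
```

If the MAC that shows up for many inside hosts is the ASA's own inside interface MAC, the firewall is proxy-ARPing for the segment, which is what `sysopt noproxyarp inside` switches off.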

Author

Commented:
Through tenacious digging, I found my own solution but needed the encouragement and tips along the way to Debug my problem.
