Solved

Cisco ASA and 169 addresses.

Posted on 2013-11-01
Last Modified: 2013-11-08
Odd one.

Our new ASA that has been installed into a new office is causing issues with the LAN.
We don't have DHCP set up on the firewall or have a DHCP/DNS server in this site yet.
We have 2x switches 172.19.4.4 and 4.5
The GW/ASA is 172.19.10.15
Statics are configured on the clients with Google DNS and GW.

When the firewall is disconnected from the LAN the switches and client can route and ping internally fine.  The static IPs show in the network properties correctly.

When the switches or clients/hosts are connected into the firewall (vlan1 at present) the firewall (happens after a reboot) picks up a 169. IP address and is shown as autoconfigured on the PC.  The static IP also shows as auto config.

I am 100% sure this is the firewall.  It's a managed device and currently the managed co (after 2 days) have no ideas.

Suggestions?

Thanks
0
Question by:CHI-LTD
20 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39616888
Do you have a network diagram with IP addresses?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39616910
attached.

no servers there yet...
network.jpg
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39616931
Can you post the ASA config?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39617071
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.10.30 17:12:44 =~=~=~=~=~=~=~=~=~=~=~=


-> en
Password: **************

# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname -
domain-name
enable password
passwd
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description To LAN
 nameif inside
 security-level 100
 ip address 172.19.10.15 255.255.0.0
!
interface Vlan2
 description To Internet
 nameif outside
 security-level 0
 ip address 188.39.71.98 255.255.255.248
!
banner login
banner login This system is private property.
banner login Unauthorised users are prohibited and must disconnect now.
banner login All actions are logged.
banner login
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network
 subnet 172.19.0.0 255.255.0.0
 description Inside network
object network 10.255.254.0_25
 subnet 10.255.254.0 255.255.255.128
 description Hounslow Roam VPN
object network 10.255.255.0_25
 subnet 10.255.255.0 255.255.255.128
 description Yeovil Roam VPN
object network 192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
 description London LAN
object network 172.19.10.21_pop3
 host 172.19.10.21
object network Mimecast_DC_1
 subnet 135.196.24.192 255.255.255.240
object network Mimecast_DC_2
 subnet 213.235.63.64 255.255.255.192
object network Mimecast_DC_3
 subnet 94.185.244.0 255.255.255.0
object network Mimecast_DC_4
 subnet 212.2.3.128 255.255.255.192
object network Mimecast_DC_5
 subnet 212.199.232.144 255.255.255.248
object network Mimecast_DC_6
 subnet 195.130.217.0 255.255.255.0
object network Mimecast_DC_7
 subnet 91.220.42.0 255.255.255.0
object network 172.19.10.21_smtp
 host 172.19.10.21
object network 192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
 description Hounslow LAN
object network Bloomberg_1
 subnet 160.43.250.0 255.255.255.0
object network Bloomberg_2
 subnet 205.216.112.0 255.255.255.0
object network Bloomberg_3
 subnet 206.156.53.0 255.255.255.0
object network Bloomberg_4
 subnet 208.22.56.0 255.255.255.0
object network Bloomberg_5
 subnet 208.22.57.0 255.255.255.0
object network Bloomberg_6
 subnet 69.191.192.0 255.255.192.0
object network Proquote_1
 host 195.26.26.140
object network Proquote_2
 host 195.26.26.150
object network Proquote_3
 host 195.26.26.16
object network Proquote_4
 host 195.26.27.141
object network Proquote_5
 host 195.26.27.150
object network Proquote_6
 host 212.47.180.32
object network Proquote_7
 host 213.38.100.13
object network Proquote_8
 host 213.38.100.4
object network Proquote_9
 host 213.38.100.5
object network Proquote_10
 host 213.38.100.6
object network proxy137.scansafe.net
 host 80.254.152.99
object network proxy411.scansafe.net
 host 80.254.147.163
object network obj-vpn-london
 subnet 192.168.3.0 255.255.255.0
object network Mimecast_DC_8
 subnet 94.185.240.0 255.255.255.0
object network 172.19.10.17_ldap
 host 172.19.10.17
object network proxy493.scansafe.net
 host 80.254.158.179
object network proxy494.scansafe.net
 host 80.254.158.187
object network proxy503.scansafe.net
 host 80.254.158.211
object network proxy504.scansafe.net
 host 80.254.158.219
object network 172.19.10.21_http
 host 172.19.10.21
object network 172.19.10.21_https
 host 172.19.10.21
object-group network Mimecast
 description Mimecast email filtering sources
 network-object object Mimecast_DC_1
 network-object object Mimecast_DC_2
 network-object object Mimecast_DC_3
 network-object object Mimecast_DC_4
 network-object object Mimecast_DC_5
 network-object object Mimecast_DC_6
 network-object object Mimecast_DC_7
 network-object object Mimecast_DC_8
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ldap
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.255.254.0_25
 network-object object 10.255.255.0_25
 network-object object 192.168.2.0_24
 network-object object 192.168.3.0_24
object-group network Bloomberg
 network-object object Bloomberg_1
 network-object object Bloomberg_2
 network-object object Bloomberg_3
 network-object object Bloomberg_4
 network-object object Bloomberg_5
 network-object host 194.105.166.35
 network-object object Bloomberg_6
object-group network Proquote
 network-object object Proquote_1
 network-object object Proquote_2
 network-object object Proquote_3
 network-object object Proquote_4
 network-object object Proquote_5
 network-object object Proquote_6
 network-object object Proquote_7
 network-object object Proquote_8
 network-object object Proquote_9
 network-object object Proquote_10
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination range 8194 8198
 service-object udp destination range 48129 48137
 service-object tcp destination range 8209 8294
object-group service DM_INLINE_TCP_2 tcp
 port-object range 2300 2400
 port-object eq 6969
object-group network DM_INLINE_NETWORK_2
 network-object object proxy137.scansafe.net
 network-object object proxy411.scansafe.net
 network-object object proxy493.scansafe.net
 network-object object proxy494.scansafe.net
 network-object object proxy503.scansafe.net
 network-object object proxy504.scansafe.net
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq domain
 service-object tcp destination eq 3101
 service-object tcp destination eq 4103
 service-object tcp destination eq 4105
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination range 49100 49200
object-group service DM_INLINE_TCP_3 tcp
 port-object range 1130 1132
 port-object eq 4800
 port-object eq 50110
 port-object range 50112 50115
 port-object range 50140 50142
 port-object range 50802 50803
 port-object range 50806 50808
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ldap
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_4
 network-object object 192.168.2.0_24
 network-object 10.255.254.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object host 194.105.166.35
 group-object Mimecast
object-group network DM_INLINE_NETWORK_6
 network-object object proxy137.scansafe.net
 network-object object proxy411.scansafe.net
object-group network DM_INLINE_NETWORK_7
 network-object object inside-network
 network-object 10.255.254.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.255.255.0 255.255.255.0
 network-object object inside-network
object-group network obj-CiscoCloud
 network-object 70.39.231.91 255.255.255.255
 network-object 70.39.231.107 255.255.255.255
 network-object 70.39.231.155 255.255.255.255
 network-object 70.39.231.171 255.255.255.255
 network-object 80.254.147.251 255.255.255.255
 network-object 80.254.158.35 255.255.255.255
 network-object 80.254.158.147 255.255.255.255
 network-object 80.254.158.155 255.255.255.255
object-group network DM_INLINE_NETWORK_8
 network-object object 10.255.254.0_25
 network-object object inside-network
object-group network DM_INLINE_NETWORK_9
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list inbound extended permit icmp any host 80.76.122.145 echo-reply
access-list inbound extended permit icmp any host 80.76.122.145 source-quench
access-list inbound extended permit icmp any host 80.76.122.145 time-exceeded
access-list inbound extended permit icmp any host 80.76.122.145 unreachable
access-list inbound extended permit icmp any host 80.76.122.145 traceroute
access-list inbound extended permit icmp any object inside-network echo-reply
access-list inbound extended permit icmp any object inside-network time-exceeded
access-list inbound extended permit icmp any object inside-network unreachable
access-list inbound extended permit icmp any object inside-network traceroute
access-list inbound extended permit icmp any object inside-network source-quench
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.21 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.4 object-group DM_INLINE_TCP_1 inactive
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.17 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp any object 172.19.10.21_http eq www
access-list inbound extended permit tcp any object 172.19.10.21_https eq https
access-list inside_access_in extended permit ip 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 172.19.0.0 255.255.0.0 object-group Bloomberg
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 81.168.26.81 object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group Proquote object-group DM_INLINE_TCP_3
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_2 eq 8080
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_6 eq 8090
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 77.73.1.127 eq ssh
access-list inside_access_in extended permit tcp host 172.19.10.17 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit tcp host 172.19.10.4 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit ip host 172.19.10.21 any
access-list inside_access_in extended permit tcp host 172.19.10.7 any eq 3101
access-list inside_access_in extended permit icmp 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip any object-group obj-CiscoCloud
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 212.102.222.248 eq 5677
access-list inside_access_in extended permit ip host 172.19.10.17 any
access-list inside_access_in extended permit tcp host 172.19.10.21 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit tcp host 172.19.10.28 any eq 3101
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpn-roam-split standard permit 172.19.0.0 255.255.0.0
access-list vpn-roam-split standard permit 192.168.3.0 255.255.255.0
access-list vpn-roam-split standard permit 192.168.2.0 255.255.255.0
access-list acl-vpn-london extended permit ip object inside-network object obj-vpn-london
access-list acl-vpn-london-dummy extended permit ip object-group DM_INLINE_NETWORK_7 object obj-vpn-london
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
pager lines 24
logging enable
logging timestamp
logging buffer-size 16000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.255.255.1-10.255.255.127 mask 255.255.255.128
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.19.0.0 255.255.0.0 inside
icmp permit 194.105.167.0 255.255.255.192 outside
icmp permit host 194.105.166.224 outside
icmp permit 194.105.166.0 255.255.255.192 outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,any) source static inside-network inside-network destination static 192.168.2.0_24 192.168.2.0_24
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static 192.168.2.0_24 192.168.2.0_24
nat (inside,any) source static inside-network inside-network destination static 10.255.255.0_25 10.255.255.0_25
nat (inside,outside) source static inside-network inside-network destination static obj-vpn-london obj-vpn-london
nat (inside,any) source static inside-network inside-network destination static 10.255.254.0_25 10.255.254.0_25
!
object network 172.19.10.21_pop3
 nat (inside,outside) static interface service tcp pop3 pop3
object network 172.19.10.21_smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network 172.19.10.17_ldap
 nat (inside,outside) static interface service tcp ldap ldap
object network 172.19.10.21_http
 nat (inside,outside) static interface service tcp www www
object network 172.19.10.21_https
 nat (inside,outside) static interface service tcp https https
!
nat (inside,outside) after-auto source dynamic inside-network interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 188.39.71.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.19.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 212.102.222.228
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 188.39.121.250
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address acl-vpn-london-dummy
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 81.171.221.234
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.19.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5

!
tls-proxy maximum-session 12
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.105.167.1
ntp server 194.105.166.1
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_188.39.121.250 internal
group-policy GroupPolicy_188.39.121.250 attributes
 vpn-tunnel-protocol ikev1
group-policy VPN-Hounslow internal
group-policy VPN-Hounslow attributes
 vpn-tunnel-protocol ikev1
group-policy roam-vpn internal
group-policy roam-vpn attributes
 wins-server value 172.19.10.17 172.19.10.18
 dns-server value 172.19.10.17 172.19.10.18
 vpn-tunnel-protocol ikev1
 pfs enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-roam-split
 split-dns none
username CommsAdmin password QcInhlcqc3PTxjrq encrypted privilege 15
tunnel-group 62.73.138.180 type ipsec-l2l
tunnel-group 62.73.138.180 general-attributes
 default-group-policy VPN-Hounslow
tunnel-group 62.73.138.180 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group roam-vpn type remote-access
tunnel-group roam-vpn general-attributes
 address-pool vpnpool
 default-group-policy roam-vpn
tunnel-group roam-vpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 81.171.221.234 type ipsec-l2l
tunnel-group 81.171.221.234 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 212.102.222.228 type ipsec-l2l
tunnel-group 212.102.222.228 general-attributes
 default-group-policy VPN-Hounslow
tunnel-group 212.102.222.228 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 188.39.121.250 type ipsec-l2l
tunnel-group 188.39.121.250 general-attributes
 default-group-policy GroupPolicy_188.39.121.250
tunnel-group 188.39.121.250 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:11944f4128b9384e3a407edae4a26363
: end

-#
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39617135
Not clear about:

the firewall (happens after a reboot) picks up a 169. ip address and is shown as autoconfigured on the PC.  The static Ip also shows as auto config.

Does this only happen on the ASA or does the PC get a 169 address as well?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39617157
The hosts are picking up a 169 after a period of time or reboot when connected to the ASA.
The hosts are fine if the switches/hosts are not connected to the firewall...
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39617184
So, if you connect the firewall to the network, hosts can't receive an IP address from the DHCP server?

Is there anything in the Application or System log on the DHCP server which relates to DHCP events (assuming it's a Windows DHCP server)?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 39617213
Could you try the following command on the ASA and see if this works?
sysopt noproxyarp Vlan1
0
 
LVL 45

Accepted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39617228
Good call, Ernie.. that's where I was going next :-)

You might need to issue the command like this...

sysopt noproxyarp inside (instead of vlan1)
0
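
An added example, not part of the thread and not Cisco tooling: a check over a config like the one posted above that lists the manual nat rules which make the firewall answer ARP on the inside interface for addresses inside the LAN subnet, the behaviour that "sysopt noproxyarp inside" switches off. It assumes the usual ASA model (the mapped source is proxy-ARPed on the mapped interface, the mapped destination on the real interface, and "any" means every interface); SAMPLE_CONFIG is a constructed excerpt of the posted lines and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: interface, object and nat lines taken from the posted config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.19.10.15 255.255.0.0
interface Vlan2
 nameif outside
 ip address 188.39.71.98 255.255.255.248
object network inside-network
 subnet 172.19.0.0 255.255.0.0
object network 10.255.255.0_25
 subnet 10.255.255.0 255.255.255.128
object network 192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network obj-vpn-london
 subnet 192.168.3.0 255.255.255.0
nat (inside,any) source static inside-network inside-network destination static 192.168.2.0_24 192.168.2.0_24
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static 192.168.2.0_24 192.168.2.0_24
nat (inside,any) source static inside-network inside-network destination static 10.255.255.0_25 10.255.255.0_25
nat (inside,outside) source static inside-network inside-network destination static obj-vpn-london obj-vpn-london
"""

# Manual (twice) NAT, static only: nat (real_if,mapped_if) source static REAL MAPPED
#   [destination static MAPPED REAL] [options such as no-proxy-arp]
NAT_RE = re.compile(
    r"^nat \(([^,\s]+),([^)\s]+)\) (?:after-auto )?source static (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(.*)$")

def parse_config(text):
    """Collect network objects, interface subnets, static manual NAT rules
    and the interfaces named in 'sysopt noproxyarp'."""
    objects, ifaces, rules, suppressed = {}, {}, [], set()
    obj = nameif = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):          # a top-level command leaves any sub-mode
            obj = nameif = None
        if words[:2] == ["object", "network"] and len(words) == 3:
            obj = words[2]
        elif obj and words[0] == "subnet" and len(words) == 3:
            objects[obj] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif obj and words[0] == "host" and len(words) == 2:
            objects[obj] = ipaddress.ip_network(words[1] + "/32")
        elif words[0] == "nameif" and len(words) == 2:
            nameif = words[1]
        elif nameif and words[:2] == ["ip", "address"] and len(words) >= 4:
            ifaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:2] == ["sysopt", "noproxyarp"] and len(words) == 3:
            suppressed.add(words[2])
        else:
            m = NAT_RE.match(raw)            # object-NAT lines are indented and do not match
            if m:
                rules.append(m)
    return objects, ifaces, rules, suppressed

def proxy_arp_findings(text, lan="inside"):
    """Return the NAT rules under which the ASA would answer ARP on the LAN
    interface for addresses that belong to the LAN's own subnet."""
    objects, ifaces, rules, suppressed = parse_config(text)
    lan_net = ifaces[lan]
    findings = []
    for m in rules:
        real_if, mapped_if, _, src_mapped, dst_mapped, _, opts = m.groups()
        if "no-proxy-arp" in opts.split():
            continue                         # proxy ARP disabled for this rule
        # (object name, interface on which the ASA answers ARP for it)
        candidates = [(src_mapped, mapped_if)]
        if dst_mapped:
            candidates.append((dst_mapped, real_if))
        for name, iface in candidates:
            net = objects.get(name)
            if net is not None and iface in (lan, "any") and net.overlaps(lan_net):
                findings.append({"rule": m.group(0), "object": name, "net": str(net),
                                 "suppressed": lan in suppressed})
    return findings

if __name__ == "__main__":
    for f in proxy_arp_findings(SAMPLE_CONFIG):
        print(f["net"], "suppressed" if f["suppressed"] else "ACTIVE", "|", f["rule"])
```

Adding no-proxy-arp to the flagged rules is the narrower alternative to the interface-wide sysopt command.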
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39617275
@craig: Thx, my pleasure :) Been there before...

Thought both options could be possible (vlan1 or inside). But then it's clearer to use inside indeed.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39620200
Just curious, when you enable this "fix" does it still happen?

http://www.windowstechinfo.com/2013/07/disabling-apipa-automatic-private-ip.html

How to disable APIPA Automatic Private IP Addressing in Windows 7, Windows 8
This can be achieved by adding a dword registry key under this path.

Press Windows key and R key together and type regedit and click OK.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The key should be created as "IPAutoconfigurationEnabled"   and the dword value should be 00000000
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39621018
I'm sure it's not a Win 7 issue.
The clients with statics get the 169 with the static and when DHCP enabled on the firewall the clients only get the 169, so DHCP failing to work..
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39621042
So, did you already try the 'noproxyarp' option?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39621047
not yet.  will let you know.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39621052
Please do. We'll be here :)
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39621192
the clients with statics get the 169 with the static
What does that mean?

If you have a static IP address, you won't get a 169 address!?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39621201
So in the IP config settings on the client machines I see a 169 as autoconfigured along with the static IP address which is labelled as autoconfigured too.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39621216
Read something about that: http://community.spiceworks.com/topic/191944-apipa-issues

It isn't a bug, it's a feature ;)
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39621221
I've never seen that on the thousands of W7 machines I've managed.

I have seen the odd time where the NIC picked up an APIPA address because it was connected to the network before DHCP was enabled, and a static IP wasn't configured first.  To be clear I mean that after adding the static the APIPA remained, until I disabled and re-enabled the NIC.

Strange :-/
0
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 39632942
Perfect!
0
