Cisco Firewall :: DHCP Scope Limitations For ASA5505
Feb 22, 2013
I have a ASA5505 that i have running asdm 6.4 on it and have tried setting up some DHCP scopes for the interfaces.I have the security plus key.I set up 4 interfaces all with different subnets and all with different DHCP being doled out by the firewall for the time being.Anyway, 3 of the 4 work.I have tried to change interfaces wondering if there was an issue with that phy device.I tried enableing the subnet that would not work first and it didnt matter still would not issue dhcp.the other 3 work fine.Is there a limitation to the amount of scopes that will issue dhcp for an asa5505 ?
View 3 Replies
ADVERTISEMENT
Apr 7, 2013
DHCP scope is configured on a WLC 5508.I'm checking if there' a way for WLC to clear the dhcp leasing when a user is diconnected from wireless?
View 2 Replies
View Related
Nov 17, 2011
Our company is planning to buy one of cisco ASA 55xx series.But there is still one question left about DHCP pool limitations.Here I found some information about licensing for DHCP on ASA 5505: [URL]In other words, we don't have any information about ASA 5510, which contains DCHP pool licensing.
View 9 Replies
View Related
Jul 1, 2012
I am using Windows 2011 SBS and Windows 7 clients.My server has a DHCP range of 192.x.x.150 to 192.x.x.199 and all other I.P. addresses are static. On a workstation located at I.P. 192.x.x.13 I am seeing an address conflict.When I perform an "nbtstat -a 192.x.x.13" command from the server I am given the logical computer name of a staff members personal laptop.Investigation of the laptop reveals that it is set to DHCP, and clearly the address of 192.x.x.13 is outside of my servers DHCP scope, so this I.P.should never be assigned, let alone in duplicate.I Google this topic before posting, and it was suggested that IPv6 could be having an adverse affect. I determined this because I performed a ping on the laptop and only got a MAC address back rather than an I.P. address.However after unticking IPv6, and rebooting, the laptop is still causing havoc.I can set a static I.P. address on the laptop, however this is not ideal.
View 2 Replies
View Related
May 21, 2012
I've created a tonne of dhcp scopes on my routers before never had any issues, however this one will not hand out any addresses at all, i even give the router a reload to see if any magic happened but nothing, ive ended having to put a temp server in with just dhcp installed until i get the router diong what it should my config below, its something simple i havent seen, as ive compared it to plenty of my working DHCP configs and seen nothing.
View 11 Replies
View Related
Feb 6, 2013
i am using wlc 4402 with a mgt ip 172.26.150.x/24 and ap manager ip 172.26.150.x/24, my all ap get the ip address from dhcp . currently in dhcp server 172.26.150.3 to 254 dhcp scope is configured. at mysite some devices are configured like ipad,iphone or galaxy tab with mac binding in dhcp server. now this pool is almost full. i have a policy configured for these devices for mac binding is done in DHCP. to increase pool what are the changes i need to do in wlc. what are the changes i need to do in dhcp server . is policy made for mac binding in dhcp server will get affected by this ?
View 2 Replies
View Related
Oct 3, 2012
I change DHCP scope to match corporate IP scheme Friday came back To discover only some stations picked up new leases from the scope.
View 2 Replies
View Related
Jul 11, 2011
My Network is running Windows Server 2003 and with more than 150 Users. But last week, I notice that a program is changing my DHCP server IP Address scope.
View 2 Replies
View Related
Aug 10, 2011
I have a 5508 WLC controller at the HQ with the employee ssid ,the dhcp scope on the ssid is 10.120.0.0/16 network.
However,I want this same ssid to be brodcasted to a remote site using HREAP access point but with different dhcp scope 10.102.0.0/16.
I have tried creating another interface for the remote site with a different dhcp scope(10.102.0.0) but the controller wont allow me create another wlan with same ssid that existed before to apply the new interface created for.
View 1 Replies
View Related
Feb 16, 2012
I did the config below but unable to obtain the ip from the subnet scope 10.10.9.0. The switch is in the layer 3 mode.
no spanning-tree
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
[code]....
View 1 Replies
View Related
Jul 8, 2012
I am trying to setup VLANs and most of configurations are working ok now except IP address assignment from DHCP. If any computer in VLAN 120 or 130 configured with manual IP address, then all works fine. It can reach internal servers and the internet without problem.If the IP address is assigned automatically then any computer in VLAN 120 or 130 are obtaining IP address (strangely!) from VLAN 100. Because switch ports that connected to the computer belongs to VLAN 120 or 130, the computer cannot reach internal servers and the internet with ip address from VLAN 100 . All SVI interfaces for VLAN 100, 120 and 130 have ip helper-address option defined pointing to the DHCP server. No DHCP snooping enabled on all switches at this point. DHCP server have three scopes for the three different VLANs.
View 2 Replies
View Related
Sep 11, 2011
The 5508 is running code 7.0.116.0. I have created a group interface for 3 subnets and assigned the group to the WLAN. Clients are getting IP addresses in a round robin fashion. The issue or downside to this is if the lease has not expired before the next time the station connects to the WLAN it consumes an address on another subnet instead of grabbing the unexpired lease IP address on it's previous VLAN. It seems that the WLC determines the VLAN in the interface group before the DHCP request from the client in case the client already received a DHCP address that has not expired. This can be problematic since we have seen some iPhones requesting an address every 20 minutes thus consuming an address on every subnet in the interface group. Other than setting a lease time extremely low what can be done to address this?
View 1 Replies
View Related
Apr 2, 2012
The company I work for owns a remote manufacturing facility that houses a stack of five 3750 switches that function as the core switching system for the plant. DHCP services are configured on the 3750 stack.
There are currently three VLANs configured, one for data and one for voice (144 and 244 respectively) and one for UCM servers (200), with corresponding subnets of 10.44.32.0 /19, 10.44.0.0 /19 and 10.44.100.0 /24.
The current DHCP scope configurations are as follows:
ip dhcp pool Plant-44_DHCP
network 10.44.32.0 255.255.224.0
default-router 10.44.33.254
[Code].....
My question is will the addition of this scope in the manner presented cause any problems with PCs or IP phones outside the targeted recepents receiving the wrong IP information from this scope?
I plan to identify the users that should be members of this VLAN 444 and change the switchport mode access configuration on the corresponding switch ports from VLAN 144 to VLAN 444. The voice VLAN 244 will remain the same.
View 2 Replies
View Related
Feb 13, 2013
I have a ASA5505 with version 8.4(3) that it's working as a DHCP server and I would like to get information about IPs availables (or assignated) on theirs pools via SNMP but I can't find the MIB or OID that I need.
What MIB that I need?
View 1 Replies
View Related
May 13, 2013
I have ASA5505 as my main router (192.168.15.1) and it currently it also serves as DHCP server. I have a WNDR3700 (192.168.15.2) which work as an access point and it provide wireless access for wireless devices. I have few dhcp clients where i can't setup static IP, and i want to restrict them to use static IP through MAC reservation.
1. Make ASA5505 to do the MAC reservation f, which will be easy setup for me. But as per my search its not possible.
2. Disable dhcp on ASA and enable dhcp on my WNDR3700. i tired this and dhcp clients are getting IP from wndr3700, but the problem is dhcp clients gateway defaults to 192.168.15.2 (as well as dns) and therefore no internet connection.
View 0 Replies
View Related
Feb 7, 2012
We have a Cisco 5505 ASA fireawll at a remote site. I can get the firewall to issue the IP addresses to the pc's, Is there a way for the pc's to get their IP addresses directly from our DHCP server?
View 3 Replies
View Related
Dec 26, 2011
My cisco representative tells me that I am limited to 10 IP addresses for my 10 user license on an ASA 5505 even though the Cisco documentation specifically states that a 10 user license allows the maximum DHCP clients to 32 IP addresses.
I want to have 30 computers get IP addresses from the ASA, but don't need any but one or two to get outside the internal network. Is this possible with a 10 USER license.
View 19 Replies
View Related
Sep 27, 2011
My cisco representative tells me that I am limited to 10 IP addresses for my 10 user license on an ASA 5505 even though the Cisco documentation specifically states that a 10 user license allows the maximum DHCP clients to 32 IP addresses.
I want to have 30 computers get IP addresses from the ASA, but don't need any but one or two to get outside the internal network. Is this possible with a 10 USER license.
View 1 Replies
View Related
Feb 11, 2013
I have an ASA5505 which provides internet (just internet) for about more than 600 pc/laptops. Can 5505's DHCP support this number?
View 4 Replies
View Related
Sep 20, 2011
I came across this site. I wanted to produce a better incoming ACL at home and work to prevent known bad sites
Here is their list of the Top 10 Global Spammers is out. The biggest surprise on the list is Korea, as it takes over the number one global spammer spot from China. With the improved high speed internet infrastructure in Korea and ease of network access, who knew Korea would be on the rise.
Here is the complete Global Spanner Top Ten List for the first quarter
[URL]
Korea
China
India
Russia
Turkey
Viet Nam
Ukraine
Brazil
Venezuela
Pakistan
When I sort the list, it is over 16k lines of ACL!
My question relates to what performance limits I would find.
Can I actually put that many lines in an ACL?
Will the router choke and do any other work
I have attached the sorted ACL list for you to review
Any of the following router lines will accept a list that large and still run acceptably?
2811
2911
3925
2945
View 1 Replies
View Related
Sep 19, 2011
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
View 1 Replies
View Related
Dec 26, 2011
I have a new customer that I installed an ASA 5505 to replace a Linksys VPN router. They have a main office with a static IP address, 3 branch offices with static IP addresses and 2 branches that are doing DHCP from the ISP for their router address. I have no problem getting the static VPNs up and running. My problem is with the VPN connections that are doing DHCP. I can go in and determine what IP they are currently using and setup a connection and it works fine. The problem is of course when their IP address from the ISP changes, which seems to happen at least daily. What is the proper way to setup a connection that is using DHCP? Also, can you setup multiple connections this way? Currently the 2 locations have different passwords setup in their routers.
View 1 Replies
View Related
Jul 1, 2012
I've been searching the net for days now trying to configure the ASA5505 for dual DHCP ISP use. All guides available assume you have one static.
After realizing that it required a Security Plus license to even configure 3 VLANs.
I can choose a backup interface in ASDM. It even says dual ISP enabled. Why cant there be a guide or simple configuration example or am I the only one looking for this kind of solution?
Customer has two ADSL internet connections and want to switch between them if they fail. No load balancing required.
View 2 Replies
View Related
Feb 24, 2011
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
View 2 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies
View Related
Jan 9, 2013
Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
View 2 Replies
View Related
Apr 1, 2013
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
View 4 Replies
View Related
Jan 15, 2013
Just inserted a new 5508 WLC into the network. We current have 3 4404 WLCs, and there was a need to duplicate, as much as possible, the configurations on the 4404s, and the design. The 5508 came online as expected. We moved a few access points over to it. The APs got the correct address range. The clients are expected to get addresses in the same scope range as the APs. However, the clients are receiving addresses in the management IP scope.I know there are two "not a good way to do it" in here. Why is the management address range in the DHCP scope, and why are the clients using the same scope as the APs. We are going to change that. For now, the AP and client in the same range has been going on since we rolled out wireless in 2006.The 8 ports on the 5508 are configured for LAG. There is no dedicated port for management. They tell me not to do that on a 5508.
View 8 Replies
View Related
Nov 15, 2012
We have a WLC 4410 management IP Address configured as 10.40.124.59.and configured VLAN1 on WLC with IP address 10.40.126.250. we are unable to ping the VLAN1 ip address from the switch. even unable to ping 10.40.126.252 (Gateway). Is there any limitation that we can not configured ip address from secondary scope...Switch vlan 1 configuration is ......interface GigabitEthernet0/0.1description Business VLANencapsulation dot1Q 1 nativeip address 100.93.50.2 255.255.0.0 secondaryip address 10.40.126.252 255.255.255.0 secondaryip address 10.40.124.61 255.255.255.192 secondaryip address100.43.94.252 255.255.255.0.
View 3 Replies
View Related
Oct 29, 2012
We have the following architecture for Internet access:
LAN ---- CISCO-CHASSIS----FIREWALL-----INTERNET
My concern is about PAT, for LAN users Internet access: I would like that PAT is performed by Cisco chassis(in my case, a C4500), not by firewall (which means: local IP addresses for flows from LAN to Internet are all natted with the same public IP address).Are there some drawbacks to this design? I guess there is no problem for classical flows, but what about flows with specific comportment (such as FTP) on Cisco routers?
View 0 Replies
View Related
Nov 30, 2011
I'm currently running 8.3(2) on my 5520s in an active/standby config. The 5520s have the 2GB RAM upgrade and 256MB flash card. Are there any CPU limitations in going to 8.4? I read the release notes but didn't seen anything about CPU. I heard through the grapevine that a 64-bit processor may be needed. We currently have the Pentium 4 Celeron 2000 MHz CPU.
View 1 Replies
View Related
Nov 29, 2011
Is it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs? For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet. At the moment I can use the one usable IP from the /30 to NAT to the private LAN. The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also. Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no? In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config. Does the ASA support aliases? Maybe I have to do something with VLANs?
View 2 Replies
View Related
