
DHCP on a 501

Status
Not open for further replies.

strueson (MIS), Oct 15, 2002
Hi - I have set up a 501 to work as a DHCP server, as I did in other places. It assigns all the needed addresses correctly, but it seems that no traffic is allowed to go through the PIX from this station. If I assign the same addresses manually, it works perfectly.

Can someone help me on that?
Thanks
 
What default gateway are you assigning manually? Is it the same assigned by the PIX as DHCP server? The PIX always assigns its interface as the default gateway.
 
As default gateway I assign the internal interface of the 501. It should work. It works at the beginning and it stopped after a while... Maybe a bug in some version?
 
It could be... When you say it works for a while and then stops, does it stop for every host in the network? If you issue a clear xlate when it happens, is the problem solved?
 
No... it doesn't solve the problem. It's something very strange. I compared the configurations and the software versions and they look to be the same on all my sites.
I appreciate any suggestion that could help. Thanks
 
Sure, can you post any of your config? Just the important stuff will do.

Eddie Venus
 
Here is the config that I'm speaking about:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

names
name X.X.X.X group
name Y.Y.Y.Y VPN
access-list inside_outbound_nat0_acl permit ip VPN 255.255.255.224 group 255.255.0.0
access-list outside_cryptomap_20 permit ip VPN 255.255.255.224 SDS-group 255.255.0.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside Z.Z.Z.Z 255.255.255.192
ip address inside 172.18.156.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
… (PDM)
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
… (AAA)

floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer Z.Z.Z.Z
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address Z.Z.Z.Z netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh group 255.255.0.0 inside
ssh timeout 5
dhcpd address 172.18.156.14-172.18.156.18 inside
dhcpd dns X.X.X.38 X.X.X.37
dhcpd wins X.X.X.38 X.X.X.37
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain "my.domain.com"
dhcpd auto_config outside
dhcpd enable inside
username administrator password 6iezYGkA1tldKp.F encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:a58066ca3da17493a29e4d7eb04f4395
: end
pix#


Do you see something wrong?
 
I do not see any glaring mistakes. In fact it looks more or less just like most of the ones I have done, except I take this line out: dhcpd auto_config outside. But I do not think it matters really.

Are you getting addresses from the PIX in DHCP mode at all? As in, when you look at the PC using ipconfig or winipcfg, do you see the correct settings after it gets its info from DHCP? I only ask because if there is another DHCP server on the network, or if they are not even requesting from the PIX, then that may be an issue you need to resolve first.

Also, and I know it sounds so lame out loud, but have you power cycled the PIX since you did this config? Sometimes that helps a lot. I can clear caches and buffers all day, and no dice, but one reset and it works great. Maybe Cisco is secretly owned by M$? No, that would be silly. But try the reset anyway; unless you did not save your config, it cannot hurt.

Eddie Venus
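A quick way to work through the two questions raised above (is the DHCP pool actually consistent with the inside interface it is served on, and does the client end up with the PIX's inside address as both gateway and DHCP server, or with a lease from somewhere else) is to parse both sides and compare them. This is an added example, not code from the thread or from Cisco. The config lines are the DHCP-relevant ones from the post above, with the masked DNS servers (X.X.X.38/37) replaced by RFC 5737 documentation addresses so the snippet parses; the ipconfig output is a constructed sample, not output anyone in the thread posted.

```python
import ipaddress
import re

# Constructed sample input: the DHCP-relevant lines of the PIX 6.2 config posted
# in the thread. The page masks the DNS servers as X.X.X.38/37; RFC 5737
# documentation addresses stand in for them here so the snippet parses.
PIX_CONFIG = """\
ip address inside 172.18.156.1 255.255.255.224
dhcpd address 172.18.156.14-172.18.156.18 inside
dhcpd dns 198.51.100.38 198.51.100.37
dhcpd lease 3600
dhcpd enable inside
"""

# Constructed sample of what `ipconfig /all` on a Windows client might print
# after taking a lease from the PIX (hypothetical output, not from the thread).
IPCONFIG_OUTPUT = """\
        IP Address. . . . . . . . . . . . : 172.18.156.14
        Subnet Mask . . . . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . . . . : 172.18.156.1
        DHCP Server . . . . . . . . . . . : 172.18.156.1
        DNS Servers . . . . . . . . . . . : 198.51.100.38
                                            198.51.100.37
"""


def parse_pix_dhcp(config):
    """Return (inside interface, (pool_start, pool_end)) from a PIX 6.x config."""
    iface = pool = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip address inside (\S+) (\S+)$", line)
        if m:
            iface = ipaddress.IPv4Interface("%s/%s" % m.groups())
        m = re.match(r"dhcpd address (\S+)-(\S+) inside$", line)
        if m:
            pool = tuple(ipaddress.IPv4Address(a) for a in m.groups())
    if iface is None or pool is None:
        raise ValueError("config lacks an inside ip address or a dhcpd pool")
    return iface, pool


def check_scope(iface, pool):
    """Sanity checks on the pool relative to the interface it is served on."""
    problems = []
    net = iface.network
    lo, hi = pool
    if lo > hi:
        problems.append(f"pool start {lo} is after pool end {hi}")
    if lo not in net or hi not in net:
        problems.append(f"pool {lo}-{hi} is not inside {net}")
    # The PIX hands out its own interface address as the default gateway, so
    # the interface address must not itself be part of the pool.
    if lo <= iface.ip <= hi:
        problems.append(f"interface address {iface.ip} lies inside the pool")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


def parse_ipconfig(text):
    """Pull the lease details out of Windows `ipconfig /all` style output."""
    fields = {"IP Address": "ip", "Subnet Mask": "netmask",
              "Default Gateway": "gateway", "DHCP Server": "dhcp_server"}
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)[ .]*: (\S+)", line)
        if m and m.group(1).strip() in fields:
            out[fields[m.group(1).strip()]] = ipaddress.IPv4Address(m.group(2))
    return out


def compare_lease(iface, pool, client):
    """Differences between what the PIX should hand out and what the client shows."""
    diffs = []
    if client.get("gateway") != iface.ip:
        diffs.append(f"gateway {client.get('gateway')} != PIX inside {iface.ip}")
    if client.get("netmask") != iface.netmask:
        diffs.append(f"netmask {client.get('netmask')} != {iface.netmask}")
    if client.get("dhcp_server") != iface.ip:
        # A lease from any other address means another DHCP server answered first.
        diffs.append(f"lease came from {client.get('dhcp_server')}, not the PIX")
    ip = client.get("ip")
    if ip is None or not (pool[0] <= ip <= pool[1]):
        diffs.append(f"client address {ip} is outside the PIX pool {pool[0]}-{pool[1]}")
    return diffs


if __name__ == "__main__":
    iface, pool = parse_pix_dhcp(PIX_CONFIG)
    print("scope problems:", check_scope(iface, pool) or "none")
    client = parse_ipconfig(IPCONFIG_OUTPUT)
    print("lease differences:", compare_lease(iface, pool, client) or "none")
```

Run against the posted config the scope check comes back clean (pool .14-.18 sits inside 172.18.156.0/27 and does not include the .1 gateway), so the useful output is the second list: any non-empty result there, in particular a DHCP Server address other than 172.18.156.1, points at the client taking a lease from something other than the PIX.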
 
There are no other DHCP servers online and I tried the reset too. No luck... So any other suggestions? I'm completely out of resources for this issue...
 