
DHCP stopped working ASA 5510

Status
Not open for further replies.

jaroszke

IS-IT--Management
Jul 29, 2010
7
US
I got my ASA working yesterday to have one outside interface with 2 IP addresses: one for internet and the other for the public address of the web server. I unhooked it for the night because I didn't have our database server set up with the proper IP address yet. I went to hook everything back up today and DHCP won't work. I feel like I am going crazy.
The setup: ISP (2 public IPs) --> ASA 5510 --> Linksys SRW48G4 (split into 4 VLANs)
I have eth0/2 set up as a DMZ, and I can get the web server running if it's plugged directly into the ASA, but if it goes through the switch it doesn't work. Internet IP (x.x.x.194), web server public IP (x.x.x.184).
Here is my running config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password By8z9vzib.NyHQdS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.194 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.2
vlan 2
nameif table
security-level 95
ip address 195.168.2.1 255.255.255.0
!
interface Ethernet0/3.3
vlan 3
nameif labs
security-level 100
ip address 195.168.3.1 255.255.255.0
!
interface Ethernet0/3.4
vlan 4
nameif server
security-level 100
ip address 195.168.4.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list table_access_in extended permit ip any any
access-list labs_access_in extended permit icmp any any echo-reply
access-list labs_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 10.0.0.2 x.x.x.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp any eq 10.0.0.2
access-list outside_access_in extended permit tcp any eq x.x.x.184
access-list outside_access_in extended permit ip any any
access-list DMZ extended permit icmp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu table 1500
mtu labs 1500
mtu server 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0 dns
nat (table) 1 0.0.0.0 0.0.0.0 dns
nat (labs) 1 0.0.0.0 0.0.0.0 dns
static (dmz,outside) tcp x.x.x.184 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group table_access_in in interface table
access-group labs_access_in in interface labs
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0

and your web server is?
Web server Public IP (x.x.x.184)

on the same range?

so, e.g., your private network is 192.168.x.x and your web server / dmz is 10.0.0.x?

- just to clarify your network.

also, why would you run your company DHCP off the Cisco? Cisco DHCP is not always the best at promptly assigning addresses.

you will be better off using your windows server (SBS / DC / FS offering DHCP)

ACSS - SME
 
1) I don't see the dhcp service configured
2) The link on the switch connecting to e0/3 is configured as a trunk (tagged port) and the link on the switch connecting to e0/2 is an access port?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, the public web server IP (.184) is on the same range as our internet IP (.194).
Yes, the private network is 192.168.x.x and the web server / DMZ is 10.0.0.x.
We are a computer lab at our university and are using the school's DNS server. We are running DHCP off the Cisco for two reasons: didn't know any better, lol, and we don't have an extra box to run it off of.
Whoops, guess there is a character limit; the config got cut off.
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 99.165.212.128 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
shutdown
smtp from-address admin@ciscoasa.null
telnet timeout 5

ssh timeout 5
console timeout 0
dhcpd dns x.x.x.8
!
dhcpd address 10.0.0.2-10.0.0.3 dmz
dhcpd enable dmz
!
dhcpd address 195.168.2.100-195.168.2.120 table
dhcpd enable table
!
dhcpd address 195.168.3.2-195.168.3.254 labs
dhcpd enable labs
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin1 password ZtmwWxwfZJPPSOvr encrypted
username keith password CcULJAvn1o5FM3xv encrypted privilege 15
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:260328d981bca1f9cc2b94ceb5352ce6
: end
no asdm history enable
There is the rest of it.
Also, the switch is configured on that port to be trunked and tagged for the correct VLAN.
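As an added example (not from the thread or from Cisco), a small Python audit of the interface/dhcpd layout in the config posted above: it maps each nameif to its connected network and pool, reports inside or DMZ interfaces with no dhcpd pool (the "server" VLAN has none), flags a pool that contains a statically addressed host (the web server at 10.0.0.2 sits inside the dmz pool 10.0.0.2-10.0.0.3, so the ASA may hand that address to another client), and notes interfaces numbered from non-RFC 1918 space (the 195.168.x.x ranges). The embedded config excerpt is constructed from the posted config with the outside interface left out.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted above; the "server" VLAN has no dhcpd pool.
ASA_CONFIG = """\
interface Ethernet0/2
 nameif dmz
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/3.3
 nameif labs
 ip address 195.168.3.1 255.255.255.0
interface Ethernet0/3.4
 nameif server
 ip address 195.168.4.1 255.255.255.0
dhcpd address 10.0.0.2-10.0.0.3 dmz
dhcpd address 195.168.3.2-195.168.3.254 labs
"""

def parse_asa(text):
    """Map each nameif to its connected network and, if present, its dhcpd pool."""
    nets, pools, nameif = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            nameif = None  # new interface block; forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ip, mask = line.split()[2:4]
            nets[nameif] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line):
            pools[m[3]] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return nets, pools

def audit_dhcp(text, static_hosts=("10.0.0.2",), skip=("outside",)):
    """Flag missing pools, static hosts inside a pool, and non-RFC 1918 inside/DMZ nets."""
    nets, pools = parse_asa(text)
    findings = []
    for name, net in nets.items():
        if name in skip:
            continue
        if not net.is_private:
            findings.append(f"{name}: {net} is not RFC 1918 space")
        if name not in pools:
            findings.append(f"{name}: no dhcpd pool")
            continue
        lo, hi = pools[name]
        for h in static_hosts:
            if lo <= ipaddress.ip_address(h) <= hi:
                findings.append(f"{name}: static host {h} lies inside pool {lo}-{hi}")
    return findings
```

Run `audit_dhcp(ASA_CONFIG)` against the excerpt; a pool that overlaps a statically configured server is a common source of "DHCP works on some VLANs but not the DMZ" symptoms and is worth excluding from the range.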
 
Update
Came into work today and was able to obtain IP addresses on VLANs table and labs, but still nothing on the DMZ. I have the web server statically set in the Windows IP settings. This might provide something else: when I plug the web server into the port on the switch I don't get a green light; it's a blinking yellow.
Thanks in advance
 
I got everything to work. I had to go into the switch and delete the VLAN for the DMZ, and then I recreated it and it magically started working. Maybe something hung, I don't know, but thank you all for your input.
 