Question

Locked

Cisco PIX 515 DHCP problem

By Matt H ·
Hi

I have acquired a PIX 515 (foc) and want to use it to hang a DR ftp server off and replace the PIX 501 I have at present.

It sits behind an ADSL router that is set up in half-bridge mode, the outside interface configured for DHCP. The 501 works perfectly like this.

All going ok apart from the 515 is not picking up the IP address from the router. If I connect my laptop to the router it gets the IP fine and I can browse the web. I have the outside interface configured as:

ip address outside dhcp setroute retry 4

but nothing is happening and it fails. No idea why.

I was getting "Deny udp reverse path check" errors but was given a suggestion to add:

no ip verify reverse-path interface OUTSIDE

which has stopped that error, but now there's nothing in any of the logs. I'm no expert on Cisco kit, but I need this going asap really.

Being in the UK and on a BT line, we're limited to PPPoA. I have read that the PIX only supports PPPoE and out ISP doesn't use it. Will this affect the PIX getting an IP? Can anyone give me any suggestions (ditch the PIX is not an option, BTW).

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Off the cuff

by NetMan1958 In reply to Cisco PIX 515 DHCP proble ...

Is there an access-list apllied to the outside interface and if so, does it allow DHCP?

Collapse -

More...

by Matt H In reply to Off the cuff

There are no access lists set. I've done some testing today though. If I connect my laptop to the router I get the initial ip from that, then once it connects to the ISP it then passes the external IP through to the laptop and I can browse the web.

If I connect the PIX outside interface directly to my LAN, it picks up an IP address immediately from my DC. No messing about.

So WHY won't it pick up an ip from the router? I have failover disabled yet it seems to use that ip address to get a network connection then try dhcp. I've had this error on startup :

dhcp client start discover: wait until failover switch to active
Warning: System IP and failover are not in the same subnet.
It will cause route command fail when bootup !!

So how does that work? Failover is disabled isn't it? The system IP is 127.0.0.1 so what am I supposed to do now? there's nowhere to change the subnet mask either. So I'm somewhat confused here. If I set the failover to the same range as the router it doesn't work. If I use one of my 6 static IPs from my ISP it doesn't work. if I use 0.0.0.0 is doesnt work. Anyone with any ideas????

Collapse -

Can you post your config

by NetMan1958 In reply to More...

Post a sanitized copy of your PIX config and maybe that will help.

Collapse -

Hope this helps!

by Matt H In reply to Can you post your config

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xNSsvXyNdnWaBVHa encrypted
passwd xNSsvXyNdnWaBVHa encrypted
hostname p-PIX
domain-name AB.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.0 AB1
name 111.222.0.0 AB2
name 111.222.168.0 LAN
name 99.88.777.11 FTP_Server
access-list outside_access_in permit tcp any eq ftp host 99.88.55.44
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
ip address outside dhcp setroute retry 15
ip address inside 111.222.168.4 255.255.255.0
ip address DMZ 99.88.777.4 255.255.255.0
ip verify reverse-path interface DMZ
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:05
failover poll 15
failover ip address outside 555.66.77.2
failover ip address inside 0.0.0.0
failover ip address DMZ 555.66.79.2
pdm location AB2 255.255.0.0 inside
pdm location FTP_Server 255.255.255.255 DMZ
pdm location AB1 255.0.0.0 inside
pdm location 0.0.0.0 255.255.255.248 outside
pdm logging notifications 100
pdm history enable
arp timeout 600
global (outside) 200 interface
global (inside) 200 interface
global (DMZ) 200 99.88.777.51-99.88.777.100 netmask 255.255.255.0
nat (inside) 200 AB2 255.255.0.0 0 0
nat (inside) 200 AB1 255.0.0.0 0 0
static (DMZ,outside) 99.88.55.44 FTP_Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route inside AB1 255.0.0.0 111.222.168.3 1
route inside AB2 255.255.0.0 111.222.168.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 111.222.250.29 source inside prefer
http server enable
http AB2 255.255.0.0 inside
http AB1 255.0.0.0 inside
snmp-server location Server Room
snmp-server contact Myself
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet AB1 255.0.0.0 inside
telnet AB2 255.255.0.0 inside
telnet timeout 5
ssh LAN 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:4a20f8838c8225c1fb5323338693a0df
: end
[OK]

Collapse -

Try running these debugs

by NetMan1958 In reply to Hope this helps!

debug dhcpc packet
debug dhcpc detail
debug dhcpc error

I would run only one at a time and see if that gives you anything useful. To force the pix to try to renew the ip run the "ip address outside dhcp setroute retry 15" command again.

Collapse -

you might want to consider using a static address

by CG IT In reply to Try running these debugs

on the PIX interface that connects to your ADSL router.

give us a sh route map or sh route in addition to NetMan's debug output.

Collapse -

Before you run the debugs

by NetMan1958 In reply to Try running these debugs

I just thought of something. Connect your new PIX to the router and then before you try anything else, run "show interface ethernet0" and check that the interface actually comes up.

Collapse -

I think we're getting somewhere...

by Matt H In reply to Try running these debugs

Right. Just run the debug dhcpc packet and detail. I have found this:

DHCP: offer has below min lease length: 60. punt

Ah-ha! However, as a test I have changed my router lease time to 5 days so I think this is coming from my ISP, as the router is in 1/2-bridge. I've passed the full debug trace to their tech support but I don't know what they can do about it.

I'm on my hols for 2 weeks from tonight, back in on 1st Sept (bank holiday the Monday we get back!) so if nothing happens I will be picking this back up then. Many thanks for your responses, guys.

Back to Networks Forum
9 total posts (Page 1 of 1)  

Related Discussions

Related Forums