You can configure an ASA to act as a DHCP server and hand out dynamic IP addresses to requesting clients. The DHCP server can also drive dynamic DNS updates, so DNS records are refreshed as hosts obtain addresses.
The ASA returns its own interface address as the client's default gateway, together with the interface subnet mask. You can define and enable a DHCP server on more than one interface if clients sit on several of them.
Note that the ASA hands out only dynamic assignments from its pool: it has no per-host static binding or reservation, and, unlike an IOS router with ip dhcp excluded-address, no way to carve individual addresses out of a pool. The only lever is the pool range itself, so keep statically addressed hosts such as servers and printers outside it.
You can configure the DHCP server feature on the ASA via CLI using the following steps:
Step 1: Enable the DHCP server on an ASA interface that faces the clients:
ciscoasa(config)# dhcpd ?
configure mode commands/options:
address Configure the IP pool address range after this keyword
auto_config Enable auto configuration from client
dns Configure the IP addresses of the DNS servers after this
keyword
domain Configure DNS domain name after this keyword
enable Enable the DHCP server
lease Configure the DHCPD lease length after this keyword
option Configure options to pass to DHCP clients after this keyword
ping_timeout Configure ping timeout value after this keyword
update Configure dynamic updates
wins Configure the IP addresses of the NETBIOS servers after this
keyword
ciscoasa(config)# dhcpd enable ?
configure mode commands/options:
Available interfaces on which to enable the DHCP server:
inside Name of interface Vlan1
outside Name of interface Vlan2
Step 2: Create an address pool for clients on an interface:
ciscoasa(config)# dhcpd address ?
configure mode commands/options:
WORD IP address[es], <ip1>[-<ip2>]
Step 3: Configure DHCP options for clients.
You can use the dhcpd option command to define any specific DHCP options that clients need to receive, for example option 150 (the TFTP server list used by Cisco IP phones):
ciscoasa(config)# dhcpd option ?
configure mode commands/options:
<0-255> DHCP option code
ciscoasa(config)# dhcpd option 150 ?
configure mode commands/options:
ascii Configure the option information in ascii after this keyword
hex Configure the option information as a hexidecimal value after this
keyword
ip Configure the option information as IP address(es) after this keyword
<cr>
Step 4: Configure any global DHCP parameters.
ciscoasa(config)# dhcpd dns <dns1> <dns2>
ciscoasa(config)# dhcpd wins <wins1> <wins2>
ciscoasa(config)# dhcpd domain <domain-name>
By default, each DHCP lease is sent with a lease time of 3600 seconds, or 1 hour. You can override that value globally with the following command:
ciscoasa(config)# dhcpd lease ?
configure mode commands/options:
<300-1048575> The length of lease, in seconds, granted to DHCP client from
the DHCP server, default is 3600
<cr>
Finally, when the ASA receives a DHCP request from a potential client, it looks up the next available IP address in the pool. Before the DHCP reply goes out, the ASA sends an ICMP echo (ping) to that address to check that no other host is already using it. By default the ASA waits 50 ms for an ICMP reply; if none arrives, it assumes the address is free and assigns it to the client. If a reply does come back, the address is taken and the next one in the pool is tried. Treat this as a best-effort conflict check rather than a guarantee: a host whose firewall drops ICMP echo will not be detected, and raising the timeout only slows every offer.
You can override the ping timer with the following command, giving a timeout between 10 and 10,000 milliseconds:
ciscoasa(config)# dhcpd ping_timeout ?
configure mode commands/options:
<10-10000> Ping timeout value in milli seconds, default is 50
<cr>
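Putting the four steps together, here is an added example (written for this page, not ASA code) that models in Python the rules the ASA enforces in the CLI session later on: a pool must exist before dhcpd enable succeeds, the pool must fit inside the interface subnet and the platform's size limit, DNS and WINS addresses may not fall inside a pool, and allocation walks the pool skipping addresses that answer the pre-offer probe. The interface addresses, the 32-address limit and the error strings are taken from or assumed to match the walkthrough; the answers_ping callback stands in for the ICMP echo test.

```python
import ipaddress

# Added example: a model of the 'dhcpd' rules shown in the CLI session, not ASA code.
MAX_POOL_SIZE = 32            # the limit this ASA reported; assumed to depend on platform and licence
DEFAULT_LEASE = 3600          # seconds
DEFAULT_PING_TIMEOUT_MS = 50  # dhcpd ping_timeout default


class AsaDhcpModel:
    """Ordering, overlap and allocation rules of the ASA DHCP server.

    Configuration methods return None on success, or the error text the CLI
    printed (the command is then not applied, like 'dhcpd enable command failed').
    """

    def __init__(self, interfaces):
        # interfaces: name -> "ip/prefix", e.g. {"inside": "192.168.10.1/24"} (constructed)
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.pools = {}            # interface name -> list of IPv4Address
        self.enabled = set()
        self.dns_servers, self.wins_servers = [], []
        self.domain_name = None
        self.lease_seconds = DEFAULT_LEASE
        self.ping_timeout_ms = DEFAULT_PING_TIMEOUT_MS
        self.bindings = {}         # IPv4Address -> client identifier

    def _in_any_pool(self, addr):
        return any(addr in pool for pool in self.pools.values())

    def address(self, first, last, ifname):
        """dhcpd address <ip1>-<ip2> <ifname>: the pool must fit the interface subnet and the size limit."""
        net = self.interfaces[ifname].network
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in net or hi not in net or lo > hi:
            return "pool %s-%s is not inside the %s subnet %s" % (first, last, ifname, net)
        if int(hi) - int(lo) + 1 > MAX_POOL_SIZE:
            return ("Warning, DHCP pool range is limited to %d addresses, set address range as: %s-%s"
                    % (MAX_POOL_SIZE, lo, lo + MAX_POOL_SIZE - 1))
        self.pools[ifname] = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
        return None

    def enable(self, ifname):
        """dhcpd enable <ifname>: refused until that interface has a pool."""
        if ifname not in self.pools:
            return "need to define address pool range first"
        self.enabled.add(ifname)
        return None

    def _servers(self, target, addrs):
        # The ASA refuses DNS/WINS addresses that fall inside a pool, presumably so a
        # client can never be leased the address of the server it was told to use.
        parsed = [ipaddress.ip_address(a) for a in addrs]
        if any(self._in_any_pool(a) for a in parsed):
            return "address overlap with dhcp pool ip addresses"
        target[:] = parsed
        return None

    def dns(self, *addrs):
        return self._servers(self.dns_servers, addrs)

    def wins(self, *addrs):
        return self._servers(self.wins_servers, addrs)

    def lease(self, seconds):
        """dhcpd lease <300-1048575>"""
        if not 300 <= seconds <= 1048575:
            return "lease must be between 300 and 1048575 seconds"
        self.lease_seconds = seconds
        return None

    def allocate(self, client_id, ifname, answers_ping):
        """Return the OFFER parameters for the next free pool address, or None if nothing is free.

        answers_ping(addr) stands in for the ICMP echo the ASA sends before offering
        an address (default wait: 50 ms). It is a heuristic only: a host that drops
        ICMP is not detected, and a rogue host that answers for every pool address
        can starve the pool.
        """
        if ifname not in self.enabled:
            return None
        iface = self.interfaces[ifname]
        for addr in self.pools[ifname]:
            if addr in self.bindings or answers_ping(addr):
                continue          # already leased, or something out there answered the probe
            self.bindings[addr] = client_id
            return {"ip": str(addr),
                    "mask": str(iface.network.netmask),
                    "router": str(iface.ip),            # the ASA returns its own interface address
                    "dns": [str(a) for a in self.dns_servers],
                    "wins": [str(a) for a in self.wins_servers],
                    "domain": self.domain_name,
                    "lease": self.lease_seconds}
        return None
```

Replaying the session's commands against the model reproduces the same refusals (enable before a pool, a 245-address pool trimmed to 32, DNS servers inside the pool) and the same first lease, 192.168.10.10 with gateway 192.168.10.1; passing a callback that answers for an address shows it being skipped.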
Here's what it looks like to configure a DHCP server using ASDM.
For this scenario, we configured the ASA as the DHCP server for the "inside" interface and then ran some debug and show commands for verification.
ciscoasa(config)# dhcpd enable inside
need to define address pool range first
dhcpd enable command failed
ciscoasa(config)# dhcpd address ?
configure mode commands/options:
WORD IP address[es], <ip1>[-<ip2>]
ciscoasa(config)# dhcpd address 192.168.10.10-192.168.10.254 ?
configure mode commands/options:
Available interfaces on which to enable the DHCP server:
inside Name of interface Vlan1
outside Name of interface Vlan2
ciscoasa(config)# dhcpd address 192.168.10.10-192.168.10.254 inside
Warning, DHCP pool range is limited to 32 addresses, set address range as: 192.168.10.10-192.168.10.41
ciscoasa(config)# dhcpd address 192.168.10.10-192.168.10.41 inside
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# dhcpd dns ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
ciscoasa(config)# dhcpd dns 192.168.10.20 ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 2
interface Specify interface to which action will apply to
<cr>
ciscoasa(config)# dhcpd dns 192.168.10.20 192.168.10.21
address overlap with dhcp pool ip addresses
Usage: dhcpd address <ip1>[-<ip2>] <srv_ifc_name>
dhcpd dns <dnsip1> [<dnsip2>] [interface <srv_ifc_name>]
dhcpd wins <winsip1> [<winsip2>] [interface <srv_ifc_name>]
dhcpd lease <lease_length> [interface <srv_ifc_name>]
dhcpd ping_timeout <timeout> [interface <srv_ifc_name>]
dhcpd domain <domain_name> [interface <srv_ifc_name>]
dhcpd option <code> {ascii <string> | hex <hex_string> |
ip <address_1> [<address_2>]} [interface <srv_ifc_name>]
dhcpd enable <srv_ifc_name>
dhcpd auto_config <clnt_if_name> [interface <srv_ifc_name>
dhcpd update dns [both] [override] [interface <srv_ifc_name>]
show dhcpd [binding|statistics]
clear dhcpd
clear dhcpd [binding|statistics]
ciscoasa(config)# dhcpd dns 192.168.1.20 192.168.1.21
ciscoasa(config)# dhcpd wins ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
ciscoasa(config)# dhcpd wins 192.168.1.22 192.168.1.23
ciscoasa(config)# dhcpd domain ?
configure mode commands/options:
WORD DNS domain name
<cr>
ciscoasa(config)# dhcpd domain lagura.com
ciscoasa(config)# dhcpd lease ?
configure mode commands/options:
<300-1048575> The length of lease, in seconds, granted to DHCP client from
the DHCP server, default is 3600
<cr>
ciscoasa(config)# dhcpd lease 86400
ciscoasa(config)# debug dhcpd event ?
<1-255> Specify an optional debug level (default is 1)
<cr>
ciscoasa(config)# debug dhcpd event
debug dhcpd event enabled at level 1
ciscoasa(config)# DHCPD: checking for expired leases.
DHCPD: checking for expired leases.
ciscoasa(config)# dhcpd_create_automatic_binding() adding NP rule for client 192.168.10.10
DHCPD: assigned IP address 192.168.10.10 to client 0178.2bcb.d4a0.85.
ciscoasa(config)# no debug dhcpd event
debug dhcpd event disabled.
ciscoasa(config)# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# show dhcpd ?
exec mode commands/options:
binding Show dhcp bindings
state Show dhcpd state
statistics Show dhcpd statistics
ciscoasa(config)# show dhcpd state
Context Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
Interface outside, Configured for DHCP CLIENT
ciscoasa(config)# show dhcpd binding ?
exec mode commands/options:
all Show all dhcpd bindings
ciscoasa(config)# show dhcpd binding all
IP address Client Identifier Lease expiration Type
192.168.10.10 0178.2bcb.d4a0.85 86240 seconds Automatic
ciscoasa(config)# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools 1
Automatic bindings 1
Expired bindings 0
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 1
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 2
DHCPNAK 0
The client's ipconfig /all output confirms the lease parameters handed out by the ASA (default gateway and DHCP server are both the inside interface, 192.168.10.1):
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : lagura.com
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 78-2B-CB-D4-A0-85
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.10.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, May 30, 2013 12:39:59 AM
Lease Expires . . . . . . . . . . : Friday, May 31, 2013 12:39:59 AM
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.1
DHCPv6 IAID . . . . . . . . . . . : 242756555
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-FF-27-59-78-2B-CB-D4-A0-85
DNS Servers . . . . . . . . . . . : 192.168.1.20
192.168.1.21
Primary WINS Server . . . . . . . : 192.168.1.22
Secondary WINS Server . . . . . . : 192.168.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Using Wireshark to capture packets, we're able to observe the DHCP "DORA" process (Discover, Offer, Request, Ack).
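As an added example (not from the original post or from Cisco), the following Python builds and parses the four DORA messages with the values the walkthrough shows: the client MAC 78-2B-CB-D4-A0-85, the server at 192.168.10.1, and the subnet mask, router, DNS, domain, WINS and lease options the client reported. The transaction id and the client's parameter request list are constructed. The code hand-rolls the BOOTP/DHCP wire format so it runs offline, and it also shows why show dhcpd binding lists the client as 0178.2bcb.d4a0.85: that is option 61, hardware type 01 followed by the MAC.

```python
import socket
import struct

# Added example: hand-rolled DHCP messages for the DORA exchange above (not ASA code).
MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie that follows the BOOTP header
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types
BOOTREQUEST, BOOTREPLY = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed BOOTP header, 236 bytes

# Values from the walkthrough: client MAC from ipconfig, server is the ASA inside interface.
CLIENT_MAC = bytes.fromhex("782bcbd4a085")
SERVER_IP = "192.168.10.1"
XID = 0x3903F326                             # constructed transaction id


def ip(addr):
    return socket.inet_aton(addr)


def build(op, msg_type, xid, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """Serialise one DHCP message; options is a sequence of (code, bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, ip("0.0.0.0"), ip(yiaddr), ip(siaddr),
                      ip("0.0.0.0"), CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, val in options:
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC + body + b"\xff"


def parse(pkt):
    """Decode the header fields that matter here plus the option TLVs."""
    fields = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                     # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": socket.inet_ntoa(fields[8]),
            "chaddr": fields[11][:6], "options": opts}


def server_options(lease=86400):
    """The options the ASA returned to the client in the walkthrough."""
    return [(1, ip("255.255.255.0")),                      # subnet mask of the inside interface
            (3, ip(SERVER_IP)),                             # router = the ASA interface address
            (6, ip("192.168.1.20") + ip("192.168.1.21")),   # dhcpd dns
            (15, b"lagura.com"),                            # dhcpd domain
            (44, ip("192.168.1.22") + ip("192.168.1.23")),  # dhcpd wins
            (51, struct.pack("!I", lease)),                 # dhcpd lease 86400
            (54, ip(SERVER_IP))]                            # server identifier


def asa_client_id(mac):
    """Render option 61 (type 01 + MAC) the way 'show dhcpd binding' prints it."""
    h = (b"\x01" + mac).hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def dora(offered="192.168.10.10"):
    """Run both sides of Discover/Offer/Request/Ack; return the four messages, or None if the server would NAK."""
    client_id = b"\x01" + CLIENT_MAC
    discover = build(BOOTREQUEST, DISCOVER, XID,
                     options=[(61, client_id), (55, bytes([1, 3, 6, 15, 44]))])
    d = parse(discover)
    # server: offer a free pool address (conflict probing omitted here) under the client's xid
    offer = build(BOOTREPLY, OFFER, d["xid"], yiaddr=offered, siaddr=SERVER_IP, options=server_options())
    o = parse(offer)
    # client: request the offered address from the server that offered it
    request = build(BOOTREQUEST, REQUEST, o["xid"],
                    options=[(61, client_id), (50, ip(o["yiaddr"])), (54, o["options"][54])])
    r = parse(request)
    # server: only ACK a REQUEST that names this server and the address it actually offered
    if r["options"].get(54) != ip(SERVER_IP) or socket.inet_ntoa(r["options"][50]) != offered:
        return None
    ack = build(BOOTREPLY, ACK, r["xid"], yiaddr=offered, siaddr=SERVER_IP, options=server_options())
    return [discover, offer, request, ack]


def lease_summary(ack):
    """Extract from the ACK what the client's ipconfig /all reported."""
    a = parse(ack)
    o = a["options"]
    quad = lambda b: [socket.inet_ntoa(b[i:i + 4]) for i in range(0, len(b), 4)]
    return {"ip": a["yiaddr"], "mask": socket.inet_ntoa(o[1]), "router": socket.inet_ntoa(o[3]),
            "dns": quad(o[6]), "domain": o[15].decode(), "wins": quad(o[44]),
            "lease": struct.unpack("!I", o[51])[0], "client_id": asa_client_id(a["chaddr"])}
```

Feeding the ACK to lease_summary yields exactly the values in the ipconfig output and the binding table: 192.168.10.10/255.255.255.0, gateway 192.168.10.1, DNS 192.168.1.20 and .21, WINS 192.168.1.22 and .23, domain lagura.com, an 86400-second lease, and client identifier 0178.2bcb.d4a0.85. The server-identifier check in dora is the step that stops a client from being ACKed by a server it did not select, which matters when more than one DHCP server, legitimate or rogue, answers on the same segment.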