Blocking DHCP at ASA

Unanswered Question
Feb 18th, 2009

Good Day,


I have seven subnets that previously used public IPs exclusively w/helper addresses configured on a router that I *do not* control.


We recently installed an ASA 5550 to do nothing more than perform NAT for five on the subnets, the other two retain the use of public IPs.


The DHCP server we planned to use is on a public IP subnet. The ethernet port on this box is configured for Dot1q trunking and listens on all ports for DHCP broadcasts.


The problem, or peculiarity, I'm seeing is that the DHCP requests hit the server twice--once as a simple broadcast and again after passing through the ASA, hitting the router and being directed by the helper address. (all this in spite of using the ASA as an interim DHCP server)


I could request that the helper addresses be removed, but my first thought was to simply block port 67 and 68 from passing through the ASA. I have applied the "nodhcpout" acl to both inside and outside interfaces, but the traffic still passes. I have also disabled same-security traffic with the same result.


Any insight is appreciated. Here's the config from one context:


********


nat/vlan540# sh run

: Saved

:

ASA Version 8.0(4) <context>

!

hostname vlan540

domain-name domain.com

enable password

passwd

names

!

interface GigabitEthernet0/1

nameif 54lowerout

security-level 0

ip address xxx.xxx.xxx.2 255.255.255.128

!

interface GigabitEthernet1/0.3

nameif 54lowerin

security-level 0

ip address 172.18.0.1 255.255.0.0

!

dns domain-lookup 54lowerout

dns server-group DefaultDNS

name-server xxx.xxx.xxx.x

domain-name domain.com

access-list allow extended permit ip any any

access-list nodhcpout extended deny udp any any eq bootps

access-list nodhcpout extended deny udp any any eq bootpc

access-list nodhcpout extended permit ip any any

pager lines 24

logging enable

logging trap alerts

logging host 54lowerout x.x.x.x

logging message 305012 level alerts

logging message 305011 level alerts

logging message 305010 level alerts

logging message 305009 level alerts

mtu 54lowerout 1500

mtu 54lowerin 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (54lowerout) 1 x.x.x.x netmask 255.255.255.128

global (54lowerout) 1 x.x.x.x

nat (54lowerin) 1 172.18.0.0 255.255.0.0

access-group allow in interface 54lowerout

access-group allow out interface 54lowerout

access-group nodhcpout in interface 54lowerin

access-group nodhcpout out interface 54lowerin

route 54lowerout 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:06:00

timeout conn 0:06:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh x.x.x.0 255.255.255.128 54lowerout

ssh timeout 15

dhcpd dns x.x.x.x

dhcpd lease 1800

!

dhcpd address 172.18.0.10-172.18.1.9 54lowerin

dhcpd enable 54lowerin

!

no threat-detection statistics tcp-intercept


!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

Cryptochecksum:194296e16f28f367fd9988f2289b15bd

: end

nat/vlan540#

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion