reflexive ACL (all outside, nothing inside) messing with DHCP lease?

Answered Question
May 2nd, 2009

problem: needing a reflexive ACL allowing all (originating inside) outside but nothing inside (with my outside int using DHCP)

interface FastEthernet 0/0
 ip address dhcp client-id FastEthernet0/0 hostname whatever
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 remark allowing anything originating from within the IntraNet to the InterNet
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log
ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark denying anything originating from the InterNet to the IntraNet
 evaluate aclFWoutsideTemp
 deny ip any any log

... after booting the above example works OK; ie: without applying the ACLs

... now adding to FE0/0:

 ip access-group aclFWoutsideIncoming in
 ip access-group aclFWoutsideOutgoing out

... still works (without rebooting)

... write mem, reload

... stopped working ... sh int FE0/0: the IP address will be negotiated with blah blah ...

is it possible this reflexive ACL is messing with the DHCP lease process?


ouajih.ouaja Sat, 05/02/2009 - 13:48

hi

you still need to allow the returning DHCP traffic since the dhcp request initiated by the router is not evaluated by the aclFWoutsideOutgoing !!!

so open a hole on the aclFWoutsideIncoming (it should be source udp port 67 destination udp port 68 ).

hth

regards

nlariguet Sat, 05/02/2009 - 20:18

ok; permit udp source port 67 destination udp port 68 before evaluate aclFWoutsideTemp but what will be the actual values for source and destination given that my FE0/0 aka outside is attached to a cable modem and my other int is FE0/1 attached to my IntraNet with a fixed IP?

nlariguet Sun, 05/03/2009 - 08:27

first and foremost thanks for the replies !

if I place permit udp any eq bootps any eq bootpc on aclFWoutsideIncoming it fixes the problem; however I prefer to be more specific since this is my edge router so I checked the linked article you suggested

now from linked wiki; this should be the DHCP client-side right (eg: my router FE0/0 aka outside)?

 10 permit udp host 0.0.0.0 eq bootpc host 10.32.73.129 eq bootps
 20 permit udp 10.32.73.128 0.0.0.63 eq bootpc host 10.32.73.129 eq bootps
 30 permit udp any eq bootpc host 255.255.255.255 eq bootps

assuming the cable modem (DHCP server) is 192.168.100.1 and the default subnet 192.168.100.0:

 10 permit udp host 0.0.0.0 eq bootpc host 192.168.100.1 eq bootps
 20 permit udp 192.168.100.0 0.0.0.255 eq bootpc host 192.168.100.1 eq bootps
 30 permit udp any eq bootpc host 255.255.255.255 eq bootps

so:

ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 permit udp host 0.0.0.0 eq bootpc host 192.168.100.1 eq bootps
 permit udp 192.168.100.0 0.0.0.255 eq bootpc host 192.168.100.1 eq bootps
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log

by the way these three entries are not needed (for the time being) since anyway I'm letting anything outside with permit ip any any, right?

and what about the specific entries on aclFWoutsideIncoming?

ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark with an exception to allow a DHCP lease from the cable modem
 ... ?
 evaluate aclFWoutsideTemp
 deny ip any any log

Am I starting to get this thing right?

Correct Answer
vikram_anumukonda Sun, 05/03/2009 - 22:24

you will have to configure the access-list "aclFWoutsideIncoming" only to permit returning DHCP Traffic as the DHCP traffic originating from the router cannot be filtered with ACLs.

HTH
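The mechanism the replies describe, that the router's own DHCP client traffic never passes through aclFWoutsideOutgoing and therefore never creates a reflexive entry that evaluate could match, can be seen in a small Python model of reflexive-ACL evaluation. This is an added example and is not configuration or code from the thread, from Cisco, or from IOS; it assumes the simplification that router-originated packets bypass the outbound ACL entirely, it uses the cable-modem address 192.168.100.1 assumed earlier in the thread, and the LAN host, remote server and attacker addresses are constructed from documentation ranges.

```python
# Added example (not from the thread): a toy model of IOS reflexive-ACL
# semantics as the replies describe them. Assumption: traffic the router
# originates itself (its DHCP client on the outside interface) is not
# evaluated by the outbound ACL, so no reflexive entry is created for it.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BOOTPS, BOOTPC = 67, 68  # DHCP server / client UDP ports


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    router_originated: bool = False  # True for the router's own DHCP client packets


@dataclass
class Ace:
    """One access-list entry: permit, deny, reflect (permit + reflect) or evaluate."""
    action: str
    proto: str = "ip"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    name: Optional[str] = None  # temporary-list name for reflect / evaluate


Flow = Tuple[str, str, int, str, int]
State = Dict[str, Set[Flow]]  # temp list name -> reflected 5-tuples


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    for pattern, value in ((ace.src, pkt.src), (ace.dst, pkt.dst)):
        if pattern != "any" and pattern != value:
            return False
    for port, value in ((ace.sport, pkt.sport), (ace.dport, pkt.dport)):
        if port is not None and port != value:
            return False
    return True


def apply_acl(acl: List[Ace], pkt: Packet, state: State) -> bool:
    """Walk the list in order; return True if the packet is permitted."""
    for ace in acl:
        temp = state.setdefault(ace.name or "", set())
        if ace.action == "evaluate":
            # permitted only if the mirror image of this packet was reflected earlier
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in temp:
                return True
            continue  # no match: fall through to the remaining entries
        if not _matches(ace, pkt):
            continue
        if ace.action == "reflect":
            temp.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def router_send(acl: List[Ace], pkt: Packet, state: State) -> bool:
    """Outbound path: router-generated traffic skips the interface ACL."""
    return True if pkt.router_originated else apply_acl(acl, pkt, state)


OUTGOING = [Ace("reflect", name="aclFWoutsideTemp"), Ace("deny")]      # aclFWoutsideOutgoing
ORIGINAL_INCOMING = [Ace("evaluate", name="aclFWoutsideTemp"), Ace("deny")]  # as first posted
# the fix from the thread: permit returning DHCP (bootps -> bootpc) ahead of the evaluate line
FIXED_INCOMING = [Ace("permit", "udp", "any", BOOTPS, "any", BOOTPC)] + ORIGINAL_INCOMING
# tighter variant (assumption: the modem sources offers from 192.168.100.1)
NARROW_INCOMING = [Ace("permit", "udp", "192.168.100.1", BOOTPS, "any", BOOTPC)] + ORIGINAL_INCOMING


def simulate(incoming: List[Ace]) -> Dict[str, bool]:
    state: State = {}
    results: Dict[str, bool] = {}
    # 1. the router's own DHCPDISCOVER bypasses the outbound ACL: nothing is reflected
    discover = Packet("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS, router_originated=True)
    router_send(OUTGOING, discover, state)
    # 2. DHCPOFFER coming back from the cable modem (constructed, broadcast reply)
    offer = Packet("udp", "192.168.100.1", BOOTPS, "255.255.255.255", BOOTPC)
    results["dhcp_offer"] = apply_acl(incoming, offer, state)
    # 3. a LAN host opens an HTTPS session; its reply is matched by evaluate
    syn = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443)
    results["tcp_out"] = router_send(OUTGOING, syn, state)
    reply = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000)
    results["tcp_reply"] = apply_acl(incoming, reply, state)
    # 4. unsolicited inbound connection attempt: no reflected entry, so denied
    probe = Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 22)
    results["unsolicited"] = apply_acl(incoming, probe, state)
    return results


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_INCOMING), ("with DHCP permit", FIXED_INCOMING),
                       ("narrowed DHCP permit", NARROW_INCOMING)):
        print(label, simulate(acl))
```

Running it shows the DHCPOFFER dropped by aclFWoutsideIncoming as first posted and permitted once a bootps-to-bootpc entry precedes the evaluate line, while host-initiated return traffic and unsolicited inbound attempts are treated identically under every variant of the list. The `any eq bootps any eq bootpc` form is the one nlariguet reported working; the narrowed variant that pins the source to the modem address is an assumption about how that particular modem sources its offers, and the only way to confirm it is to check the hits against the deny log line in the log.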
