reflexive ACL (all outside, nothing inside) messing with DHCP lease?

nlariguet (Level 1)

Problem: I need a reflexive ACL allowing everything originating inside to go outside, but nothing coming inside (with my outside interface using DHCP).

interface FastEthernet0/0
 ip address dhcp client-id FastEthernet0/0 hostname whatever
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 remark allowing anything originating from within the IntraNet to the InterNet
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log

ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark denying anything originating from the InterNet to the IntraNet
 evaluate aclFWoutsideTemp
 deny ip any any log

... after booting, the above example works OK; i.e., without applying the ACLs

... now adding to FE0/0:

 ip access-group aclFWoutsideIncoming in
 ip access-group aclFWoutsideOutgoing out

... still works (without rebooting)

... write mem, reload

... stopped working ... sh int FE0/0: "the IP address will be negotiated with" blah blah ...

Is it possible this reflexive ACL is messing with the DHCP lease process?


5 Replies

ouajih.ouaja (Level 1)

hi

you still need to allow the returning DHCP traffic, since the DHCP request initiated by the router is not evaluated by aclFWoutsideOutgoing!!!

so open a hole in aclFWoutsideIncoming (it should be source UDP port 67, destination UDP port 68).

hth

regards

OK; permit udp source port 67 destination udp port 68 before evaluate aclFWoutsideTemp, but what will be the actual values for source and destination, given that my FE0/0 (aka outside) is attached to a cable modem and my other interface, FE0/1, is attached to my IntraNet with a fixed IP?

The source IP address of the return packets sent in response to a DHCP Discover is the DHCP server's IP address.

check this link

http://en.wikipedia.org/wiki/DHCP

First and foremost, thanks for the replies!

If I place permit udp any eq bootps any eq bootpc in aclFWoutsideIncoming it fixes the problem; however, I prefer to be more specific since this is my edge router, so I checked the linked article you suggested.

Now, from the linked wiki, this should be the DHCP client side, right (e.g. my router FE0/0, aka outside)?

 10 permit udp host 0.0.0.0 eq bootpc host 10.32.73.129 eq bootps
 20 permit udp 10.32.73.128 0.0.0.63 eq bootpc host 10.32.73.129 eq bootps
 30 permit udp any eq bootpc host 255.255.255.255 eq bootps

Assuming the cable modem (DHCP server) is 192.168.100.1 and the default subnet is 192.168.100.0:

 10 permit udp host 0.0.0.0 eq bootpc host 192.168.100.1 eq bootps
 20 permit udp 192.168.100.0 0.0.0.255 eq bootpc host 192.168.100.1 eq bootps
 30 permit udp any eq bootpc host 255.255.255.255 eq bootps

so:

ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 permit udp host 0.0.0.0 eq bootpc host 192.168.100.1 eq bootps
 permit udp 192.168.100.0 0.0.0.255 eq bootpc host 192.168.100.1 eq bootps
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log

By the way, these three entries are not needed (for the time being), since I'm letting anything out with permit ip any any anyway, right?

And what about the specific entries in aclFWoutsideIncoming?

ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark with an exception to allow a DHCP lease from the cable modem
 ... ?
 evaluate aclFWoutsideTemp
 deny ip any any log

Am I starting to get this thing right?

Accepted Solution:

You will have to configure the access-list "aclFWoutsideIncoming" only to permit the returning DHCP traffic, as the DHCP traffic originating from the router cannot be filtered with ACLs.

HTH
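The direction question that runs through the last two posts (which source/destination addresses and ports the inbound exception needs, and why the entries the poster drafted use the wrong direction) can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator in Python that applies two candidate versions of aclFWoutsideIncoming to the server-to-client DHCP packets the outside interface receives. Only the inbound ACL is modelled, because, as the accepted solution says, the router's own DISCOVER/REQUEST are not subject to the outbound ACL and so never create a reflexive entry in aclFWoutsideTemp. The addresses are assumptions taken from the thread (cable modem / DHCP server 192.168.100.1, subnet 192.168.100.0/24) plus an assumed offered lease of 192.168.100.10; the packets are constructed, not captured.

```python
# Added example (not from the original thread or from Cisco): evaluate the
# inbound DHCP packets a router's outside interface sees against two candidate
# versions of aclFWoutsideIncoming. Assumed addresses: DHCP server
# 192.168.100.1, offered lease 192.168.100.10. All packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BOOTPS, BOOTPC = 67, 68          # UDP 67 = DHCP server side, UDP 68 = client side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny udp <src> eq <sport> <dst> eq <dport>' entry.

    src/dst use IOS syntax: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'
    (address plus wildcard mask). A port of None means any port. Every entry
    here is UDP, so the protocol field is not modelled.
    """
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF        # wildcard 0-bits must match, 1-bits are ignored
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def server_to_client_packets(server: str, offered: str) -> List[Packet]:
    """Constructed inbound DHCP traffic on the outside interface: OFFER/ACK are
    broadcast while the client has no address, and unicast to the leased
    address on renewal (some servers unicast the OFFER as well)."""
    return [
        Packet(server, BOOTPS, "255.255.255.255", BOOTPC),   # broadcast OFFER / ACK
        Packet(server, BOOTPS, offered, BOOTPC),             # unicast OFFER / renewal ACK
    ]


def proposed_inbound() -> List[Ace]:
    """The entries drafted in the thread. They describe CLIENT -> SERVER
    (source bootpc, destination bootps), i.e. the router's outbound requests,
    which the inbound ACL never sees."""
    return [
        Ace("permit", "host 0.0.0.0", BOOTPC, "host 192.168.100.1", BOOTPS),
        Ace("permit", "192.168.100.0 0.0.0.255", BOOTPC, "host 192.168.100.1", BOOTPS),
        Ace("permit", "any", BOOTPC, "host 255.255.255.255", BOOTPS),
    ]


def corrected_inbound(server: str) -> List[Ace]:
    """Returning traffic is SERVER -> CLIENT: source bootps, destination bootpc.
    IOS form:  permit udp host 192.168.100.1 eq bootps any eq bootpc
    'any' as destination because the client is addressed as 255.255.255.255
    before a lease exists and as the leased address afterwards."""
    return [Ace("permit", f"host {server}", BOOTPS, "any", BOOTPC)]


def verdicts(acl: List[Ace], pkts: List[Packet]) -> List[str]:
    return [evaluate(acl, p) for p in pkts]


if __name__ == "__main__":
    pkts = server_to_client_packets("192.168.100.1", "192.168.100.10")
    print("proposed :", verdicts(proposed_inbound(), pkts))          # ['deny', 'deny']
    print("corrected:", verdicts(corrected_inbound("192.168.100.1"), pkts))  # ['permit', 'permit']
```

On the router this corresponds to placing `permit udp host 192.168.100.1 eq bootps any eq bootpc` ahead of `evaluate aclFWoutsideTemp` in aclFWoutsideIncoming (the broad `permit udp any eq bootps any eq bootpc` that the poster found working is the same entry with the server address left open). Pinning the source to the cable modem's address is only safe if that address is stable; if the ISP's DHCP server answers from a different address, or via a relay, the tighter entry will break the lease again in exactly the way the thread describes.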
