05-02-2009 09:27 AM - edited 03-11-2019 08:26 AM
problem: needing a reflexive ACL allowing all (originating inside) outside but nothing inside (with my outside int using DHCP)
interface FastEthernet 0/0
ip address dhcp client-id FastEthernet0/0 hostname whatever
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
ip access-list extended aclFWoutsideOutgoing
remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
remark allowing anything originating from within the IntraNet to the InterNet
permit ip any any reflect aclFWoutsideTemp
deny ip any any log
ip access-list extended aclFWoutsideIncoming
remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
remark denying anything originating from the InterNet to the IntraNet
evaluate aclFWoutsideTemp
deny ip any any log
... after booting the above example works OK; ie: without applying the ACLs
... now adding to FE0/0:
ip access-group aclFWoutsideIncoming in
ip access-group aclFWoutsideOutgoing out
... still works (without rebooting)
... write mem, reload
... stopped working ... sh int FE0/0: the IP address will be negotiated with blah blah ...
is it possible this reflexive ACL is messing with the DHCP lease process ?
05-02-2009 01:48 PM
hi
you still need to allow the returning DHCP traffic, since the DHCP request initiated by the router is not evaluated by aclFWoutsideOutgoing !!!
so open a hole in aclFWoutsideIncoming (it should be source UDP port 67, destination UDP port 68).
hth
regards
05-02-2009 08:18 PM
ok; permit udp source port 67 destination udp port 68 before evaluate aclFWoutsideTemp, but what will be the actual values for source and destination, given that my FE0/0 (aka outside) is attached to a cable modem and my other interface, FE0/1, is attached to my IntraNet with a fixed IP?
05-02-2009 10:40 PM
the source IP address of the return packets sent in response to the DHCP Discover is the DHCP server's IP address
check this link
05-03-2009 08:27 AM
first and foremost thanks for the replies !
if I place permit udp any eq bootps any eq bootpc on aclFWoutsideIncoming it fixes the problem; however, I prefer to be more specific since this is my edge router, so I checked the linked article you suggested
now from the linked wiki; this should be the DHCP client side, right (eg: my router FE0/0 aka outside)?
10 permit udp host 0.0.0.0 eq bootpc host 10.32.73.129 eq bootps
20 permit udp 10.32.73.128 0.0.0.63 eq bootpc host 10.32.73.129 eq bootps
30 permit udp any eq bootpc host 255.255.255.255 eq bootps
assuming the cable modem (DHCP server) is 192.168.100.1 and the default subnet 192.168.100.0:
10 permit udp host 0.0.0.0 eq bootpc host 192.168.100.1 eq bootps
20 permit udp 192.168.100.0 0.0.0.255 eq bootpc host 192.168.100.1 eq bootps
30 permit udp any eq bootpc host 255.255.255.255 eq bootps
so:
ip access-list extended aclFWoutsideOutgoing
remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
permit udp host 0.0.0.0 eq bootpc host 192.168.100.1 eq bootps
permit udp 192.168.100.0 0.0.0.255 eq bootpc host 192.168.100.1 eq bootps
permit udp any eq bootpc host 255.255.255.255 eq bootps
permit ip any any reflect aclFWoutsideTemp
deny ip any any log
by the way, these three entries are not needed (for the time being) since anyway I'm letting anything outside with permit ip any any, right?
and what about the specific entries on aclFWoutsideIncoming ?
ip access-list extended aclFWoutsideIncoming
remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
remark with an exception to allow a DHCP lease from the cable modem
... ?
evaluate aclFWoutsideTemp
deny ip any any log
Am I starting to get this thing right?
05-03-2009 10:24 PM
you will have to configure the access-list "aclFWoutsideIncoming" only to permit returning DHCP traffic, as the DHCP traffic originating from the router cannot be filtered with ACLs.
HTH
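The ACL the accepted answer describes, written out as an added example (this is not the original poster's or the responder's config). It assumes the poster's cable-modem DHCP server address 192.168.100.1 and reuses the ACL names already in the thread; the port pair is the one given above (server port 67/bootps to client port 68/bootpc):

```cisco
! Added example, not the original poster's configuration.
! 192.168.100.1 is the poster's assumed cable-modem DHCP server; replace it
! with whatever 'show dhcp lease' reports as the server for the FE0/0 lease.
ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark exception: DHCP replies (server port 67 -> client port 68) for the router's own lease
 remark destination is 'any' because the OFFER/ACK may be broadcast (255.255.255.255) or unicast to the leased address
 permit udp host 192.168.100.1 eq bootps any eq bootpc
 remark everything else must match a reflexive entry created by inside-initiated traffic
 evaluate aclFWoutsideTemp
 deny ip any any log
!
ip access-list extended aclFWoutsideOutgoing
 remark no DHCP entries needed here: the router's own DHCP requests are not subject to the outbound ACL
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group aclFWoutsideIncoming in
 ip access-group aclFWoutsideOutgoing out
```

Two practical checks: if the lease actually comes from the ISP's DHCP server rather than from the modem's 192.168.100.1, the source address differs, and `show dhcp lease` reports which server granted it; and while the exception is still missing, the `deny ip any any log` entry logs the dropped reply as a %SEC-6-IPACCESSLOGP message showing the server address and the 67 -> 68 port pair, which is the quickest way to find the right value. The outbound ACL needs no DHCP entries: traffic the router itself originates is not evaluated by the outbound ACL, which is also exactly why it never creates a reflexive entry for the request and the reply is dropped without the explicit permit.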