DHCP on DMZ interface and ACL deny ip any any

Answered Question
Jul 6th, 2013

Hi Everyone,


The ASA has a DMZ interface, and it has an ACL with deny ip any any.

Then it has a few ACLs that allow http, https, dns, and other traffic from the DMZ to the outside.

Users are getting an IP from the DHCP pool which is configured for interface DMZ.

I need to know how users are getting an IP on the PC from the DMZ pool even though the DHCP request or broadcast is not allowed under the ACL.

Config of ASA is attached.


Regards

Mahesh

Correct Answer by Karsten Iwen, Sat, 07/06/2013 - 09:48

On the ASA, the ACLs on the interface filter traffic through the ASA, but not traffic that is for the ASA. When a client sends a DHCP-broadcast, that is traffic that is for the ASA (as you have enabled the DHCP-server), so you don't need an ACE for that.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Correct Answer by Jouni Forss, Sat, 07/06/2013 - 09:49

Hi Mahesh,


The ASA acts a bit differently than what you might have been used to with a Cisco router. On a Cisco router, having an ACL that denies traffic could mean that you were actually blocking DHCP operation on the router itself for the hosts.

On the ASA, however, the typical interface ACL won't affect DHCP operation at all. So if you have configured an ACL and DHCP on the ASA interface, then the DHCP operation won't be blocked.


- Jouni
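To make the behaviour both answers describe concrete, here is an added ASA configuration fragment (not the poster's attached config; interface name, addresses and the ACL name are assumed) showing the interface ACL with deny ip any any sitting next to a DHCP server bound to the same interface, plus the show commands to confirm that leases are still being handed out:

```cisco
! Added example, not the original poster's attached config.
! Interface name, addresses and ACL name are assumed.
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! DHCP server running on the ASA itself: DHCP Discover/Request from DMZ
! hosts is "to-the-box" traffic, terminated by the ASA, not forwarded.
dhcpd address 192.168.50.100-192.168.50.200 DMZ
dhcpd dns 192.0.2.53
dhcpd lease 3600
dhcpd enable DMZ
!
! Interface ACL: evaluated only for traffic passing THROUGH the ASA.
! A DHCP broadcast (0.0.0.0 -> 255.255.255.255, udp/68 -> udp/67) never
! reaches this list because the ASA is its destination.
access-list DMZ_IN extended permit udp any any eq domain
access-list DMZ_IN extended permit tcp any any eq www
access-list DMZ_IN extended permit tcp any any eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! Verify: leases exist and hit counts on the deny line do not grow
! for DHCP, because the packets were never classified as through-traffic.
!   ciscoasa# show dhcpd binding
!   ciscoasa# show dhcpd statistics
!   ciscoasa# show access-list DMZ_IN
!
! If hosts on this segment must NOT receive leases, the interface ACL is
! the wrong control; disable the server on that interface instead:
!   no dhcpd enable DMZ
```

The same distinction applies to other services terminated on the ASA (management access, VPN, ICMP to the interface), which are governed by their own configuration rather than by the interface ACL.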

mahesh18, Sun, 07/07/2013 - 07:45

Hi Karsten & Jouni,


Thanks for your wonderful explanation.


Best regards

Mahesh
