
DHCP on DMZ interface and ACL deny ip any any

mahesh18
Level 6

Hi Everyone,

The ASA has a DMZ interface and it has an ACL deny ip any any.

Then it has a few ACLs that allow http, https, dns, and other traffic from the DMZ to the outside.

Users are getting IPs from the DHCP pool which is configured for interface DMZ.

Need to know how users are getting an IP on the PC from the DMZ pool even though DHCP requests or broadcasts are not allowed under the ACL?

Config of ASA is attached.

Regards

Mahesh

2 Accepted Solutions

On the ASA, the ACLs on the interface filter traffic through the ASA, but not traffic that is for the ASA. When a client sends a DHCP broadcast, that is traffic that is for the ASA (as you have enabled the DHCP server), so you don't need an ACE for that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


Jouni Forss
VIP Alumni

Hi Mahesh,

The ASA acts a bit differently than what you might have been used to with a Cisco router. On a Cisco router, having an ACL that denies traffic could mean that you were actually blocking DHCP operation on the router itself for the hosts.

On the ASA, however, the typical interface ACL won't affect DHCP operation at all. So if you have configured an ACL and DHCP on the ASA interface, then the DHCP operation won't be blocked.

- Jouni

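To make the distinction in the two answers above concrete, here is a small Python model of the inbound decision on each platform. This is an added illustration written for this thread, not Cisco code and not the attached ASA config: the interface address 192.168.50.1, the client 192.168.50.20, the outside host 203.0.113.10 and the ACL entries are made up to match the scenario in the question (a few permits towards the outside followed by deny ip any any, and no ACE for DHCP). The ASA path skips the interface ACL for traffic addressed to the box itself (its interface IP, or the DHCP broadcast its DHCP server answers); the IOS path runs the inbound ACL before the packet reaches a local process, which is the behaviour Jouni contrasts it with.

```python
"""Model of interface-ACL handling for to-the-box traffic on an ASA vs an IOS router.

Added example for this thread; addresses, ports and ACL entries are constructed
to mirror the question (DMZ interface with DHCP server, deny ip any any plus a
few permits to the outside). It is a simplification: it ignores NAT, stateful
inspection and the ASA's separate control-plane ACL feature.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    dst: str                   # CIDR or "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def acl_verdict(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed DMZ inbound ACL: http/https/dns out, then deny ip any any.
DMZ_ACL = [
    Ace("permit", "tcp", "any", 80),
    Ace("permit", "tcp", "any", 443),
    Ace("permit", "udp", "any", 53),
    Ace("deny", "ip", "any"),
]
DMZ_IF_IP = "192.168.50.1"     # assumed ASA DMZ interface address


def is_to_the_box(pkt: Packet, interface_ip: str) -> bool:
    """Traffic for the device itself: its own interface IP, or the broadcast
    a DHCP client sends to udp/67 when the device is the DHCP server."""
    if pkt.dst == interface_ip:
        return True
    return pkt.dst == "255.255.255.255" and pkt.proto == "udp" and pkt.dport == 67


def asa_inbound(pkt: Packet, acl: List[Ace], interface_ip: str = DMZ_IF_IP) -> str:
    """ASA: the interface ACL is applied to through-the-box traffic only."""
    if is_to_the_box(pkt, interface_ip):
        return "permit"        # answered by the ASA's own DHCP server, ACL not consulted
    return acl_verdict(acl, pkt)


def ios_inbound(pkt: Packet, acl: List[Ace], interface_ip: str = DMZ_IF_IP) -> str:
    """IOS router: an inbound ACL is checked before local delivery, so it also
    filters packets addressed to the router itself."""
    return acl_verdict(acl, pkt)


# Constructed sample traffic arriving on the DMZ interface.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)   # broadcast from a new client
DHCP_RENEW = Packet("192.168.50.20", DMZ_IF_IP, "udp", 67)         # unicast renewal to the server
HTTPS_OUT = Packet("192.168.50.20", "203.0.113.10", "tcp", 443)    # permitted through-traffic
SMB_OUT = Packet("192.168.50.20", "203.0.113.10", "tcp", 445)      # hits deny ip any any


def compare(pkt: Packet) -> dict:
    return {"asa": asa_inbound(pkt, DMZ_ACL), "ios": ios_inbound(pkt, DMZ_ACL)}


if __name__ == "__main__":
    for name, pkt in [("DHCP DISCOVER", DHCP_DISCOVER), ("DHCP renew", DHCP_RENEW),
                      ("HTTPS out", HTTPS_OUT), ("SMB out", SMB_OUT)]:
        print(f"{name:14s} {compare(pkt)}")
```

Running it shows the DHCP DISCOVER and the unicast renewal are permitted on the ASA path even though the only ACE that could match them is deny ip any any, while the same ACL on the IOS path drops both; ordinary through-traffic (HTTPS permitted, SMB denied) is judged identically on both.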

3 Replies


Hi Karsten & Jouni,

Thanks for your wonderful explanation.

Best regards

Mahesh
