Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA5505 Port 68 issue - cannot block it on the wan/outside interface - V 8.4.7

Hello,

I setup my ASA5505 to get the public IP address from the outside/wan ( my cable provider via DHCP) interface 0/0 on vlan 90 and the inside interface gives dhcp addresses to my local lan. I have denied all the traffic on the outside interface coming in and allowed domain/http/https from the inside to anywhere.

 

I ran the packet tracer and I noticed that if the traffic comes from any ip on the outside targeting UDP port 68 or 67  (broadcast traffic) is allowed and I see the packets being built even tho my outside ACL is deny any any - not sure how to resolve the issue as I gave up on all the solutions :/

interface Ethernet0/0

*outside facing the internet*
 switchport access vlan 90
!
interface Ethernet0/1

*inside*
 switchport access vlan 50

interface Vlan50
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan90
 description OUTSIDE to Internet
 nameif outside
 security-level 0
 ip address dhcp setroute

 

dhcpd address 192.168.50.101-192.168.50.202 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

service-policy global_policy global

packet-tracer input outside udp 150.50.50.50 1234 255.255.255.255 68 detailed

 

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca2a13a0, priority=13, domain=punt, deny=false
        hits=3, user_data=0xca2a1430, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca2830b0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow

 

This should not be allowed as I have a deny any any on the outside interface

 

Everyone's tags (2)
4 REPLIES
Super Bronze

Hi, Can you show the actual

Hi,

 

Can you show the actual "access-list" and "access-group" configurations?

 

show run access-list

 

show run access-group

 

My own ASA 5505 running 8.4(5) blocks the above mentioned "packet-tracer" output. I wonder if its in any way related to the WAN interface being set as a DHCP Client? Though if I am not wrong the port UDP/68 should only be destination port for connections to the DHCP server.

 

Have you tried to make a separate ACL and attach it to the WAN interface as a "control-plane" ACL that blocks/permits traffic to the actual ASA interface?

You attach it to the interface with the command

 

access-group <acl name> in interface <interface name> control-plane

 

You can naturally have a normal interface ACL that controls traffic "through the box" and a "control-plane" ACL that controls traffic "to the box".

 

- Jouni

New Member

Hello, I have tried to put

Hello,

 

I have tried to put the control plane acl but without any luck, this is driving me crazy as I feel someone can run a dhcp attack and my firewall will build those msgs, I don't even see the hits when I run the packet tracer on the new ACL, here is my config:

 

If I remove the ip address dhcp setroute then everything is normal, not sure if its even possible to block this type of traffic

 

object network INSIDE-NETWORKS
 subnet 192.168.50.0 255.255.255.0
object-group service MY-PORTS
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https

 

access-list inside_acl extended permit object-group MY-PORTS object INSIDE-NETWORKS any
access-list inside_acl extended permit ip object INSIDE-NETWORKS object INSIDE-NETWORKS
access-list outside_acl extended deny ip any any

**new control plane acl**

access-list cpl-acl; 1 elements; name hash: 0xe068185
access-list cpl-acl line 1 extended deny udp any any log informational interval 300 (hitcnt=0) 0xcfe2e0a1

 

access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group cpl-acl in interface outside control-plane

 

 


 

Hi,I believe this is because

Hi,

I believe this is because of the ip address dhcp enabled on the outside interface. I do not get such packet-tracer output in a statically assigned environment. But if you apply the ACL to the control-plane it is applicable to the box which might affect the dhcp assignment to your Outside interface.

UDP port number 67 is the destination port of a server & UDP port number 68 is used by the client.

 

Regards

Karthik

New Member

Yes I tested on another ASA

Yes I tested on another ASA that has a static IP and the traffic is dropped - I don't like the fact that those broadcast messages are being built even tho I am blocking everything, hence someone could use my ip as a target for dhcp attacks if they spoof their source

289
Views
0
Helpful
4
Replies
CreatePlease to create content