Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Blocking DHCP at ASA

Good Day,

I have seven subnets that previously used public IPs exclusively w/helper addresses configured on a router that I *do not* control.

We recently installed an ASA 5550 to do nothing more than perform NAT for five on the subnets, the other two retain the use of public IPs.

The DHCP server we planned to use is on a public IP subnet. The ethernet port on this box is configured for Dot1q trunking and listens on all ports for DHCP broadcasts.

The problem, or peculiarity, I'm seeing is that the DHCP requests hit the server twice--once as a simple broadcast and again after passing through the ASA, hitting the router and being directed by the helper address. (all this in spite of using the ASA as an interim DHCP server)

I could request that the helper addresses be removed, but my first thought was to simply block port 67 and 68 from passing through the ASA. I have applied the "nodhcpout" acl to both inside and outside interfaces, but the traffic still passes. I have also disabled same-security traffic with the same result.

Any insight is appreciated. Here's the config from one context:


nat/vlan540# sh run

: Saved


ASA Version 8.0(4) <context>


hostname vlan540


enable password




interface GigabitEthernet0/1

nameif 54lowerout

security-level 0

ip address


interface GigabitEthernet1/0.3

nameif 54lowerin

security-level 0

ip address


dns domain-lookup 54lowerout

dns server-group DefaultDNS



access-list allow extended permit ip any any

access-list nodhcpout extended deny udp any any eq bootps

access-list nodhcpout extended deny udp any any eq bootpc

access-list nodhcpout extended permit ip any any

pager lines 24

logging enable

logging trap alerts

logging host 54lowerout x.x.x.x

logging message 305012 level alerts

logging message 305011 level alerts

logging message 305010 level alerts

logging message 305009 level alerts

mtu 54lowerout 1500

mtu 54lowerin 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (54lowerout) 1 x.x.x.x netmask

global (54lowerout) 1 x.x.x.x

nat (54lowerin) 1

access-group allow in interface 54lowerout

access-group allow out interface 54lowerout

access-group nodhcpout in interface 54lowerin

access-group nodhcpout out interface 54lowerin

route 54lowerout x.x.x.x 1

timeout xlate 0:06:00

timeout conn 0:06:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh x.x.x.0 54lowerout

ssh timeout 15

dhcpd dns x.x.x.x

dhcpd lease 1800


dhcpd address 54lowerin

dhcpd enable 54lowerin


no threat-detection statistics tcp-intercept


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp


service-policy global_policy global


: end


CreatePlease to create content