Cisco Support Community
Community Member

DHCP on DMZ interface and ACL deny ip any any

Hi Everyone,

The ASA has a DMZ interface, and it has an ACL deny ip any any.

Then it has a few ACLs that allow http, https, dns, and other traffic from the DMZ to the outside.

Users are getting IPs from the DHCP pool which is configured for interface DMZ.

Need to know how users are getting an IP on the PC from the DMZ pool even though a DHCP request or broadcast is not allowed under the ACL?

Config of ASA is attached.

Regards

Mahesh

2 ACCEPTED SOLUTIONS
VIP Purple

DHCP on DMZ interface and ACL deny ip any any

On the ASA, the ACLs on the interface filter traffic through the ASA, but not traffic that is for the ASA. When a client sends a DHCP broadcast, that is traffic that is for the ASA (as you have enabled the DHCP server), so you don't need an ACE for that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Super Bronze

Re: DHCP on DMZ interface and ACL deny ip any any

Hi Mahesh,

The ASA acts a bit differently than what you might have been used to with a Cisco router. On a Cisco router, having an ACL that denies traffic could mean that you were actually blocking DHCP operation on the router itself for the hosts.

On the ASA, however, the typical interface ACL won't affect DHCP operation at all. So if you have configured an ACL and DHCP on the ASA interface, then the DHCP operation won't be blocked.

- Jouni

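The distinction both answers rely on, modelled as an added Python example (not Cisco code or anything from the thread): a packet addressed to the ASA itself, such as a DHCP client broadcast on an interface where the DHCP server is enabled, is handled as to-the-box traffic and never consults the interface ACL; only through-the-box traffic is matched against the ACEs. The interface address, DHCP scope and ACE list are constructed assumptions, and the model ignores NAT and the ASA's other to-the-box services.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "ip"
    dport: int


# Constructed DMZ interface: address 192.168.50.1/24 with the DHCP server enabled (assumption).
DMZ_IF = {"name": "DMZ", "addr": "192.168.50.1", "dhcpd": True}

# Constructed interface ACL in the spirit of the thread: a few permits, then deny ip any any.
# (action, protocol, destination port or None for any)
DMZ_ACL = [
    ("permit", "tcp", 80),
    ("permit", "tcp", 443),
    ("permit", "udp", 53),
    ("permit", "tcp", 53),
    ("deny", "ip", None),
]


def is_to_the_box(pkt: Packet, iface: dict) -> bool:
    """Traffic for the ASA itself: its own interface address, or a DHCP client
    broadcast (UDP/67 to 255.255.255.255) when dhcpd is enabled on that interface."""
    if pkt.dst == iface["addr"]:
        return True
    return (iface["dhcpd"] and pkt.proto == "udp" and pkt.dport == 67
            and pkt.dst == "255.255.255.255")


def acl_lookup(pkt: Packet, acl: list) -> str:
    """First-match evaluation of the ACE list, with the ASA's implicit deny at the end."""
    for action, proto, port in acl:
        if proto == "ip" or (proto == pkt.proto and (port is None or port == pkt.dport)):
            return action
    return "deny"


def asa_decision(pkt: Packet, iface: dict = DMZ_IF, acl: list = DMZ_ACL) -> tuple:
    """Return (path, verdict). The interface ACL is consulted only for through-the-box traffic."""
    if is_to_the_box(pkt, iface):
        return ("to-the-box", "accept")
    return ("through-the-box", acl_lookup(pkt, acl))
```

With dhcpd disabled on the interface the same broadcast is no longer for the ASA and, in this simplified model, falls through to the deny ACE.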
3 REPLIES
Community Member

DHCP on DMZ interface and ACL deny ip any any

Hi Karsten & Jouni,

Thanks for your wonderful explanation.

Best regards

Mahesh
