DHCP Problem with ASA 5505

Jon Barbee
Level 1

Hi. I have an ASA 5505 configured for Transparent Mode. The Outside interface connects to a router (RV042). The router manages DHCP. With the 5505 in the system, all computers can connect to the internet and to each other, except for a few. The problem computers can be made to work if they are set to a specific address, rather than automatically assigned by the router. Some of the iPads work correctly, some do not. At least one Apple Notebook cannot connect even if I enter a static address.

Consulting the documentation, I found that DHCP traffic (UDP ports 67 and 68) needed to be enabled via rules for the Inside and Outside interfaces. I did that in ASDM but now nothing works.

I have pulled the 5505 out of the system and restored it to the configuration that worked for most of the computers.

Any suggestions would be appreciated. I can pull a "show" run from CLI if it is useful.

Thanks...

johnlloyd_13
Level 9

Hi Jerry,

could you post a show run?

you'll need an inbound and outbound ACL for DHCP to work:

access-list outside_in extended permit udp host <DHCP SVR IP> any eq bootpc
access-list inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
access-list inside_out extended permit udp any host <DHCP SVR IP> eq bootps

access-group outside_in in interface outside
access-group inside_out out interface inside

Julio Carvajal
VIP Alumni

Hello,

So, adding to John's reply,

the actual ACLs you will need are

access-list outside_in extended permit udp host <DHCP SVR IP> any eq 68

Any other service you need from out to in will need to be permitted here.

access-list inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq 67

access-list inside_out extended permit ip any any (Otherwise all internal traffic going to the outside world will be denied)

If you don't add that you might end up breaking everything, as you said.

access-group outside_in in interface outside
access-group inside_out out interface inside

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jon Barbee
Level 1

Thanks for the help on this. I have entered the commands in the responses to this posting. Unfortunately, the DHCP traffic is not going through. Attached is a show current-config file.

I'm sure I missed something...just don't know what.

Best regards...

As I said before, with that ACL you are closing all other traffic from inside to outside. Quite sure that will get you into problems if this is a production box.

Now, for the ACL, the lines I sent are the ones needed.

Are you sure the traffic actually comes from inside to outside and not backwards?

If the answer is yes, then do a capture on both interfaces matching only DHCP packets.

Regards

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jon Barbee
Level 1

Understood. I tried adding the "inside_out extended permit ip any any" command, but it made no difference. Because the implicit rule (permit ip traffic to any less secure interface) is still in the access list table, it would seem the additional extended rule is not needed.

When I first received the 5505, it had an older version of firmware. At the time, when I entered any rule in ASDM it deleted the "less secure" implicit rule, which then broke the system since there was no path for internet traffic from inside to outside, as you have stated. With the newest firmware release, however, when I enter a rule, the "less secure" implicit rule does not go away.

So, with help from the folks here I have made progress. Right now the issue is that when the 5505 in Transparent Mode is between the router and user computers, the computers cannot reliably get addresses that are auto-assigned by the router.

Looking through the logs displayed on ASDM, I noticed the following curious statement:

"6 Mar 31 2014 07:16:42  fe80::1131:41c2:3627:8339 63575 ff02::1:3 5355 No management IP address configured for transparent firewall. Dropping protocol UDP packet from outside:fe80::1131:41c2:3627:8339/63575 to inside:ff02::1:3/5355"

However, I have configured a management IP address, and it is listed in the "show" document that I posted yesterday:

!
interface BVI1
 ip address 192.168.1.10 255.255.255.0
!

So, I am confused.

I appreciate the help. I am new to the 5505, although I participated as a "friendly" in the ASA program some years ago. I recall a similar problem with that setup. Regrettably, I can't remember how we fixed it...

Regards...

The issue you are having is because of how DHCP sends requests. It sends requests to the address of 0.0.0.0 255.255.255.255. Now I don't know why the security levels do not apply to the DHCP request, but for some reason it doesn't. This means you need an access list applied to the inside interface in the inbound direction. This ACL needs to have a source of any with a destination of the router. Now keep in mind that the inside hosts should be able to access the internet, so if I were you I would consider putting a permit IP any any on the inside interface and then, if required, place deny statements above the permit. You do not need the outbound ACL on the inside interface, so remove that. Your ACL statements should look something like this (I am assuming the DHCP range is 192.168.1.0/24):

access-list OUT-TO-IN permit udp host <router-IP> 192.168.1.0 255.255.255.0 eq 67

access-list OUT-TO-IN permit udp host <router-IP> 192.168.1.0 255.255.255.0 eq 68

access-list IN-TO-OUT permit ip any any

access-group IN-TO-OUT in interface inside

access-group OUT-TO-IN in interface outside

--
Please remember to rate and select a correct answer

Regarding: access-list IN-TO-OUT permit ip any any

I'm struggling with this problem myself right now.  There is something about this ACL that seems a little off to me.  It works, yes.  In fact, I got it to work without even doing the OUT-TO-IN ACL.  The thing I am uncomfortable with is an ACL that permits ABSOLUTELY EVERYTHING!  Doesn't this circumvent the other security policies I have configured on my ASA?

Well, if you think about it, let's say we remove that any any ACL and just let the security levels do their work (which for some reason doesn't work on the DHCP packets): you are still allowing everything from a higher security level to a lower security level, so in essence a permit any any statement from the inside network to the outside. The other security policies are not affected, but then again, from the configuration you posted, you don't have much configured on there.

It is a very common practice to permit everything from the inside network out, as it is "supposed" to be a secure network.  However, if you are uncomfortable doing this you can always tighten the security a bit by only allowing traffic with a source address of 192.168.1.0/24.  So your ACLs would look something like this:

access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67

access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68

access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any

This will allow the initial DHCP packets through then limit any further traffic to the internet or otherwise to having a source address within the 192.168.1.0/24 subnet.

--
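The replies above disagree mainly about which interface and direction each DHCP leg crosses, and about what an applied ACL does to everything else. The following Python script is an added example written for this thread (it is not Cisco code and not anything a poster supplied): a small, stateless model of ASA interface-ACL evaluation on a two-port transparent bridge, fed with the rule sets from Julio's and Marius's replies and with a handful of constructed packets. It assumes a router address of 192.168.1.1 and an offered client address of 192.168.1.50 (neither appears in the thread), and it models the usual ASA behaviour: an applied ACL ends in an implicit deny, an interface with no inbound ACL falls back to the security-level default (higher to lower passes, lower to higher is dropped), and an absent outbound ACL filters nothing. It ignores the connection table, so it only judges the first packet of a flow. One edge case is included deliberately: a client that sets the BROADCAST flag makes the server send OFFER and ACK to 255.255.255.255 (RFC 2131, section 4.1), and an OUT-TO-IN rule whose destination is 192.168.1.0/24 does not match that packet.

```python
"""Stateless model of Cisco ASA interface-ACL evaluation on a two-port
transparent bridge (inside = security 100, outside = security 0), used to see
which packets of a DHCP exchange each rule set in this thread lets through.
Added example, not Cisco code; it understands only the keywords the replies
use: permit/deny, ip/udp/tcp, any, host A, NET MASK, eq PORT, access-group."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "ingress proto src dst dport")  # ingress = arrival interface
Rule = namedtuple("Rule", "action proto src dst dport")       # dport None = any port
PORT_NAMES = {"bootps": 67, "bootpc": 68}
SECURITY_LEVEL = {"inside": 100, "outside": 0}
EGRESS = {"inside": "outside", "outside": "inside"}           # two-port bridge

def _parse_addr(t):
    """Consume one address spec (any | host A | NET MASK); return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse_config(text):
    """Return ({acl_name: [Rule, ...]}, {(interface, 'in'|'out'): acl_name})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t and t[0] == "access-list":
            name, t = t[1], t[2:]
            if t[0] == "extended":
                t = t[1:]
            action, proto = t[0], t[1]
            src, t = _parse_addr(t[2:])
            dst, t = _parse_addr(t)
            dport = (PORT_NAMES.get(t[1]) or int(t[1])) if t[:1] == ["eq"] else None
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
        elif t and t[0] == "access-group":   # access-group NAME in|out interface IFACE
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings

def _matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dport in (None, pkt.dport))

def _verdict(acls, bindings, iface, direction, pkt, no_acl_default):
    """First matching rule wins; an applied ACL ends in an implicit deny."""
    name = bindings.get((iface, direction))
    if name is None:
        return no_acl_default
    for rule in acls.get(name, []):
        if _matches(rule, pkt):
            return rule.action == "permit"
    return False

def permitted(config, pkt):
    """Modelled ASA defaults: no inbound ACL -> security levels decide
    (higher-to-lower passes, lower-to-higher drops); no outbound ACL -> pass."""
    acls, bindings = parse_config(config)
    egress = EGRESS[pkt.ingress]
    high_to_low = SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]
    return (_verdict(acls, bindings, pkt.ingress, "in", pkt, high_to_low)
            and _verdict(acls, bindings, egress, "out", pkt, True))

ROUTER, CLIENT = "192.168.1.1", "192.168.1.50"  # assumed RV042 and offered address
PACKETS = {  # constructed test packets: two DHCP legs plus two ordinary flows
    "DISCOVER inside->broadcast": Packet("inside", "udp", "0.0.0.0", "255.255.255.255", 67),
    "OFFER unicast to yiaddr": Packet("outside", "udp", ROUTER, CLIENT, 68),
    "OFFER broadcast (client set BROADCAST flag)":
        Packet("outside", "udp", ROUTER, "255.255.255.255", 68),
    "web from 192.168.1.50": Packet("inside", "tcp", CLIENT, "203.0.113.10", 80),
    "web from off-subnet 10.0.0.5": Packet("inside", "tcp", "10.0.0.5", "203.0.113.10", 80),
}
JULIO_WITHOUT_ANY = """
access-list outside_in extended permit udp host 192.168.1.1 any eq 68
access-list inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq 67
access-group outside_in in interface outside
access-group inside_out out interface inside
"""
JULIO_WITH_ANY = JULIO_WITHOUT_ANY.replace(  # same, plus the line Julio insists on
    "access-group", "access-list inside_out extended permit ip any any\naccess-group", 1)
MARIUS_TIGHT = """
access-list OUT-TO-IN permit udp host 192.168.1.1 192.168.1.0 255.255.255.0 eq 67
access-list OUT-TO-IN permit udp host 192.168.1.1 192.168.1.0 255.255.255.0 eq 68
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68
access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any
access-group IN-TO-OUT in interface inside
access-group OUT-TO-IN in interface outside
"""

def evaluate(config):
    """Map each constructed packet to True (forwarded) or False (dropped)."""
    return {label: permitted(config, pkt) for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for title, cfg in (("Julio, no permit ip any any", JULIO_WITHOUT_ANY),
                       ("Julio, with permit ip any any", JULIO_WITH_ANY),
                       ("tightened IN-TO-OUT / OUT-TO-IN", MARIUS_TIGHT)):
        print(title, *(f"  {'pass' if ok else 'DROP'}  {k}"
                       for k, ok in evaluate(cfg).items()), sep="\n")
```

Run as a script it prints a pass/DROP table per rule set. Under this model Julio's set without `permit ip any any` drops the OFFER on the inside interface's outbound ACL, which is the breakage he warns about; with the line added every packet passes, including one sourced from 10.0.0.5. The tightened IN-TO-OUT set passes the unicast OFFER and blocks the off-subnet source, but drops a broadcast OFFER, so a client that sets the BROADCAST flag would still fail to lease an address with those exact rules.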

Makes complete sense.  Thank you for your quick and detailed response.  

Any time. Let us know if you need further help.

--