789 Views | 5 Helpful | 4 Replies

Transparent Firewalls and DHCP on a 5510 ASA

euchredog
Level 1

I have a 5510 ASA running 8.2 configured in transparent mode and I am trying to allow devices on the inside network to acquire an IP address from a DHCP server on the outside.  I've seen several articles that indicate an ACL is necessary to permit outgoing traffic on port 68 and incoming traffic on port 67.  That actually works and the inside device gets an IP address.  The problem is that no other outbound traffic is allowed from the inside device.  The ACL put in place to permit DHCP, because of its implicit deny at the end of the ACL, denies all other traffic.  DHCP is now the ONLY thing allowed out.  What am I doing wrong here?

4 Replies

James Leinweber
Level 4

In a default configuration the difference in security levels between the inside and outside interfaces would allow the DHCP requests out, and the UDP xlate entry created for the outgoing packet would allow the DHCP reply back in.  It would just work, but you would have very little control of packet flows, static NAT, or logging.

Once you start applying ACLs to interfaces, you have to explicitly allow everything you want.  All of my firewall interfaces have inbound ACLs, and some also have outbound, so, e.g., subnets where I want fairly permissive outbound get something like:

access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0
access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log
access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log
access-list DMZ-INGRESS extended permit ip any any


Since I happen to be running in routed mode rather than transparent, I have to configure DHCP relay instead of something like "permit udp any any".  I won't include the object groups unless someone asks.

-- Jim Leinweber, WI State Lab of Hygiene


I saw you posted on one of the other questions I was answering on a similar issue. As Jim has mentioned, you would also need to permit traffic for the host after it has received an IP.  So if your DHCP leased subnet is 192.168.1.0/24, the ACL you would have applied to the inside interface in the inbound direction would be like this:

access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68
access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any
access-group IN-TO-OUT in interface inside

Depending on your security policies you can either use permit IP any any or specify the source subnet to be allowed access out.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Something is still not right here.  In order to get this to work, I had to put an ACL on the outside interface to let the DHCP offer and ack messages back in, along with any other response traffic.  I think it has to be a permit ip any any.  This can't be right.  It completely bypasses all of the stateful inspection.  I might as well not have a firewall if I'm going to do that.  It seems like the only good solution here is to move the DHCP server to the inside.

Hi,

sorry for late reply as I have been away for a few weeks now.

You do not require a permit IP any any on the outside interface, but you might need an ACL permitting the router IP to send DHCP return traffic to destination 0.0.0.0.

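The two points made in this thread (an interface ACL is first-match with an implicit deny at the end, and reply traffic is admitted by the connection table rather than by the outside ACL) can be seen in a small model. This is an added illustration, not ASA code and not posted by anyone in the thread. The inside subnet 192.168.1.0/24 is taken from the thread; the DHCP server 10.0.0.1, the DNS server 10.0.0.53, the client port 53000 and the packets themselves are constructed, and the DHCPOFFER is modelled as a broadcast to 255.255.255.255:68 (a server that unicasts the offer needs a matching entry for that destination instead).

```python
"""Toy model of ASA-style interface ACLs (first match, implicit deny) and of the
connection table that lets reply traffic back in without an ACL entry.
Added illustration for this thread; all addresses and packets are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any", a host address, or a CIDR prefix
    dst: str
    dport: Optional[int] = None  # None = any destination port ("eq N" in ASA syntax)


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _net(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate_acl(acl, pkt: Packet) -> str:
    """The first matching ACE decides; no match means the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit)"


class ConnTable:
    """Connections created by permitted outbound packets, keyed on the 5-tuple."""
    def __init__(self):
        self.conns = set()

    def add(self, pkt: Packet) -> None:
        self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def matches_reply(self, pkt: Packet) -> bool:
        # A reply is the exact reversal of an existing connection's 5-tuple.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def forward(inside_acl, outside_acl, conns: ConnTable, pkt: Packet, direction: str) -> str:
    """Outbound: the inside ACL decides and a permit creates a connection.
    Inbound: an existing connection admits the packet; otherwise the outside ACL decides."""
    if direction == "out":
        verdict = evaluate_acl(inside_acl, pkt)
        if verdict == "permit":
            conns.add(pkt)
        return verdict
    if conns.matches_reply(pkt):
        return "permit (existing conn)"
    return evaluate_acl(outside_acl, pkt)


# Constructed traffic: DHCP discover/offer and a DNS query/reply from a leased host.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
OFFER = Packet("udp", "10.0.0.1", 67, "255.255.255.255", 68)
DNS_QUERY = Packet("udp", "192.168.1.10", 53000, "10.0.0.53", 53)
DNS_REPLY = Packet("udp", "10.0.0.53", 53, "192.168.1.10", 53000)

# "permit udp host 0.0.0.0 host 255.255.255.255 eq 67" from the thread.
DHCP_CLIENT_TO_SERVER = Ace("permit", "udp", "0.0.0.0/32", "255.255.255.255/32", 67)
ACL_DHCP_ONLY = [DHCP_CLIENT_TO_SERVER]
ACL_FIXED = [DHCP_CLIENT_TO_SERVER, Ace("permit", "ip", "192.168.1.0/24", "any")]
# Narrow outside entry for the server's broadcast offer (constructed server address).
ACL_OUTSIDE_FOR_DHCP = [Ace("permit", "udp", "10.0.0.1/32", "255.255.255.255/32", 68)]


def run_scenario(inside_acl, outside_acl) -> dict:
    conns = ConnTable()
    return {
        "dhcp discover out": forward(inside_acl, outside_acl, conns, DISCOVER, "out"),
        "dhcp offer in": forward(inside_acl, outside_acl, conns, OFFER, "in"),
        "dns query out": forward(inside_acl, outside_acl, conns, DNS_QUERY, "out"),
        "dns reply in": forward(inside_acl, outside_acl, conns, DNS_REPLY, "in"),
    }


if __name__ == "__main__":
    print("DHCP-only inside ACL, no outside ACL:", run_scenario(ACL_DHCP_ONLY, []))
    print("Fixed inside ACL, narrow outside ACL:", run_scenario(ACL_FIXED, ACL_OUTSIDE_FOR_DHCP))
```

The first scenario reproduces the original complaint: the discover is permitted, but the DNS query from the leased host hits the implicit deny because nothing after the DHCP entry matches it. The second scenario shows why no permit ip any any is needed on the outside interface: the DNS reply is admitted by the connection entry the query created, while the broadcast offer never matches the reversal of the discover's 5-tuple (that would require a source of 255.255.255.255 and a destination of 0.0.0.0), so it is the one flow that needs its own narrow entry on the outside ACL.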