I have a 5510 ASA running 8.2 configured in transparent mode and I am trying to allow devices on the inside network to acquire an IP address from a DHCP server on the outside. I've seen several articles that indicate an ACL is necessary to permit outgoing traffic on port 68 and incoming traffic on port 67. That actually works and the inside device gets an IP address. The problem is that no other outbound traffic is allowed from the inside device. The ACL put in place to permit DHCP, because of its implicit deny at the end of the ACL, denies all other traffic. DHCP is now the ONLY thing allowed out. What am I doing wrong here?
In a default configuration the difference in security levels between the inside and outside interfaces would allow the DHCP requests out, and the UDP xlate entry created for the outgoing packet would allow the DHCP reply back in. It would just work, but you would have very little control of packet flows, static NAT, or logging.
Once you start applying ACLs to interfaces, you have to explicitly allow everything you want. All of my firewall interfaces have inbound ACLs, and some also have outbound. E.g., subnets where I want fairly permissive outbound get something like:
access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0
access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log
access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log
access-list DMZ-INGRESS extended permit ip any any
Since I happen to be running in routed mode rather than transparent, I have to configure DHCP relay instead of something like "permit udp any any". I won't include the object groups unless someone asks.
I saw you posted on one of the other questions I was answering on a similar issue. As Jim has mentioned, you would also need to permit traffic for the host after it has received an IP. So if your DHCP leased subnet is 192.168.1.0/24, the ACL you would have applied to the inside interface in the inbound direction would be like this:
Something is still not right here. In order to get this to work, I had to put an ACL on the outside interface to let the DHCP offer and ack messages back in, along with any other response traffic. I think it has to be a permit ip any any. This can't be right. It completely bypasses all of the stateful inspection. I might as well not have a firewall if I'm going to do that. It seems like the only good solution here is to move the DHCP server to the inside.
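As an added illustration (example code, not from any poster in this thread), the following Python simulates first-match ASA ACL evaluation with the implicit deny at the end, showing why the DHCP-only inbound ACL from the question blocks all other traffic from the client and why the extra permit for the leased subnet mentioned in the second answer restores it. The simplified ACL syntax subset, the ACL name INSIDE-IN and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACLs in a simplified ASA syntax (added example, not the thread's config).
# Supported subset: access-list NAME extended {permit|deny} {ip|udp|tcp} SRC [eq PORT] DST [eq PORT]
# where SRC/DST is "any" or "NETWORK MASK". First match wins; no match means implicit deny.
DHCP_ONLY_ACL = "access-list INSIDE-IN extended permit udp any eq 68 any eq 67\n"
# Same ACL plus a permit for the leased subnet (192.168.1.0/24, as in the thread).
FIXED_ACL = DHCP_ONLY_ACL + "access-list INSIDE-IN extended permit ip 192.168.1.0 255.255.255.0 any\n"

@dataclass
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

def _endpoint(tokens):
    """Consume 'any' or 'NET MASK' plus an optional 'eq PORT'; return (network, port, remaining)."""
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    else:
        net, tokens = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return net, port, tokens

def parse_acl(text):
    """Return (action, proto, src_net, src_port, dst_net, dst_port) tuples in ACL order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, sport, rest = _endpoint(t[5:])
        dst, dport, _ = _endpoint(rest)
        rules.append((t[3], t[4], src, sport, dst, dport))
    return rules

def evaluate(acl_text, pkt):
    """First-match evaluation; returns 'permit' or 'deny' (implicit deny when nothing matches)."""
    for action, proto, src, sport, dst, dport in parse_acl(acl_text):
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if (sport is not None and sport != pkt.sport) or (dport is not None and dport != pkt.dport):
            continue
        return action
    return "deny"  # the implicit deny at the end of every ASA ACL
```

With the DHCP-only ACL a client's DHCP discover (UDP 68 to 67) is permitted but its later web traffic hits the implicit deny; the second ACL permits traffic from the leased subnet while still denying hosts outside it.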