Cisco Support Community
Community Member

ZBF and DHCP server on router

Hello all,

On a Cisco 881 router with ZBF I have a dedicated VLAN for the AP connection. The AP gets its IP address from the router's DHCP server, and I would like to limit all access to the router's "self" zone to DHCP traffic only, if possible. Does anybody have an idea how to limit all traffic except DHCP to the self zone? Whatever I do to traffic to/from the self zone, I must always specify the last statement as "class class-default/inspect" and not drop as I would like to.

Thank you and kind regards,

Marko

5 REPLIES
Cisco Employee

Re: ZBF and DHCP server on router

You can match on udp packet ports 67, 68 in a class-map of type inspect.

Then you can inspect these packets in a policy-map of type pass under the above class. The action for the rest of the traffic will be by default denied.

Then you can apply that policy-map in the out-to-self and self-to-out zone pair.

And that should do it.

! ACL: these two entries match only packets sourced from port 67 (bootps)
! or destined to port 68 (bootpc).
ip access-list extended dhcp-acl
   permit udp any eq 67 any
   permit udp any any eq 68
!
! Class-map selecting the traffic the ACL permits
class-map type inspect match-all dhcp-cm
   match access-group name dhcp-acl
!
! Policy-map: pass the matched traffic; everything else falls into
! class-default, whose default action is drop
policy-map type inspect dhcp-pm
   class type inspect dhcp-cm
      pass
!
! Apply the policy-map (not the class-map) on both zone pairs
zone-pair security out-to-self source outside destination self
   service-policy type inspect dhcp-pm
zone-pair security self-to-out source self destination outside
   service-policy type inspect dhcp-pm

I hope it helps.

PK

Community Member

Re: ZBF and DHCP server on router

Hello PK,

I have tried your solution and also a few other options in the access list, but unfortunately it is not working.

Here is my config:

ip access-list extended dhcp-allow
   permit udp any eq bootps any
   permit udp any any eq bootpc
!
class-map type inspect match-all dhcp-cmap
   match access-group name dhcp-allow
!
policy-map type inspect dhcp-pmap
   class type inspect dhcp-cmap
      pass
   class class-default
      drop
!
zone-pair security AP2Self source AP destination self
   service-policy type inspect dhcp-pmap
zone-pair security Self2AP source self destination AP
   service-policy type inspect dhcp-pmap

and here is the output from firewall log:

053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0
053667: Dec 24 17:34:40.642 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0

Cisco Employee (accepted solution)

Re: ZBF and DHCP server on router

Please change the ACL a little and it will work.

ip access-list extended dhcp-allow
   permit udp any eq bootps any
   permit udp any any eq bootpc

   permit udp any any eq bootps
   permit udp any eq bootpc any

Now you are not falling into the pass class.

PK
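As an added illustration (not code from the thread, from Cisco, or from PK), here is a small Python script that parses the %FW-6-DROP_PKT lines quoted above and evaluates each dropped 5-tuple against both versions of the ACL: the two-line one from the first reply and the four-line one from the accepted reply. It shows why the first version failed: a DHCP DISCOVER/REQUEST from the AP is sourced from port 68 (bootpc) toward port 67 (bootps), which neither "permit udp any eq bootps any" nor "permit udp any any eq bootpc" matches, so the packet fell through to class-default and was dropped. The third log line (Self2AP, server-to-client) and its addresses are constructed, as is the ACE evaluator, which handles only the "permit udp any [eq port] any [eq port]" shape used in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the two %FW-6-DROP_PKT lines from the thread plus one
# constructed line for the reverse (server-to-client) direction.
SAMPLE_LOG = """\
053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0
053667: Dec 24 17:34:40.642 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0
053668: Dec 24 17:35:02.004 CET: %FW-6-DROP_PKT: Dropping udp session 192.168.10.1:67 192.168.10.20:68 on zone-pair Self2AP class class-default due to  DROP action found in policy-map with ip ident 0
"""

# The ACL from the first reply (server-sourced or client-destined only) and the
# corrected ACL from the accepted reply (both directions), as posted.
ORIGINAL_ACL = [
    "permit udp any eq bootps any",
    "permit udp any any eq bootpc",
]
CORRECTED_ACL = ORIGINAL_ACL + [
    "permit udp any any eq bootps",
    "permit udp any eq bootpc any",
]

PORT_NAMES = {"bootps": 67, "bootpc": 68}

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)

# Only the 'permit udp any [eq P] any [eq P]' ACE shape used in the thread.
ACE_RE = re.compile(
    r"^\s*permit udp any(?: eq (?P<sport>\S+))? any(?: eq (?P<dport>\S+))?\s*$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str


def parse_drops(log_text):
    """Extract the dropped 5-tuples from %FW-6-DROP_PKT syslog lines."""
    flows = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["zp"]))
    return flows


def _port(token):
    if token is None:
        return None  # no 'eq' qualifier: any port
    return PORT_NAMES.get(token) or int(token)


def parse_ace(line):
    """Return (source_port, dest_port); None means 'any'."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    return _port(m["sport"]), _port(m["dport"])


def acl_permits(acl_lines, flow):
    """First-match evaluation; an IOS named ACL ends with an implicit deny."""
    if flow.proto != "udp":
        return False
    for sport, dport in map(parse_ace, acl_lines):
        if (sport is None or sport == flow.sport) and \
           (dport is None or dport == flow.dport):
            return True
    return False


def classify(acl_lines, log_text):
    """For each dropped flow, name the class it would hit with this ACL:
    'dhcp-cmap' (pass) if the ACL matches, else 'class-default' (drop)."""
    return [(f, "dhcp-cmap" if acl_permits(acl_lines, f) else "class-default")
            for f in parse_drops(log_text)]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"--- {name} ACL ---")
        for flow, cls in classify(acl, SAMPLE_LOG):
            print(f"{flow.zone_pair}: {flow.src}:{flow.sport} -> "
                  f"{flow.dst}:{flow.dport} => {cls}")
```

Running it prints the AP2Self drops landing in class-default under the original ACL and in dhcp-cmap under the corrected one, while the server-to-client line is passed by both. The same approach (parse the drop log, replay the 5-tuple against the ACL) is a quick way to confirm that a class-default drop on a self zone-pair is hitting only the traffic you intended.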

Community Member

Re: ZBF and DHCP server on router

Thank you PK, it works great. I wish you a happy 2010.

Community Member

ZBF and DHCP server on a Cisco 1921 (CISCO1921-SEC)

This is a good solution for a CISCO1921-SEC with CLI configuration; it works well both for the outside interface getting its IP from a DOCSIS DHCP server and for the router's own inside DHCP service.

Thanks!
