Cisco Support Community
New Member

Cisco 2621 ACL filtering DHCP?

I have a 2621 with a WIC-1ADSL that connects to my ISP. Since the 2621 has 2 Ethernet ports, I wanted to set up a network on the second Ethernet port for testing things such as VPN into my network via my ASA5505. I have a DHCP pool set on that particular network but cannot get a client to get an address from the router. I think I might have an ACL that is blocking, or need an ACL to allow BOOTP on the interface. Here is the config:

Building configuration...

Current configuration : 4144 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname r01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 SECRET
enable password 7 password
!
clock timezone Central -6
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authorization commands 15 default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip options drop
ip cef
ip cef accounting per-prefix non-recursive prefix-length
!
!
ip dhcp excluded-address 10.1.100.1 10.1.100.3
!
ip dhcp pool DHCP_POOL
   network 10.1.100.0 255.255.255.0
   default-router 10.1.100.1
   dns-server 4.2.2.1 4.2.2.2
!
ip audit po max-events 100
vpdn enable
!
username XXXXX password 7 password
!
ip tcp selective-ack
ip tcp mss 536
ip tcp window-size 5360
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface ATM0/0 [connected to phone line]
description Physical DSL Interface
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
atm ilmi-keepalive
dsl operating-mode auto
pvc 0/XX
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0/0 [connected to outside interface of ASA5505]
description Frontier Communication Static IP
ip address aa.bb.cc.dd 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache same-interface
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
hold-queue 100 out
!
interface FastEthernet0/1
description Intermediate DMZ
ip address 10.1.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache same-interface
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username username password 7 password
!
ip nat inside source list 101 interface Dialer1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
logging trap debugging
logging facility local2
access-list 101 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
!
....
end

When I try to get an IP address on a client, I never receive one. But when I issue show ip dhcp server statistics, I can see packets hitting the interface:

r01#sh ip dhcp server statistics
Memory usage         14050
Address pools        1
Database agents      0
Automatic bindings   0
Manual bindings      0
Expired bindings     0
Malformed messages   0
Secure arp entries   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         68
DHCPREQUEST          5
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            0
DHCPACK              0
DHCPNAK              5

Any help?  Am I blocking this with an ACL?

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
3 REPLIES
New Member

Cisco 2621 ACL filtering DHCP?

Can you try defining a second DHCP pool for the ASA subnet?

New Member

Cisco 2621 ACL filtering DHCP?

Sorry, I just wanted to specify that I have everything set up on the inside of the ASA. The configuration looks like:

Internet
   |
2621  ---  Test network (10.1.100.x)
   |
ASA
   |
Internal Network

All I want the 2621 to do is hand out DHCP to the 10.1.100.x network. Its address is 10.1.100.1, there is a WAP200 at 10.1.100.3 and a PC for testing on 10.1.100.2. The WAP200 does not do DHCP, so I am reliant on the 2621, and thus the exclusion command for the IP pool for my devices.

I removed ACL 101 and the NAT statement and issued the ACL 2 commands as you stated. It still does not work. I have now removed ACL 2 as well to see if it works without anything, just free and open, and it still does not work.

I can only telnet or SSH into the 2621, so I am not sure if the debug commands will show me anything.

I did get it to work now. I overlooked the fact that my DHCP pool was network 10.1.100.0 and it needed to be 10.1.101.0. Then the router started handing out IPs but not routing/NATing to the internet or internal networks. I added:

access-list 100 permit ip 10.1.101.0 0.0.0.255 any
ip nat inside source list 100 interface dialer1 overload
!
interface fa0/1
 ip nat inside
!
interface dialer1
 ip nat outside

Works now.  Thanks.

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Purple

Cisco 2621 ACL filtering DHCP?

Hi,

ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit udp any any eq bootpc

This will only NAT DHCP replies and nothing else, but you don't have an inside DHCP server allocating addresses to the outside world, so if you want clients to go on the internet you should change this ACL 101 and just put a standard ACL:

access-list 2 permit 10.1.101.0 0.0.0.255
access-list 2 permit aa.bb.cc.xx 0.0.0.3

Now, concerning the DHCP address problem: are your clients on the inside interface of the ASA?

So can you provide the ASA config as well as the output from these 2 commands on the router:

- debug ip dhcp server events
- debug ip dhcp server packets

Regards.

Alain

Don't forget to rate helpful posts.
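Both faults in this thread can be caught by reading the config before the first client plugs in: the poster's DHCP pool (network 10.1.100.0) did not match the subnet of the interface the clients sat on (FastEthernet0/1, 10.1.101.1/24), which is why the statistics showed DHCPDISCOVERs received but no DHCPOFFER sent, and the NAT source list ACL matched only udp eq bootpc, the point Alain makes above. The following Python lint is an added example, not Cisco's code and not the posters' own; it parses a flattened running-config of the kind pasted into the thread (sub-commands need not be indented, blocks end at "!"), and runs over a constructed sample modelled on the posted config plus the fixed variant the poster arrived at. The function names, finding messages and the BROKEN_CONFIG and FIXED_CONFIG samples are my own.

```python
"""Lint an IOS config for the two faults in this thread: a DHCP pool whose network is
not any interface's subnet, and a NAT source list whose ACL matches only DHCP ports."""
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def _blocks(config):
    """Yield (header, body) for interface / ip dhcp pool blocks; a block ends at `!` or
    the next header, so the unindented config pasted into the thread parses too."""
    header, body = None, []
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!" or line.startswith(("interface ", "ip dhcp pool ")):
            if header:
                yield header, body
            header, body = (None if line == "!" else line), []
        elif header and line:
            body.append(line)
    if header:
        yield header, body

def parse_interfaces(config):
    """Map interface name -> (IPv4Interface or None, has 'ip nat inside')."""
    out = {}
    for header, body in _blocks(config):
        if header.startswith("interface "):
            addr = None
            for w in map(str.split, body):  # 'ip address negotiated' leaves addr None
                if w[:2] == ["ip", "address"] and len(w) > 3 and IPV4.match(w[2]):
                    addr = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
            out[header.split()[1]] = (addr, "ip nat inside" in body)
    return out

def parse_dhcp_pools(config):
    """Map pool name -> IPv4Network of its `network A M` line (None if missing)."""
    out = {}
    for header, body in _blocks(config):
        if header.startswith("ip dhcp pool "):
            nets = [w for w in map(str.split, body) if w[0] == "network" and len(w) > 2]
            out[header.split()[3]] = ipaddress.IPv4Network(f"{nets[0][1]}/{nets[0][2]}", strict=False) if nets else None
    return out

def _acl_source(words):
    """Source network of a standard or extended permit entry (words after 'permit')."""
    if words and words[0] not in ("any", "host") and not IPV4.match(words[0]):
        words = words[1:]  # drop the protocol keyword (ip/udp/tcp ...)
    if not words or words[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.IPv4Network(f"{words[1]}/32")
    wild = words[1] if len(words) > 1 and IPV4.match(words[1]) else "0.0.0.0"
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.IPv4Network(f"{words[0]}/{mask}", strict=False)

def parse_acls(config):
    """Map ACL id -> [(source_network, restricted_to_dhcp_ports)] per permit entry."""
    out = {}
    for w in (raw.split() for raw in config.splitlines()):
        if len(w) > 3 and w[0] == "access-list" and w[2] == "permit":
            out.setdefault(w[1], []).append((_acl_source(w[3:]), bool({"bootpc", "bootps"} & set(w))))
    return out

def lint(config):
    """Return findings as strings; an empty list means both checks pass."""
    findings, ifaces = [], parse_interfaces(config)
    subnets = {name: a.network for name, (a, _) in ifaces.items() if a}
    # IOS picks the pool by the subnet of the interface the DISCOVER arrived on; with no
    # matching pool the DISCOVER is counted but no OFFER is ever sent.
    for pool, net in parse_dhcp_pools(config).items():
        if net not in subnets.values():
            known = ", ".join(f"{n} {s}" for n, s in subnets.items())
            findings.append(f"DHCP pool {pool}: network {net} is not the subnet of any interface ({known})")
    inside = [a.network for a, flag in ifaces.values() if flag and a]
    acls = parse_acls(config)
    for acl in re.findall(r"^\s*ip nat inside source list (\S+)", config, re.M):
        usable = any(not dhcp and any(n.subnet_of(src) for n in inside) for src, dhcp in acls.get(acl, []))
        if not usable:
            findings.append(f"NAT source list {acl}: no permit covers an 'ip nat inside' subnet without "
                            "a bootpc/bootps port match, so ordinary client traffic is never translated")
    return findings

# Constructed sample modelled on the posted config: the pool says 10.1.100.0/24 while
# FastEthernet0/1 sits on 10.1.101.0/24, and ACL 101 matches only DHCP replies.
BROKEN_CONFIG = """\
ip dhcp pool DHCP_POOL
   network 10.1.100.0 255.255.255.0
   default-router 10.1.100.1
!
interface FastEthernet0/1
 ip address 10.1.101.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit udp any any eq bootpc
"""
# The poster's fix: pool on the interface's real subnet, and a NAT ACL that permits it.
FIXED_CONFIG = (BROKEN_CONFIG.replace("10.1.100.", "10.1.101.").replace("source list 101", "source list 100")
                .replace("access-list 101 permit udp any any eq bootpc", "access-list 100 permit ip 10.1.101.0 0.0.0.255 any"))

if __name__ == "__main__":
    print(lint(BROKEN_CONFIG), lint(FIXED_CONFIG))
```

Run against BROKEN_CONFIG it reports the pool mismatch first and the DHCP-only NAT ACL second; against FIXED_CONFIG it reports nothing. The wildcard-to-netmask step matters because Python's ipaddress treats 0.0.0.0 after the slash as a netmask, not a hostmask, so standard ACL entries without a wildcard would otherwise parse as 0.0.0.0/0.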