Cisco Support Community
New Member

DHCP WAN vs. CBAC hardening

I'm setting up my router using the Cisco cable modem card. It was all working fine until I started hardening the router. In particular, I set up CBAC and set the incoming interface to deny all IP requests. Since the cable provider uses DHCP to provision addresses, I'm suspecting that I'm blocking replies from the DHCP server. Anyone run into something similar and have a secure solution?

Thanks,

Greg

3 REPLIES
Hall of Fame Super Silver

Re: DHCP WAN vs. CBAC hardening

Hello Greg,

DNS requests use UDP port 53.

You may need to enable UDP protocol inspection.

With UDP inspection configured, replies will only be permitted back in through the firewall if they are received within a configurable time after the last request was sent out. (This time is configured with the ip inspect udp idle-time command.)

But the DHCP request is generated on the WAN interface itself, not on the private interface (protected network), so you may need an inbound extended ACL with two statements: permit incoming DHCP traffic and deny everything else.

Temporary openings will be made by CBAC for return traffic to the protected network.

Hope to help

Giuseppe

New Member

Re: DHCP WAN vs. CBAC hardening

Thanks Giuseppe, that's what I was suspecting. Since the packets are originating on the WAN side, I couldn't figure out how to have the rules be safe. The DHCP packets are broadcasts and without CBAC, it isn't clear how to relate what comes in to what went out. What are the two rules you had in mind?

Thanks,

Greg

Hall of Fame Super Silver

Re: DHCP WAN vs. CBAC hardening

Hello Greg,

I was thinking of an extended ACL to be applied inbound on the WAN interface, made of three statements:

! DHCP server replies arrive from UDP port 67 (bootps) to the client port 68 (bootpc)
access-list 161 permit udp any eq bootps any eq bootpc
access-list 161 deny tcp any any
access-list 161 deny udp any any

I understand that this is not the best from a security point of view, but you need to get a public IP address on the WAN interface: without it your router is isolated.

I would try this to see if it allows you to get an IP address and still protects the private network from TCP and UDP flows started from the outside world.

Hope to help

Giuseppe
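As an added example (not part of the original thread, and not Giuseppe's or Greg's configuration), here is a complete IOS configuration that puts the two replies above together: CBAC inspection applied inbound on the LAN interface, so that return traffic for LAN-originated TCP and UDP flows gets temporary openings in the WAN ACL, and a static inbound WAN ACL that admits only DHCP server replies for the router's own DHCP client, which CBAC cannot open dynamically because that traffic never crosses the inspected LAN interface. The interface names, the inspection rule name CBAC, the LAN addressing, the idle-time value and the use of ACL number 161 (reused from the post) are all assumptions; adjust them to your platform.

```cisco
! Added example, not from the original thread. Interface names and addresses are assumed.
!
! CBAC inspection rule: inspect TCP and UDP sessions leaving the LAN so that only
! their replies are let back in through the inbound WAN ACL.
ip inspect name CBAC tcp
ip inspect name CBAC udp
! A UDP "session" is closed this many seconds after the last packet; replies
! arriving later are dropped by the static ACL (30 s is the IOS default, set here explicitly).
ip inspect udp idle-time 30
ip inspect audit-trail
!
! Static inbound WAN ACL. The router's own DHCP client sends from the WAN interface,
! so no CBAC opening exists for it: server replies (source port 67 bootps, destination
! port 68 bootpc) need an explicit permit. Everything else started from outside is denied
! and logged; CBAC inserts its temporary entries ahead of these static denies.
access-list 161 remark Allow DHCP server replies to the router's own DHCP client
access-list 161 permit udp any eq bootps any eq bootpc
access-list 161 deny   tcp any any log
access-list 161 deny   udp any any log
access-list 161 deny   ip  any any log
!
interface Cable-Modem0/0
 description WAN (assumed interface name)
 ip address dhcp
 ip access-group 161 in
 no cdp enable
!
interface FastEthernet0/0
 description LAN (assumed interface name and addressing)
 ip address 192.168.1.1 255.255.255.0
 ip inspect CBAC in
!
! Verification from exec mode:
!   show dhcp lease            - the WAN interface obtained and keeps renewing an address
!   show ip access-lists 161   - hit counts on the bootps/bootpc permit and on the denies
!   show ip inspect sessions   - temporary openings created for LAN-originated flows
```

Note that the explicit deny ip any any log also drops all inbound ICMP, including echo replies to pings started from the LAN unless the IOS release in use supports icmp inspection; add a narrow permit for the ICMP types you rely on if that matters. The permit line is deliberately limited to the bootps to bootpc port pair rather than to any UDP traffic, so a host on the provider segment cannot reach arbitrary UDP services on the router through the DHCP hole.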
