When I enable basic firewall through SDM it breaks DHCP

slerbeton79
Level 1

First I apologise if this is in the wrong location but I am stumped. Using SDM, when I go through the firewall wizard and choose basic firewall, and choose low security, even though it detects my WAN outside interface as a DHCP client and prompts to allow DHCP traffic, I am unable to receive an IP from my ISP.

My full config is attached

8 Replies

Giuseppe Larosa
Hall of Fame

Hello Sheldon,

SDM implements a zone-based firewall: there is an in-zone = internal interface, an out-zone = interface to ISP, and self = router.

The lines that specify how to behave are:

zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect

referenced objects:

policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass

class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access

class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp


! the DHCP request should be able to go out on the WAN FE that is in out-zone.

! traffic coming back from out-zone to the router is verified by the following lines:

zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit

! going on invoked objects:

policy-map type inspect sdm-permit
 class class-default
  drop
!

traffic coming from out-zone and directed to the router is dropped. Add on the CLI:

get enable access via console or telnet on the internal interface

config t

! bootp is not an IOS port keyword; DHCP replies arrive from server port bootps (67)
! to the router's client port bootpc (68)
access-list 111 permit udp any eq bootps any eq bootpc

class-map type inspect match-all dhcp-return
 match access-group 111

rewrite the policy as:

no policy-map type inspect sdm-permit

! to delete the current policy-map

! then add

policy-map type inspect sdm-permit
 class type inspect dhcp-return
  pass
 class class-default
  drop

Hope to help
Giuseppe

Well this change certainly allows DHCP to pass through and I can get an IP from my ISP, but it also completely disables the firewall as well... I am trying to keep the firewall with the config I have but change it so DHCP traffic is allowed. The SDM provides a prompt to allow DHCP but it doesn't work...

Hello Sheldon,

>> but it also completely disables the firewall as well.

This is not correct: your zone-based firewall should still be there, just relaxed on bootp traffic.

>> The SDM provides a prompt to allow DHCP but it doesn't work...

A workaround has been proposed; feel free to not implement it.

Hope to help

Giuseppe

Okay I made a mistake on the CLI... the new commands were added but it still didn't work. Attached is the new error from DHCP I get....

Hello Sheldon,

I would say that these error messages demonstrate that now the router can receive bootp packets on the WAN interface associated with out-zone.

It would be interesting to see if your router is able to send out its own DHCP requests.

If you access the router from the console you can do the following:

enable the DHCP debugging

shut the WAN FastEthernet

enable it again

let's see if it shows its own packets sent out

also check with sh interface fasx/y what MAC address is on your interface, to see if these messages really are out of context.

where fasx/y is the WAN-facing interface

Hope to help

Giuseppe

Okay so here's the screenshot of the DHCP log and the result of sh int, as well as the new config file.

Hello Sheldon,

I don't see the new service-policy sdm-permit applied:

zone-pair security sdm-zp-out-self source out-zone destination self

it should be changed to:

zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit

Hope to help

Giuseppe
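As an added example (not from this thread or from SDM), a small Python audit of the out-zone -> self zone-pair that automates the two checks made above: whether a service-policy is applied to the pair, and whether its policy-map passes bootps/bootpc replies before class-default drops them. The sample configs are constructed from the lines quoted in this thread, not the poster's attachment; the function names are my own.

```python
# Constructed sample: the out-zone -> self pair after the dhcp-return workaround.
WITH_DHCP_FIX = """\
access-list 111 permit udp any eq bootps any eq bootpc
class-map type inspect match-all dhcp-return
 match access-group 111
policy-map type inspect sdm-permit
 class type inspect dhcp-return
  pass
 class class-default
  drop
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
"""
# Constructed sample: the same pair as SDM generated it (policy-map with only
# class-default drop), i.e. the fix's first three lines and its pass class removed.
SDM_DEFAULT = "\n".join(WITH_DHCP_FIX.splitlines()[3:4] + WITH_DHCP_FIX.splitlines()[6:])

def parse_blocks(config):
    """Map each top-level IOS command to its (stripped) indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            blocks[(current := line.strip())] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def dhcp_reply_verdict(config):
    """ZBF action applied to DHCP server replies (bootps -> bootpc) entering the self zone."""
    blocks = parse_blocks(config)
    pair = next((k for k in blocks if k.startswith("zone-pair security ")
                 and k.endswith(" source out-zone destination self")), None)
    if pair is None:
        return "no out-zone->self zone-pair"
    applied = [l.split()[-1] for l in blocks[pair] if l.startswith("service-policy type inspect ")]
    if not applied:
        return "no service-policy applied to zone-pair"
    pmap = blocks.get(f"policy-map type inspect {applied[0]}", [])
    for cls, action in zip(pmap, pmap[1:]):  # a class line is followed by its action line
        if cls.startswith("class type inspect "):
            acls = [m.split()[-1] for k, subs in blocks.items() for m in subs
                    if k.startswith("class-map type inspect ") and k.endswith(" " + cls.split()[-1])
                    and m.startswith("match access-group ")]
            if any(k.startswith(f"access-list {acl} permit udp") and "bootp" in k
                   for acl in acls for k in blocks):
                return action  # "pass" lets the replies reach the router's DHCP client
    # No class matched DHCP explicitly, so class-default decides (SDM sets it to drop).
    return next((pmap[i + 1] for i, l in enumerate(pmap[:-1]) if l == "class class-default"), "drop")
```

Run it over the output of show running-config to confirm the workaround is both present and applied; a verdict other than pass explains why the router never sees the ISP's DHCP offer.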

Okay, attached is the updated config, but I'm still getting the received bootrep pkt Not for US error. Any more ideas?
