topic DHCP Problem with ASA 5505 in Network Security

DHCP Problem with ASA 5505

Jon Barbee — Tue, 12 Mar 2019 04:00:36 GMT

Hi. I have an ASA 5505 configured for Transparent Mode. The Outside interface connects to a router (RV042). The router manages DHCP. With the 5505 in the system, all computers can connect to the internet and to each other, except for a few. The problem computers can be made to work if they are set to a specific address, rather than automatically assigned by the router. Some of the iPads work correctly, some do not. At least one Apple Notebook cannot connect even if I enter a static address.

Consulting the documentation, I found that DHCP traffic (UPD Port 67 and 68) needed to be enabled via rules for the Inside and Outside interfaces. I did that in ASDM but now nothing works.

I have pulled the 5505 out of the system and restored it to the configuration that worked for most of the computers.

Any suggestions would be appreciated. I can pull a "show" run from CLI if it is useful.

Thanks...

hi jerry,could you post a

johnlloyd_13 — Sun, 30 Mar 2014 02:27:06 GMT

hi jerry,

could you post a show run?

you'll need an inbound and outbound ACL for DHCP to work:

outside_in extended permit udp host <DHCP SVR IP> any eq bootpc
inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
inside_out extended permit udp any <DHCP SVR IP> eq bootps

access-group outside_in in interface outside
access-group inside_out out interface inside

Hello, So adding the John,

Julio Carvajal — Mon, 31 Mar 2014 00:49:26 GMT

Hello,

So adding the John,

The actual ACLs u will need are

outside_in extended permit udp host <DHCP SVR IP> any eq 68

Any other service you need from out to in will need to be permited here

inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq 67

inside_out extended permit ip any any (Otherwise all internal traffic going to the outside world will be denied)

If u dont add that u might end breaking everything as you said

access-group outside_in in interface outside
access-group inside_out out interface inside

Regards,

Thanks for the help on this.

Jon Barbee — Mon, 31 Mar 2014 02:42:58 GMT

Thanks for the help on this. I have entered the commands in the responses to this posting. Unfortunately, the DHCP traffic is not going through. Attached is a show current-config file.

I'm sure I missed something...just don't know what.

Best regards...

As I said before with that

Julio Carvajal — Mon, 31 Mar 2014 02:55:55 GMT

As I said before with that ACL you are closing all other traffic from inside to outside, Quite sure that will get you in problems if this is a production box.

Now, for the ACL the lines I sent are the ones needed

Are you sure the traffic actually commes from Inside to outside and not backwards??

If the answer is yes, then do a capture on both interfaces matching only DHCP Packets

Regards

Jcarvaja

Understood. I tried adding

Jon Barbee — Mon, 31 Mar 2014 15:16:15 GMT

Understood. I tried adding the "inside_out extended permit ip any any" command, but it made no difference. Because the implicit rule (permit ip traffic to any less secure interface) is still in the access list table, it would seem the additional extended rule is not needed.

When I first received the 5505, it had an older version of firmware. At the time, when I entered any rule in ASDM it deleted the "less secure" implicit rule, which then broke the system since there was no path for internet traffic from inside to outside, as you have stated. With the newest firmware release, however, when I enter a rule, the "less secure" implicit rule does not go away.

So, with help from the folks here I have made progress. Right now the issue is that when the 5505 in Transparent Mode is between the router and user computers, the computers cannot reliably get addresses that are auto-assigned by the router.

Looking through the logs displayed on ASDM, I noticed the following curious statement:

"6 Mar 31 2014 07:16:42 fe80::1131:41c2:3627:8339 63575 ff02::1:3 5355 No management IP address configured for transparent firewall. Dropping protocol UDP packet from outside:fe80::1131:41c2:3627:8339/63575 to inside:ff02::1:3/5355"

However, I have configured a management IP address, and it is listed in the "show" document that I posted yesterday:

!
interface BVI1
ip address 192.168.1.10 255.255.255.0
!

So, I am confused.

I appreciate the help. I am new to the 5505, although I participated as a "friendly" in the ASA program some years ago. I recall a similar problem with that setup. Regrettably, I can't remember how we fixed it...

Regards...

The issue you are having is

Marius Gunnerud — Tue, 01 Apr 2014 14:34:16 GMT

The issue you are having is because of how DHCP sends requests. It sends requests to the address of 0.0.0.0 255.255.255.255. Now I don't know why the security levels do not apply to the DHCP request, but for some reason it doesn't. this means you need an access list applied to the inside interface in the inbound direction. this ACL needs to have a source of any with a destination of the router. Now keep in mind that the inside hosts should be able so access the internet so if I were you I would consider putting a permit IP any any on the inside interface and then if required, place deny statements above the permit. You do not need the outbound ACL on the inside interface to remove that. Your ACL statements should look something like this (I am assuming the DHCP range is 192.168.1.0/24:

access-list OUT-TO-IN permit udp host <router-IP> 192.168.1.0 255.255.255.0 eq 67

access-list OUT-TO-IN permit udp host <router-IP> 192.168.1.0 255.255.255.0 eq 68

access-list IN-TO-OUT permit ip any any

access-group IN-TO-OUT in interface inside

access-group OUT-TO-IN in interface outside

Please remember to rate and select a correct answer

Regarding: access-list IN-TO

euchredog — Tue, 08 Apr 2014 20:27:19 GMT

Regarding: access-list IN-TO-OUT permit ip any any

I'm struggling with this problem myself right now. There is something about this ACL that seems a little off to me. It works, yes. In fact, I got it to work without even doing the OUT-TO-IN ACL. The thing I am uncomfortable with is an ACL that permits ABSOLUTELY EVERYTHING! Doesn't this circumvent the other security policies I have configured on my ASA?

Well, if you think about it,

Marius Gunnerud — Wed, 09 Apr 2014 12:08:19 GMT

Well, if you think about it, lets say we remove that any any ACL and just let the security levels do their work (which for some reason doesn't work on the DHCP packets) you are still allowing everything from a higher security level to a lower security level...so in essence a permit any any statement from the inside network to the outside. The other security policies are not affected...but then again from your configuration you posted, you don't have much configured on there.

It is a very common practice to permit everything from the inside network out, as it is "supposed" to be a secure network. However, if you are uncomfortable doing this you can always tighten the security a bit by only allowing traffic with a source address of 192.168.1.0/24. So your ACLs would look something like this:

access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67

access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68

access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any

This will allow the initial DHCP packets through then limit any further traffic to the internet or otherwise to having a source address within the 192.168.1.0/24 subnet.

Please remember to rate and select a correct answer

Makes complete sense. Thank

euchredog — Thu, 10 Apr 2014 12:55:23 GMT

Makes complete sense. Thank you for your quick and detailed response.

Any time , Let us know if

Marius Gunnerud — Thu, 10 Apr 2014 15:47:43 GMT

Any time , Let us know if you need further help

Please remember to rate and select a correct answer