topic Re: No dhcp through Zone-based Firewall in Network Security

No dhcp through Zone-based Firewall

robertcater3 — Tue, 12 Mar 2019 01:00:50 GMT

Hello!

I have a 2801 that I am using ZBFW on and having issue getting DHCP. My policies are very simple, inspect from insidezone to outside and inspect on ports from outside to insidezone (for my port forwards). With no self zone policies in place I can get dhcp and everything works no problem. I am wondering if there is a way to implement some policies drop inbound connections (stealth mode) without also blocking my dhcp.

Here are the security commands i am entering which enable traffic drops but also block my dhcp-

class-map type inspect match-any class-icmp-1

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any class-dhcp

match protocol bootpc

policy-map type inspect pol-icmpreply

class type inspect class-icmp-1

inspect

class type inspect class-dhcp

pass

class class-default

drop

policy-map type inspect pol-permit

class class-default

pass

zone-pair security self-OUT source self destination OutsideZone

service-policy type inspect pol-icmpreply

zone-pair security OUT-self source OutsideZone destination self

service-policy type inspect pol-permit

I have assigned my outside interface with the OutsideZone as well. The are the only commands I enter that seem to cause my problem. I feel like I am just missing something. I went over all the zone-based firewall guides on the cisco site that I could find but I am sadly lost.

No dhcp through Zone-based Firewall

Jennifer Halim — Thu, 14 Feb 2013 14:27:09 GMT

Try to configure UDP/67 for OutsideZone to Self zone, and UDP/68 for Self zone to OutsideZone.

Because DHCP requests are on UDP/68 and DHCP server replies with UDP/67.

No dhcp through Zone-based Firewall

robertcater3 — Thu, 14 Feb 2013 15:00:10 GMT

Thank you Jennifer, I will try this out when I get home. I am just somewhat confused, I can see adding the rule from outside -> self, but wouldnt the udp inspect from self -> outside cover the outgoing?

Re: No dhcp through Zone-based Firewall

robertcater3 — Thu, 14 Feb 2013 18:37:39 GMT

I think I got it worked out by making some changes. I put the pass class-map for dhcp first and then put the inspect class-map in place. Still not sure why it wouldn't work with inspect udp, but I am happy enough to have it working.

policy-map type inspect pol-icmpreply

class type inspect class-dhcp

pass

class type inspect class-icmp-1

inspect

class class-default

drop