topic Re: 6500 DHCP ISSUE in Network Security

6500 DHCP ISSUE

John Apricena — Mon, 11 Mar 2019 22:03:46 GMT

Hello All,

I am having an issue do DHCP from the 6500, and was hoping someone cant help. So, I tried to setup DHCP from the FWSM to the clients and this worked fine with giving out the IP, however the gateway for devices on the inside is supposed to be the 6500, not the FWSM, which is why the clinets wouldn't get out to the internet. Do I need to set up DHCP relay on the FWSM or does anyone know the way I can setup DHCP on the 6500 to give out IP's to the clients. Again just to reiterate, when I setup DHCP on the FWSM the clinets get the IP's but do not get out to the internet and when I setup DHCP on the 6500 the clients do not get an IP. Also I know tghis is a dhcp issue becasue when I assign a static address on the network the clients get out fine. Thanks in advance for the help!

6500 Config

ip dhcp pool TEST

network 1.1.1.0 255.255.255.0

default-router 1.1.1.1

dns-server x.x.x.x y.y.y.y

FWSM Config

FWSM/TEST# show run

interface Vlan3

nameif outside9

bridge-group 1

security-level 0

interface Vlan203

nameif inside9

bridge-group 1

security-level 100

interface BVI1

ip address 1.1.1.4 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

access-list INSIDE1_IN extended permit ip any any

global (outside1) 1 x.x.x.x

nat (inside1) 1 1.1.1.0 255.255.255.0

access-group INSIDE1_IN in interface inside1

route outside1 0.0.0.0 0.0.0.0 1.1.1.1 1

FWSM/TEST#

6500 DHCP ISSUE

John Apricena — Mon, 19 Dec 2011 19:26:46 GMT

Also this is the error I get in the logs of the FWSM. The pool stats at 100.

Deny inbound udp src outside9:1.1.1.2/67 dst inside9:1.1.1.100/68

6500 DHCP ISSUE

cadet alain — Mon, 19 Dec 2011 19:57:59 GMT

Hi,

could you post your topology.

The DHCP reply from the server is blocked on the FWSM : Deny inbound udp src outside9:1.1.1.2/67 dst inside9:1.1.1.100/68

Regards.

Alain

Re: 6500 DHCP ISSUE

John Apricena — Mon, 19 Dec 2011 21:00:07 GMT

Hello Alain,

Thanks for your quick response. I attached a Diagram of the layout. Just to let you know this is an FWSM with many virtual contexts and most including this one that are Transparent. I understand that I need an access-list on both ends to specifiy so the FWSM opens it, I am just having issue because the FWSM sees this as unsual traffic and the access-list needs to be on-point to work. Thank you for the response and I'll look forward to hearing back from you.

Re: 6500 DHCP ISSUE

John Apricena — Tue, 20 Dec 2011 15:08:45 GMT

This question was in the Switching section but I moved it into the Firewall section seeing as this is an access-list issue. Any help would be greatly appreciated thank you!

6500 DHCP ISSUE

cadet alain — Tue, 20 Dec 2011 15:24:10 GMT

Hi,

I've never implemented transparent firewall but I'll do some research and if I find out something I'll let you know.

Regards.

Alain.

Re: 6500 DHCP ISSUE

John Apricena — Tue, 20 Dec 2011 15:27:33 GMT

Thank You Alain, I will look forward to hearing back from you.

Re: 6500 DHCP ISSUE

John Apricena — Thu, 22 Dec 2011 16:07:57 GMT

Is there anyone that can provide some insight to this? I have tried multiple sequences of access-lists and nothing seems to work. I continue to get the same error in the logs. Thank You in advance!