ASA5505 Port 68 issue - cannot block it on the wan/outside interface - V 8.4.7


I set up my ASA5505 to get the public IP address from the outside/WAN interface 0/0 on VLAN 90 (my cable provider via DHCP), and the inside interface gives DHCP addresses to my local LAN. I have denied all the traffic on the outside interface coming in and allowed domain/http/https from the inside to anywhere.


I ran the packet tracer and I noticed that traffic coming from any IP on the outside targeting UDP port 68 or 67 (broadcast traffic) is allowed, and I see the packets being built even though my outside ACL is deny any any. Not sure how to resolve the issue as I gave up on all the solutions :/

interface Ethernet0/0
 *outside facing the internet*
 switchport access vlan 90
interface Ethernet0/1
 switchport access vlan 50

interface Vlan50
 nameif inside
 security-level 100
 ip address
interface Vlan90
 description OUTSIDE to Internet
 nameif outside
 security-level 0
 ip address dhcp setroute


dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

service-policy global_policy global

packet-tracer input outside udp 1234 68 detailed


Phase: 1
Subtype: l2-selective
Result: ALLOW
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca2a13a0, priority=13, domain=punt, deny=false
        hits=3, user_data=0xca2a1430, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Result: ALLOW
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca2830b0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

input-interface: outside
input-status: up
input-line-status: up
Action: allow


This should not be allowed, as I have a deny any any on the outside interface.


Jouni Forss



Can you show the actual "access-list" and "access-group" configurations?


show run access-list


show run access-group


My own ASA 5505 running 8.4(5) blocks the above mentioned "packet-tracer" output. I wonder if it's in any way related to the WAN interface being set as a DHCP client? Though, if I am not wrong, the port UDP/68 should only be the destination port for connections to the DHCP server.


Have you tried to make a separate ACL and attach it to the WAN interface as a "control-plane" ACL that blocks/permits traffic to the actual ASA interface?

You attach it to the interface with the command


access-group <acl name> in interface <interface name> control-plane


You can naturally have a normal interface ACL that controls traffic "through the box" and a "control-plane" ACL that controls traffic "to the box".


- Jouni



I have tried to put the control-plane ACL in place, but without any luck. This is driving me crazy, as I feel someone can run a DHCP attack and my firewall will build those messages. I don't even see the hits when I run the packet tracer on the new ACL. Here is my config:


If I remove the ip address dhcp setroute then everything is normal. Not sure if it's even possible to block this type of traffic.


object network INSIDE-NETWORKS
object-group service MY-PORTS
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https


access-list inside_acl extended permit object-group MY-PORTS object INSIDE-NETWORKS any
access-list inside_acl extended permit ip object INSIDE-NETWORKS object INSIDE-NETWORKS
access-list outside_acl extended deny ip any any

**new control plane acl**

access-list cpl-acl; 1 elements; name hash: 0xe068185
access-list cpl-acl line 1 extended deny udp any any log informational interval 300 (hitcnt=0) 0xcfe2e0a1


access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group cpl-acl in interface outside control-plane




Rising star


I believe this is because of the ip address dhcp enabled on the outside interface. I do not get such packet-tracer output in a statically assigned environment. But if you apply the ACL to the control-plane, it is applicable to the box, which might affect the DHCP assignment to your outside interface.

UDP port 67 is the destination port of a server, and UDP port 68 is used by the client.




Yes, I tested on another ASA that has a static IP and the traffic is dropped. I don't like the fact that those broadcast messages are being built even though I am blocking everything; hence someone could use my IP as a target for DHCP attacks if they spoof their source.
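Putting Jouni's two-ACL layout (through-the-box ACL plus control-plane ACL) together with the DHCP-client caveat from the "Rising star" reply, as an added example that is not part of any post in this thread: the through-the-box ACL stays at deny-all, while the control-plane ACL first permits the one to-the-box flow an outside interface configured with ip address dhcp needs (server port bootps/67 to client port bootpc/68) and then denies and logs the rest. The ACL names and the 203.0.113.0/24 addresses are placeholders I chose. Whether the ASA evaluates the control-plane ACL against its own DHCP client traffic at all is exactly what this thread leaves open, so the packet-tracer and hit-count commands at the end are how to confirm the behaviour on a given release.

```cisco
! Added example, not from the thread. ACL names and 203.0.113.x addresses are placeholders.

! Through-the-box traffic arriving on outside: deny everything and log the drops.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Traffic addressed to the ASA itself on outside (control-plane ACL).
! Permit replies to the interface's own DHCP client before the deny:
! server source port bootps (67) to client destination port bootpc (68).
access-list OUTSIDE-CP extended permit udp any eq bootps any eq bootpc
! Deny and log any other UDP aimed at the box, so packets sent to port 68
! or 67 from a source port other than 67 are dropped and show a hit count.
access-list OUTSIDE-CP extended deny udp any any log
access-group OUTSIDE-CP in interface outside control-plane

! Verification. 203.0.113.5 and 203.0.113.9 stand in for outside hosts,
! 203.0.113.1 for the ASA's own outside address.
! 1) forged packet from an arbitrary source port: expect the OUTSIDE-CP deny
packet-tracer input outside udp 203.0.113.5 1234 203.0.113.1 68 detailed
! 2) packet from a server port: expect the OUTSIDE-CP permit
packet-tracer input outside udp 203.0.113.9 67 203.0.113.1 68 detailed
! hitcnt on each line shows which entry the two tests matched
show access-list OUTSIDE-CP
show run access-group
```

The trailing deny udp any any also covers other UDP the ASA itself may receive on outside, such as DNS or NTP replies to connections the box originates; if the ASA relies on those, add matching permit lines above the deny in the same ACL.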
