07-06-2013 09:36 AM - edited 03-11-2019 07:08 PM
Hi Everyone,
ASA has DMZ interface and it has ACL deny ip any any.
Then it has a few ACLs that allow http, https, dns, and other traffic from the DMZ to the outside.
Users are getting IP from the DHCP pool which is configured for interface DMZ.
Need to know how users are getting an IP on the PC from the DMZ pool even though DHCP requests or broadcasts are not allowed under the ACL?
Config of ASA is attached.
Regards
Mahesh
Solved! Go to Solution.
07-06-2013 09:48 AM
On the ASA, the ACLs on the interface filter traffic through the ASA, but not traffic that is for the ASA. When a client sends a DHCP-broadcast, that is traffic that is for the ASA (as you have enabled the DHCP-server), so you don't need an ACE for that.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
07-06-2013 09:49 AM
Hi Mahesh,
The ASA acts a bit differently than what you might have been used to with a Cisco router. On a Cisco router, having an ACL that denies traffic could mean that you were actually blocking DHCP operation on the router itself for the hosts.
On the ASA, however, the typical interface ACL won't affect DHCP operation at all. So if you have configured an ACL and DHCP on the ASA interface, then the DHCP operation won't be blocked.
- Jouni
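To make the two answers above concrete, here is an added ASA configuration fragment (written for this note, not the poster's attached config) that shows the situation being described: a DMZ interface with an explicit deny-all ACL applied inbound, and the ASA itself serving DHCP on that same interface. The interface, addresses, ACL name and DNS server address are constructed placeholders.

```cisco
! Added illustration, not the original poster's configuration.
! Interface name, addressing and ACL name are placeholders.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Through-the-box policy for hosts on the DMZ: only these services may
! leave the segment; everything else is dropped (and logged).
access-list DMZ_IN extended permit udp any any eq domain
access-list DMZ_IN extended permit tcp any any eq www
access-list DMZ_IN extended permit tcp any any eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! DHCP server on the same interface. A client's DISCOVER/REQUEST is
! addressed to the ASA itself (to-the-box traffic), so it is never
! evaluated against DMZ_IN; no permit for udp/67-68 is needed.
dhcpd address 192.168.10.10-192.168.10.100 dmz
dhcpd dns 192.0.2.53
dhcpd lease 3600
dhcpd enable dmz
```

Two checks confirm the behaviour on a running box: `show dhcpd binding` lists the leases handed out on the DMZ, while `show access-list DMZ_IN` shows the hit counts on the `deny ip any any` line not moving for DHCP traffic. The practical consequence for anyone relying on that ACL as a control is that it says nothing about who can obtain a lease; if the ASA should not serve addresses on that segment, the DHCP service has to be disabled on the interface (`no dhcpd enable dmz`) rather than filtered with an ACE.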
07-07-2013 07:45 AM
Hi Karsten & Jouni,
Thanks for your wonderful explanation.
Best regards
Mahesh