03-28-2014 02:33 PM - edited 03-11-2019 09:00 PM
Hi. I have an ASA 5505 configured for Transparent Mode. The Outside interface connects to a router (RV042). The router manages DHCP. With the 5505 in the system, all computers can connect to the internet and to each other, except for a few. The problem computers can be made to work if they are set to a specific address, rather than automatically assigned by the router. Some of the iPads work correctly, some do not. At least one Apple Notebook cannot connect even if I enter a static address.
Consulting the documentation, I found that DHCP traffic (UDP ports 67 and 68) needed to be enabled via rules for the Inside and Outside interfaces. I did that in ASDM but now nothing works.
I have pulled the 5505 out of the system and restored it to the configuration that worked for most of the computers.
Any suggestions would be appreciated. I can pull a "show" run from CLI if it is useful.
Thanks...
03-29-2014 07:27 PM
hi jerry,
could you post a show run?
you'll need an inbound and outbound ACL for DHCP to work:
access-list outside_in extended permit udp host <DHCP SVR IP> any eq bootpc
access-list inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
access-list inside_out extended permit udp any host <DHCP SVR IP> eq bootps
access-group outside_in in interface outside
access-group inside_out out interface inside
03-30-2014 05:49 PM
Hello,
So adding to John,
The actual ACLs you will need are
access-list outside_in extended permit udp host <DHCP SVR IP> any eq 68
Any other service you need from out to in will need to be permitted here
access-list inside_out extended permit udp host 0.0.0.0 host 255.255.255.255 eq 67
access-list inside_out extended permit ip any any (Otherwise all internal traffic going to the outside world will be denied)
If you don't add that you might end up breaking everything, as you said
access-group outside_in in interface outside
access-group inside_out out interface inside
Regards,
03-30-2014 07:42 PM
03-30-2014 07:55 PM
As I said before, with that ACL you are closing all other traffic from inside to outside. Quite sure that will get you in problems if this is a production box.
Now, for the ACL, the lines I sent are the ones needed.
Are you sure the traffic actually comes from Inside to outside and not backwards?
If the answer is yes, then do a capture on both interfaces matching only DHCP Packets
Regards
Jcarvaja
03-31-2014 08:16 AM
Understood. I tried adding the "inside_out extended permit ip any any" command, but it made no difference. Because the implicit rule (permit ip traffic to any less secure interface) is still in the access list table, it would seem the additional extended rule is not needed.
When I first received the 5505, it had an older version of firmware. At the time, when I entered any rule in ASDM it deleted the "less secure" implicit rule, which then broke the system since there was no path for internet traffic from inside to outside, as you have stated. With the newest firmware release, however, when I enter a rule, the "less secure" implicit rule does not go away.
So, with help from the folks here I have made progress. Right now the issue is that when the 5505 in Transparent Mode is between the router and user computers, the computers cannot reliably get addresses that are auto-assigned by the router.
Looking through the logs displayed on ASDM, I noticed the following curious statement:
"6 Mar 31 2014 07:16:42 fe80::1131:41c2:3627:8339 63575 ff02::1:3 5355 No management IP address configured for transparent firewall. Dropping protocol UDP packet from outside:fe80::1131:41c2:3627:8339/63575 to inside:ff02::1:3/5355"
However, I have configured a management IP address, and it is listed in the "show" document that I posted yesterday:
!
interface BVI1
ip address 192.168.1.10 255.255.255.0
!
So, I am confused.
I appreciate the help. I am new to the 5505, although I participated as a "friendly" in the ASA program some years ago. I recall a similar problem with that setup. Regrettably, I can't remember how we fixed it...
Regards...
04-01-2014 07:34 AM
The issue you are having is because of how DHCP sends requests. It sends requests to the address of 0.0.0.0 255.255.255.255. Now I don't know why the security levels do not apply to the DHCP request, but for some reason it doesn't. This means you need an access list applied to the inside interface in the inbound direction. This ACL needs to have a source of any with a destination of the router. Now keep in mind that the inside hosts should be able to access the internet, so if I were you I would consider putting a permit IP any any on the inside interface and then, if required, place deny statements above the permit. You do not need the outbound ACL on the inside interface; remove that. Your ACL statements should look something like this (I am assuming the DHCP range is 192.168.1.0/24):
access-list OUT-TO-IN permit udp host <router-IP> 192.168.1.0 255.255.255.0 eq 67
access-list OUT-TO-IN permit udp host <router-IP> 192.168.1.0 255.255.255.0 eq 68
access-list IN-TO-OUT permit ip any any
access-group IN-TO-OUT in interface inside
access-group OUT-TO-IN in interface outside
--
Please remember to rate and select a correct answer
04-08-2014 01:27 PM
Regarding: access-list IN-TO-OUT permit ip any any
I'm struggling with this problem myself right now. There is something about this ACL that seems a little off to me. It works, yes. In fact, I got it to work without even doing the OUT-TO-IN ACL. The thing I am uncomfortable with is an ACL that permits ABSOLUTELY EVERYTHING! Doesn't this circumvent the other security policies I have configured on my ASA?
04-09-2014 05:08 AM
Well, if you think about it, let's say we remove that any any ACL and just let the security levels do their work (which for some reason doesn't work on the DHCP packets): you are still allowing everything from a higher security level to a lower security level, so in essence a permit any any statement from the inside network to the outside. The other security policies are not affected, but then again, from the configuration you posted, you don't have much configured on there.
It is a very common practice to permit everything from the inside network out, as it is "supposed" to be a secure network. However, if you are uncomfortable doing this you can always tighten the security a bit by only allowing traffic with a source address of 192.168.1.0/24. So your ACLs would look something like this:
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68
access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any
This will allow the initial DHCP packets through then limit any further traffic to the internet or otherwise to having a source address within the 192.168.1.0/24 subnet.
--
Please remember to rate and select a correct answer
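As an added illustration of the point made in the answer above (this is my own example, not code from any post in this thread or from Cisco): a small Python model of first-match evaluation of ASA extended ACL entries with the implicit deny at the end, run against the three IN-TO-OUT lines. It shows why the DHCP broadcast entries are needed at all: a DHCPDISCOVER is sourced from 0.0.0.0, which the "permit ip 192.168.1.0 255.255.255.0 any" line alone never matches. The parser only handles the any/host/network-mask address forms used in the thread, and the sample packets are constructed; the assumption that "eq PORT" refers to the destination port is mine.

```python
import ipaddress

# The ACL from the answer above (constructed copy for the demo).
ACL_IN_TO_OUT = [
    "access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67",
    "access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68",
    "access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any",
]

def _parse_addr(tokens):
    """Consume one address spec (any | host A | NET MASK) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA uses a normal netmask, not a wildcard mask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    _, name, action, proto = tokens[:4]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None  # assumed: destination port
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """First matching entry wins; no match means the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny ip any any

if __name__ == "__main__":
    # DHCPDISCOVER: the client has no address yet, so it is sourced from 0.0.0.0
    print(evaluate(ACL_IN_TO_OUT, "udp", "0.0.0.0", "255.255.255.255", 67))      # permit
    print(evaluate(ACL_IN_TO_OUT[2:], "udp", "0.0.0.0", "255.255.255.255", 67))  # deny
    print(evaluate(ACL_IN_TO_OUT, "tcp", "192.168.1.50", "203.0.113.10", 443))   # permit
    print(evaluate(ACL_IN_TO_OUT, "tcp", "10.0.0.5", "203.0.113.10", 443))       # deny
```

The second call, with only the subnet line in place, is the situation the thread started from: the LAN hosts can browse, but a fresh DHCP request from 0.0.0.0 is silently dropped.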
04-10-2014 05:55 AM
Makes complete sense. Thank you for your quick and detailed response.
04-10-2014 08:47 AM
Any time, let us know if you need further help
--
Please remember to rate and select a correct answer