06-25-2007 05:27 AM - edited 03-11-2019 03:34 AM
hi
The ASA is running in transparent mode. Our DHCP server is on the outside, and our clients are behind the inside interface.
The problem is that the PCs can't get an IP address using DHCP.
Because DHCP relay services are not available in transparent firewall mode, how should I configure the ACL to permit DHCP requests and replies to go through the transparent ASA?
Thanks very much !!
06-25-2007 05:39 AM
Note: DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through. All other traffic requires an access control list (ACL). In order to allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs:
* One ACL that allows DHCP requests from the inside interface to the outside
and
* One ACL that allows the replies from the server in the other direction
06-25-2007 05:49 AM
I know that I need to configure two ACLs, but how do I configure them?
Like:
access-list dhcp permit ip (or udp ??) x.x.x.x host x.x.x.x ?
Please give me an example, thanks very much!
06-25-2007 06:08 AM
RFC 1531 states "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)"
..so...you need something like:
access-list inside_acl permit udp any host dhcp_server eq 67
access-list outside_acl permit udp host dhcp_server any eq 68
access-group inside_acl in interface inside
access-group outside_acl in interface outside
06-25-2007 06:16 AM
Thanks srue,
I have configured the interfaces using:
access-list test permit ip any any
access-group test in interface inside
access-group test in interface outside
I have let all IP packets (including UDP packets?) through the ASA with "access-list test permit ip any any", but it doesn't work. Must I define the UDP access-list?
Thanks!
06-25-2007 06:15 AM
Have you tried this?
access-list acl-outside permit udp {network outside, can be specific to DHCP server} {network inside} eq 67
access-list acl-inside permit udp {network inside} {network outside, can be specific to DHCP server} eq 68
Sorry, sent same as above.
06-25-2007 06:38 AM
tell us more about your network...
are there any other filtering devices between the dhcp server and dhcp clients?
add in the specific dhcp acl entries, then enter the permit ip any any entries for each ACL...
then look at the hitcount to see if the dhcp acl entries are increasing when a dhcp address is requested....
please note, something else besides the firewall needs to forward the dhcp requests to the dhcp server's specific IP address...in a router, this would be an 'ip helper-address'...
are the client PCs connected to a switch which is connected to the firewall? if so, is it a layer two switch or multilayer switch?
07-06-2021 02:49 AM
Hi Srue,
This http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml link is unreachable.
Do you have any document for reference?
Nicholas
09-21-2007 03:13 AM
Hi
This worked for me
access-list traffic_inbound extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
Cheers
Andy
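The two ACL proposals in this thread (srue's `permit udp any host dhcp_server eq 67` pair and Andy's `host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps` entry) differ in one detail that decides whether a brand-new client gets an address: a DHCPDISCOVER is sent from 0.0.0.0 port 68 to the limited broadcast 255.255.255.255 port 67, because the client does not yet know the server, so an entry that names the server as the destination host only matches later unicast renewals. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for ASA-style `permit udp`/`permit ip` entries that runs the posted ACLs against a constructed DISCOVER/OFFER/RENEW exchange. The server address `192.0.2.10` stands in for the thread's `dhcp_server` placeholder, and the packet addresses follow RFC 2131 for a client and server on the same broadcast domain with no relay.

```python
"""Added example (not code from the thread or from Cisco): a simplified
evaluator for ASA-style access-list entries, used to check which of the
ACLs posted above match each step of a DHCP exchange.  It models only
'permit' entries for protocol 'udp' or 'ip' with any/host/network-mask
addresses and optional 'eq' ports, which is all the thread uses."""

from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Service names the ASA accepts in place of the numeric DHCP ports.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# Constructed placeholder for the thread's "dhcp_server" (documentation range).
DHCP_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    """A UDP datagram as seen by the firewall (constructed test data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One parsed access-list entry ('ip' carries no port checks)."""
    proto: str
    src_net: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        # All constructed packets are UDP, so 'ip' and 'udp' both apply;
        # a None port means the entry did not constrain that port.
        return (
            ipaddress.ip_address(pkt.src_ip) in self.src_net
            and (self.src_port is None or self.src_port == pkt.src_port)
            and ipaddress.ip_address(pkt.dst_ip) in self.dst_net
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <name|number>' operator starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit {udp|ip} SRC [eq P] DST [eq P]'.

    ASA rule encoded here: an 'eq' right after the source address is a SOURCE
    port; only an 'eq' after the destination address is a DESTINATION port.
    """
    tokens = line.split()
    i = tokens.index("permit") + 1
    proto = tokens[i]
    if proto not in ("udp", "ip"):
        raise ValueError(f"unsupported protocol in example parser: {proto}")
    src_net, i = _parse_addr(tokens, i + 1)
    src_port, i = _parse_port(tokens, i)
    dst_net, i = _parse_addr(tokens, i)
    dst_port, i = _parse_port(tokens, i)
    return Ace(proto, src_net, src_port, dst_net, dst_port)


def permitted(acl_lines: List[str], pkt: Packet) -> bool:
    """True if any entry in the ACL permits the packet (first match wins)."""
    return any(parse_ace(line).matches(pkt) for line in acl_lines)


# Constructed DHCP exchange, RFC 2131 addressing, client and server on one
# broadcast domain with no relay agent in the path.
DISCOVER = Packet("0.0.0.0", 68, "255.255.255.255", 67)   # client has no address yet
OFFER = Packet(DHCP_SERVER, 67, "255.255.255.255", 68)    # server broadcasts its reply
RENEW = Packet("192.0.2.50", 68, DHCP_SERVER, 67)         # later unicast renewal

# ACLs from the thread, with the placeholder server address filled in.
SRUE_INSIDE = [f"access-list inside_acl permit udp any host {DHCP_SERVER} eq 67"]
SRUE_OUTSIDE = [f"access-list outside_acl permit udp host {DHCP_SERVER} any eq 68"]
ANDY_INSIDE = ["access-list traffic_inbound extended permit udp host 0.0.0.0 eq bootpc "
               "host 255.255.255.255 eq bootps"]
PERMIT_ANY = ["access-list test permit ip any any"]

if __name__ == "__main__":
    for name, acl in [("srue inside", SRUE_INSIDE), ("andy inside", ANDY_INSIDE),
                      ("permit ip any any", PERMIT_ANY)]:
        print(f"{name:18} DISCOVER={permitted(acl, DISCOVER)} RENEW={permitted(acl, RENEW)}")
    print(f"{'srue outside':18} OFFER={permitted(SRUE_OUTSIDE, OFFER)}")
```

Running it shows that srue's inside entry permits the unicast RENEW but not the broadcast DISCOVER, while Andy's entry does the opposite, so an inside ACL that covers the whole lease lifecycle needs both kinds of entry; srue's outside entry permits the broadcast OFFER because its destination is `any`. The evaluator also confirms that `permit ip any any` already permits the DISCOVER, which supports the later reply in the thread that the OP's ACL was not the blocker and that something else (such as a router's `ip helper-address` when the server is not on the same broadcast domain) must deliver the request to the server.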