cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1858
Views
5
Helpful
3
Replies
Beginner

No dhcp through Zone-based Firewall

Hello!

I have a 2801 that I am using ZBFW on and having issue getting DHCP. My policies are very simple, inspect from insidezone to outside and inspect on ports from outside to insidezone (for my port forwards). With no self zone policies in place I can get dhcp and everything works no problem. I am wondering if there is a way to implement some policies drop inbound connections (stealth mode) without also blocking my dhcp.

Here are the security commands i am entering which enable traffic drops but also block my dhcp-

class-map type inspect match-any class-icmp-1

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any class-dhcp

match protocol bootpc

policy-map type inspect pol-icmpreply

class type inspect class-icmp-1

  inspect

class type inspect class-dhcp

  pass

class class-default

  drop

policy-map type inspect pol-permit

class class-default

  pass

zone-pair security self-OUT source self destination OutsideZone

service-policy type inspect pol-icmpreply

zone-pair security OUT-self source OutsideZone destination self

service-policy type inspect pol-permit

I have assigned my outside interface with the OutsideZone as well. The are the only commands I enter that seem to cause my problem. I feel like I am just missing something. I went over all the zone-based firewall guides on the cisco site that I could find but I am sadly lost.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

No dhcp through Zone-based Firewall

Try to configure UDP/67 for OutsideZone to Self zone, and UDP/68 for Self zone to OutsideZone.

Because DHCP requests are on UDP/68 and DHCP server replies with UDP/67.

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

No dhcp through Zone-based Firewall

Try to configure UDP/67 for OutsideZone to Self zone, and UDP/68 for Self zone to OutsideZone.

Because DHCP requests are on UDP/68 and DHCP server replies with UDP/67.

View solution in original post

Highlighted
Beginner

No dhcp through Zone-based Firewall

Thank you Jennifer, I will try this out when I get home. I am just somewhat confused, I can see adding the rule from outside -> self, but wouldnt the udp inspect from self -> outside cover the outgoing?

Highlighted
Beginner

Re: No dhcp through Zone-based Firewall

I think I got it worked out by making some changes. I put the pass class-map for dhcp first and then put the inspect class-map in place. Still not sure why it wouldn't work with inspect udp, but I am happy enough to have it working.

policy-map type inspect pol-icmpreply

class type inspect class-dhcp

pass

class type inspect class-icmp-1

inspect

class class-default

drop