No dhcp through Zone-based Firewall

robertcater3
Level 1

Hello!

I have a 2801 that I am using ZBFW on and I am having an issue getting DHCP. My policies are very simple: inspect from insidezone to outside, and inspect on ports from outside to insidezone (for my port forwards). With no self zone policies in place I can get DHCP and everything works, no problem. I am wondering if there is a way to implement some policies to drop inbound connections (stealth mode) without also blocking my DHCP.

Here are the security commands I am entering which enable traffic drops but also block my DHCP:

class-map type inspect match-any class-icmp-1
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any class-dhcp
 match protocol bootpc
!
! self -> OutsideZone: first-match order, so UDP hits class-icmp-1 before class-dhcp
policy-map type inspect pol-icmpreply
 class type inspect class-icmp-1
  inspect
 class type inspect class-dhcp
  pass
 class class-default
  drop
!
! OutsideZone -> self: everything is passed
policy-map type inspect pol-permit
 class class-default
  pass
!
zone-pair security self-OUT source self destination OutsideZone
 service-policy type inspect pol-icmpreply
zone-pair security OUT-self source OutsideZone destination self
 service-policy type inspect pol-permit

I have assigned my outside interface to the OutsideZone as well. These are the only commands I enter that seem to cause my problem. I feel like I am just missing something. I went over all the zone-based firewall guides on the Cisco site that I could find, but I am sadly lost.

3 Replies

Jennifer Halim
Cisco Employee (Accepted Solution)

Try to configure UDP/67 for OutsideZone to Self zone, and UDP/68 for Self zone to OutsideZone.

Because DHCP requests are on UDP/68 and DHCP server replies with UDP/67.

Thank you Jennifer, I will try this out when I get home. I am just somewhat confused: I can see adding the rule from outside -> self, but wouldn't the UDP inspect from self -> outside cover the outgoing?

I think I got it worked out by making some changes. I put the pass class-map for dhcp first and then put the inspect class-map in place. Still not sure why it wouldn't work with inspect udp, but I am happy enough to have it working.

policy-map type inspect pol-icmpreply
 class type inspect class-dhcp
  pass
 class type inspect class-icmp-1
  inspect
 class class-default
  drop
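A combined configuration that applies both fixes from this thread, written here as an added example rather than anything posted by the participants: the DHCP pass class sits before the broad inspect class in the self-to-outside direction, and the outside-to-self policy passes only DHCP server replies (UDP/67 to UDP/68) instead of passing everything, which is what the original pol-permit did and what defeats the stealth goal. Zone, policy-map and class names are the OP's; the ACL name ACL-DHCP-REPLY and the class name class-dhcp-reply are assumed.

```ios
! Router as DHCP client: its requests leave from UDP/68 (bootpc) to UDP/67 (bootps).
class-map type inspect match-any class-dhcp
 match protocol bootpc
!
! Server replies come back from UDP/67 to UDP/68, often to the broadcast address,
! so a stateful session created by "inspect" will not always match them.
! An explicit port-based ACL admits exactly that reply traffic and nothing else.
ip access-list extended ACL-DHCP-REPLY
 permit udp any eq bootps any eq bootpc
class-map type inspect match-all class-dhcp-reply
 match access-group name ACL-DHCP-REPLY
!
class-map type inspect match-any class-icmp-1
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! self -> OutsideZone: classes are evaluated in order, so the DHCP pass must come
! before the catch-all inspect class that also matches UDP.
policy-map type inspect pol-icmpreply
 class type inspect class-dhcp
  pass
 class type inspect class-icmp-1
  inspect
 class class-default
  drop
!
! OutsideZone -> self: pass only DHCP replies; return traffic for flows the router
! itself opened is admitted by the self -> OutsideZone inspect sessions, and
! everything else unsolicited is dropped (the "stealth" behaviour the OP wanted).
policy-map type inspect pol-permit
 class type inspect class-dhcp-reply
  pass
 class class-default
  drop
!
zone-pair security self-OUT source self destination OutsideZone
 service-policy type inspect pol-icmpreply
zone-pair security OUT-self source OutsideZone destination self
 service-policy type inspect pol-permit
```

Verify with "show policy-map type inspect zone-pair" that class-dhcp and class-dhcp-reply accumulate packet counts after a "release dhcp" / "renew dhcp" on the outside interface, and that class-default on pol-permit is where unsolicited inbound packets land.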
