02-13-2013 05:37 PM - edited 03-11-2019 06:00 PM
Hello!
I have a 2801 that I am using ZBFW on, and I am having issues getting DHCP. My policies are very simple: inspect from insidezone to outside, and inspect on ports from outside to insidezone (for my port forwards). With no self-zone policies in place I can get DHCP and everything works with no problem. I am wondering if there is a way to implement some policies to drop inbound connections (stealth mode) without also blocking my DHCP.
Here are the security commands I am entering, which enable the traffic drops but also block my DHCP:
class-map type inspect match-any class-icmp-1
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any class-dhcp
 match protocol bootpc
!
policy-map type inspect pol-icmpreply
 class type inspect class-icmp-1
  inspect
 class type inspect class-dhcp
  pass
 class class-default
  drop
policy-map type inspect pol-permit
 class class-default
  pass
!
zone-pair security self-OUT source self destination OutsideZone
 service-policy type inspect pol-icmpreply
zone-pair security OUT-self source OutsideZone destination self
 service-policy type inspect pol-permit
I have assigned my outside interface to OutsideZone as well. These are the only commands I enter that seem to cause my problem. I feel like I am just missing something. I went over all the zone-based firewall guides on the Cisco site that I could find, but I am sadly lost.
Accepted Solutions

02-14-2013 06:27 AM
Try configuring UDP/67 for OutsideZone to the self zone, and UDP/68 for the self zone to OutsideZone.
This is because DHCP requests are on UDP/68 and the DHCP server replies with UDP/67.
02-14-2013 07:00 AM
Thank you Jennifer, I will try this out when I get home. I am just somewhat confused: I can see adding the rule from outside -> self, but wouldn't the UDP inspect from self -> outside cover the outgoing?
02-14-2013 10:37 AM
I think I got it worked out by making some changes. I put the pass class-map for DHCP first and then put the inspect class-map in place. Still not sure why it wouldn't work with inspect udp, but I am happy enough to have it working.
policy-map type inspect pol-icmpreply
 class type inspect class-dhcp
  pass
 class type inspect class-icmp-1
  inspect
 class class-default
  drop
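The configuration below is an added example, written for this page and not posted by anyone in the thread; it puts the two fixes above together and tightens the inbound side. Two points explain the behaviour the thread ran into. First, `pass` in a ZBFW policy is one-directional and creates no session, so DHCP has to be passed separately on the self->OutsideZone pair (client traffic, UDP source 68 to destination 67) and on the OutsideZone->self pair (server traffic, UDP source 67 to destination 68), which is what the accepted answer describes. Second, the classes in a `policy-map type inspect` are evaluated top to bottom and the first match wins, so when `match protocol udp` with `inspect` sits above the DHCP class, the DHCP DISCOVER is handed to stateful inspection instead of being passed. The most likely reason that breaks DHCP, consistent with the fix that worked, is that the DISCOVER is sent from 0.0.0.0 to 255.255.255.255 and the OFFER is not the mirror of that tuple, so inspection has nothing it can track; `pass` is the right action for DHCP in both directions. The thread's OUT-self policy passes everything inbound to the router, which is wider than "stealth mode" needs; the example passes only DHCP server traffic and drops the rest, relying on the session table to admit replies to connections the router itself opened. The zone name OutsideZone comes from the thread; the interface name FastEthernet0/0 and the ACL/class/policy names are assumptions.

```ios
! Added example, not from the thread. OutsideZone is taken from the post;
! FastEthernet0/0 and all ACL, class-map and policy-map names are assumed.
!
! DHCP as seen from the router acting as a DHCP client on its WAN port:
!   self -> outside : UDP src 68 (bootpc) -> dst 67 (bootps)  DISCOVER / REQUEST
!                     (usually from 0.0.0.0 to 255.255.255.255)
!   outside -> self : UDP src 67 (bootps) -> dst 68 (bootpc)  OFFER / ACK
! "pass" is one-directional and creates no session, so each zone-pair
! needs its own pass class for its own direction of DHCP.
!
ip access-list extended ACL-DHCP-CLIENT-OUT
 permit udp any eq bootpc any eq bootps
ip access-list extended ACL-DHCP-SERVER-IN
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all CM-DHCP-OUT
 match access-group name ACL-DHCP-CLIENT-OUT
class-map type inspect match-all CM-DHCP-IN
 match access-group name ACL-DHCP-SERVER-IN
!
! Sessions the router opens itself (DNS, NTP, pings, TFTP, ...).
class-map type inspect match-any CM-SELF-OUT
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! self -> outside: DHCP is passed FIRST (classes are evaluated top to
! bottom, first match wins); everything else the router originates is
! inspected so the replies are admitted by the session table; the rest
! is dropped.
policy-map type inspect PM-SELF-OUT
 class type inspect CM-DHCP-OUT
  pass
 class type inspect CM-SELF-OUT
  inspect
 class class-default
  drop
!
! outside -> self: only DHCP server traffic is passed. Return traffic for
! sessions inspected on self-OUT is matched by the session table, so
! nothing else needs to be opened here. Unsolicited inbound traffic to
! the router is dropped, which is the requested "stealth mode".
policy-map type inspect PM-OUT-SELF
 class type inspect CM-DHCP-IN
  pass
 class class-default
  drop
!
zone security OutsideZone
zone-pair security self-OUT source self destination OutsideZone
 service-policy type inspect PM-SELF-OUT
zone-pair security OUT-self source OutsideZone destination self
 service-policy type inspect PM-OUT-SELF
!
interface FastEthernet0/0
 ip address dhcp
 zone-member security OutsideZone
```

After applying it, `show dhcp lease` should show a lease on the WAN interface, and `show policy-map type inspect zone-pair self-OUT sessions` should list only the sessions the router opened itself (DNS, NTP and so on), never DHCP, since passed traffic does not create sessions. If the router also needs to accept something from outside (an IPsec or SSH endpoint, for example), add an explicit class for it in PM-OUT-SELF above `class-default` rather than returning to a blanket `pass`.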
