04-08-2014 01:08 PM - edited 03-11-2019 09:03 PM
I have a 5510 ASA running 8.2 configured in transparent mode and I am trying to allow devices on the inside network to acquire an IP address from a DHCP server on the outside. I've seen several articles that indicate an ACL is necessary to permit outgoing traffic on port 68 and incoming traffic on port 67. That actually works and the inside device gets an IP address. The problem is that no other outbound traffic is allowed from the inside device. The ACL put in place to permit DHCP, because of its implicit deny at the end of the ACL, denies all other traffic. DHCP is now the ONLY thing allowed out. What am I doing wrong here?
04-09-2014 08:59 AM
In a default configuration the difference in security levels between the inside and outside interfaces would allow the DHCP requests out, and the UDP xlate entry created for the outgoing packet would allow the DHCP reply back in. It would just work, but you would have very little control of packet flows, static NAT, or logging.
Once you start applying ACLs to interfaces, you have to explicitly allow everything you want. All of my firewall interfaces have inbound ACLs, and some also have outbound. E.g., subnets where I want fairly permissive outbound get something like:
access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0
access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log
access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log
access-list DMZ-INGRESS extended permit ip any any
Since I happen to be running in routed mode rather than transparent, I have to configure DHCP relay instead of something like "permit udp any any". I won't include the object groups unless someone asks.
-- Jim Leinweber, WI State Lab of Hygiene
04-10-2014 01:59 AM
I saw you posted on one of the other questions I was answering on a similar issue. As Jim has mentioned, you would also need to permit traffic for the host after it has received an IP. So if your DHCP leased subnet is 192.168.1.0/24, the ACL you would have applied to the inside interface in the inbound direction would be like this:
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 67
access-list IN-TO-OUT permit udp host 0.0.0.0 host 255.255.255.255 eq 68
access-list IN-TO-OUT permit ip 192.168.1.0 255.255.255.0 any
access-group IN-TO-OUT in interface inside
Depending on your security policies you can either use permit IP any any or specify the source subnet to be allowed access out.
--
Please remember to rate and select a correct answer
04-21-2014 06:07 AM
Something is still not right here. In order to get this to work, I had to put an ACL on the outside interface to let the DHCP offer and ack messages back in, along with any other response traffic. I think it has to be a permit ip any any. This can't be right. It completely bypasses all of the stateful inspection. I might as well not have a firewall if I'm going to do that. It seems like the only good solution here is to move the DHCP server to the inside.
04-29-2014 02:52 AM
Hi,
sorry for late reply as I have been away for a few weeks now.
You do not require a permit IP any any on the outside interface, but you might need an ACL permitting the router IP to send DHCP return traffic to destination 0.0.0.0.
--
Please remember to rate and select a correct answer
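Pulling the two answers together, here is a complete pair of interface ACLs for the scenario in the thread. This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation. It assumes ASA 8.2 syntax, the 192.168.1.0/24 leased subnet already mentioned above, and a DHCP server or relay at 192.168.1.1 on the outside (that address is an assumption). The inside ACL carries only the DHCP DISCOVER/REQUEST lines plus the normal post-lease traffic; the outside ACL carries only the DHCP OFFER/ACK from the server, so nothing else on the outside interface bypasses the stateful connection table.

```cisco
! Added example, not from the thread. Addresses are assumptions:
! 192.168.1.0/24 = inside leased subnet, 192.168.1.1 = DHCP server/relay on the outside.
!
! Inside, inbound: an unconfigured client sends DISCOVER/REQUEST from 0.0.0.0
! sport 68 to the limited broadcast 255.255.255.255 dport 67. A client that
! already holds a lease renews by unicast from its own address. After that,
! normal traffic from the leased subnet is permitted. Everything else falls
! to the implicit deny at the end of the ACL, which is what the original poster ran into.
access-list IN-TO-OUT remark DHCP DISCOVER/REQUEST from a client with no address yet
access-list IN-TO-OUT extended permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
access-list IN-TO-OUT remark DHCP renewals from clients that already have a lease
access-list IN-TO-OUT extended permit udp 192.168.1.0 255.255.255.0 eq 68 any eq 67
access-list IN-TO-OUT remark normal outbound traffic once the host has an address
access-list IN-TO-OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-group IN-TO-OUT in interface inside
!
! Outside, inbound: the OFFER/ACK does not match the reverse of the
! 0.0.0.0:68 -> 255.255.255.255:67 connection entry, so it must be permitted
! explicitly. Limit it to the server address and the two destinations a
! server uses: the limited broadcast, or the address it is offering.
! No "permit ip any any" here; all other return traffic is still governed by
! the connection table.
access-list OUT-TO-IN remark DHCP OFFER/ACK broadcast to a client with no address yet
access-list OUT-TO-IN extended permit udp host 192.168.1.1 eq 67 host 255.255.255.255 eq 68
access-list OUT-TO-IN remark DHCP OFFER/ACK unicast to the offered or renewing address
access-list OUT-TO-IN extended permit udp host 192.168.1.1 eq 67 192.168.1.0 255.255.255.0 eq 68
access-group OUT-TO-IN in interface outside
```

If your server addresses its replies to 0.0.0.0, as the last reply above describes, add a matching `permit udp host 192.168.1.1 eq 67 host 0.0.0.0 eq 68` line to OUT-TO-IN rather than widening the source or destination. Verify with `show access-list OUT-TO-IN` that only the DHCP lines accumulate hit counts while a client boots, and with `show conn` that ordinary return traffic is still arriving through connection entries rather than through the outside ACL.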