11-16-2012 06:43 PM - edited 03-03-2019 06:50 AM
I have an ethernet cable on Fa0/0 connecting my 1841 router to my cable modem. The issue is that the router cannot obtain an IP address via DHCP when I have the "ACL-OUTSIDE-IN" ACL applied inbound on the Fa0/0 interface. I tried to allow all BOOTP and BOOTPS traffic in my ACL, but still no luck. I really don't want to run the router without a simple ACL firewall and connect it to the internet. When I take the ACL off of Fa0/0, the router is able to get an IP address via DHCP.
Router#sh run
Building configuration...
Current configuration : 10736 bytes
!
! Last configuration change at 18:14:42 MST Fri Nov 16 2012 by matt.chan
!
version 12.4
service nagle
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.124-25f.bin
boot-end-marker
!
logging count
logging userinfo
logging buffered 1048576 informational
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login AUTH-LOCAL local-case
!
aaa session-id unique
memory-size iomem 25
clock timezone MST -7
ip cef
!
ip nbar pdlm flash:directconnect.pdlm
ip nbar pdlm flash:citrix.pdlm
ip nbar pdlm flash:bittorrent.pdlm
!
ip nbar custom steam destination udp range 27000 27030
ip nbar custom rdp destination tcp range 3389 3391 55402
!
!
ip domain lookup source-interface FastEthernet0/0
ip name-server 8.8.8.8
ip inspect name fa0/0_inspect_ou icmp router-traffic timeout 10
ip inspect name fa0/0_inspect_ou ftp timeout 300
ip inspect name fa0/0_inspect_ou udp router-traffic timeout 120
ip inspect name fa0/0_inspect_ou tcp router-traffic timeout 300
!
login block-for 60 attempts 4 within 60
login quiet-mode access-class ACL-ACCESS-QUIET
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1755372391
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1755372391
revocation-check none
rsakeypair TP-self-signed-1755372391
!
!
crypto pki certificate chain TP-self-signed-1755372391
certificate self-signed 01
quit
username <removed> secret 5 <removed>
!
!
ip ssh maxstartups 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2226 rotary 1
ip ssh version 2
!
class-map match-all Zuri-YouTube-Class
match access-group name NAT-Pool-Zuri-WLAN
match protocol http host "*youtube.com*"
!
!
policy-map PMAP-QOS-VTI-IN
description QOS FOR TU0
class class-default
shape peak 1512000
policy-map PMAP-QOS-VTI-OUT
description QOS FOR TU0
class class-default
shape peak 512000
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 43200
crypto isakmp key 6 <removed> address <removed>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set EDGE-TS ah-sha-hmac esp-aes 256
!
crypto ipsec profile EDGE
set security-association lifetime kilobytes 256000
set transform-set EDGE-TS
set pfs group5
!
!
!
!
interface Loopback0
no ip address
!
interface Tunnel0
description "VTI Link"
bandwidth 4000
ip address 172.20.0.2 255.255.255.0
ip mtu 1400
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 12090011003E5A0C0F186E752220211B4A
keepalive 10 5
tunnel source FastEthernet0/0
tunnel destination <removed>
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EDGE
service-policy output PMAP-QOS-VTI-OUT
hold-queue 75 out
!
interface FastEthernet0/0
description "Link to ISP"
bandwidth 4000
ip address dhcp
ip access-group ACL-OUTSIDE-IN in
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect fa0/0_inspect_ou out
ip virtual-reassembly
ip ospf cost 1
duplex auto
speed auto
no keepalive
no cdp enable
!
interface FastEthernet0/1
description "Link to LAN"
ip address 172.16.0.1 255.255.255.248
ip access-group ACL-INSIDE-IN in
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip ospf cost 1
ip ospf priority 255
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
redistribute static subnets
passive-interface default
no passive-interface Tunnel0
network 172.20.0.0 0.0.0.3 area 0
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 Null0 name "Class A Private"
ip route 172.16.0.0 255.240.0.0 Null0 name "Class B Private"
ip route 172.17.0.0 255.255.0.0 FastEthernet0/1 172.16.0.2 name "Home WLAN"
ip route 172.19.73.31 255.255.255.255 Null0
ip route 172.27.0.0 255.255.0.0 Tunnel0 172.20.0.1 name "IPsec GRE Tunnel"
ip route 192.168.0.0 255.255.0.0 Null0 name "Class C Private"
ip route 192.168.0.0 255.255.255.0 Tunnel0 172.20.0.1 name "VLAN 70"
ip route 192.168.100.1 255.255.255.255 FastEthernet0/0 70.162.0.1 permanent name "CABLE MODEM MANAGEMENT"
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp 253
!
ip dns server
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 120
ip nat translation max-entries 2048
ip nat inside source list ACL-NAT-172.16.0.0/29 interface FastEthernet0/0 overload
ip nat inside source list ACL-NAT-MANAGEMENT interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.0.4 22 interface FastEthernet0/0 2227
ip nat inside source static tcp 172.16.0.5 3389 interface FastEthernet0/0 3391
ip nat inside source static tcp 172.16.0.3 3389 interface FastEthernet0/0 3390
ip nat inside source static tcp 172.16.0.4 80 interface FastEthernet0/0 8084
!
ip access-list standard ACL-ACCESS-QUIET
permit 216.161.180.16
permit 172.16.0.0 0.1.255.255
permit 172.27.0.0 0.0.127.255
permit 172.20.0.0 0.0.0.3
ip access-list standard ACL-NAT-172.16.0.0/29
permit 172.16.0.0 0.0.0.7
ip access-list standard ACL-NAT-172.17.0.0/24
permit 172.17.0.0 0.0.0.255
ip access-list standard ACL-NAT-172.17.1.0/24
permit 172.17.1.0 0.0.0.255
ip access-list standard ACL-SNMP
permit 172.16.0.4
!
ip access-list extended ACL-CRY-MAP
ip access-list extended ACL-INSIDE-IN
deny ip host 172.16.0.2 172.27.0.0 0.0.127.255
deny ip host 172.16.0.2 172.20.0.0 0.0.0.3
permit ip 172.17.0.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.0.7 any
permit ip 172.17.1.0 0.0.0.255 any
ip access-list extended ACL-NAT-MANAGEMENT
permit tcp host 172.27.10.11 eq 3389 host 72.166.77.196
ip access-list extended ACL-OUTSIDE-IN
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any any range 3390 3391
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp any any range 2226 2228
permit tcp any any range 8081 8084
permit icmp any any echo
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
deny icmp any any
deny ip any any
!
ip access-list log-update threshold 10
logging history informational
logging trap debugging
logging 172.17.228.17
logging 172.17.228.10
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 15 0
privilege level 15
logging synchronous
login authentication AUTH-LOCAL
line aux 0
login authentication AUTH-LOCAL
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login authentication AUTH-LOCAL
rotary 1
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178311
ntp source FastEthernet0/0
ntp server 148.167.132.201
end
11-16-2012 07:45 PM
Hi Matt,
Try adding the line below:
ip access-list extended ACL-OUTSIDE-IN
permit udp any eq bootpc any eq bootps
Regards
Najaf
Please rate when applicable or helpful !!!
11-20-2012 04:19 PM
Thanks! That was it! Apparently the DHCP server had an IP address in the 10.x.x.x subnet.
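As an added illustration (not part of the thread), a small Python model of IOS first-match ACL evaluation, run against a constructed DHCP OFFER and the ACL-OUTSIDE-IN entries posted above (abridged to the DHCP-relevant ACEs). It shows why an entry's position relative to the `deny ip 10.0.0.0 0.255.255.255` line decides whether an offer from a 10.x server is accepted; the server address 10.200.1.1 is constructed.

```python
from ipaddress import IPv4Address
BOOTPS, BOOTPC = 67, 68  # IOS port keywords: bootps = DHCP server, bootpc = DHCP client

def match_addr(spec, ip):
    """IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Wildcard bits set to 1 are ignored, exactly as IOS evaluates them."""
    if spec == "any":
        return True
    parts = spec.split()
    addr, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    care = 0xFFFFFFFF ^ int(IPv4Address(wild))
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(addr)) & care)

def match_port(spec, port):
    # spec is None (any port), an int ('eq N') or a (lo, hi) tuple ('range lo hi')
    if spec is None:
        return True
    return spec[0] <= port <= spec[1] if isinstance(spec, tuple) else port == spec

def evaluate(acl, pkt):
    """First-match walk; returns (action, ace_index), implicit final deny is index None."""
    for i, (action, proto, src, sport, dst, dport) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (match_addr(src, pkt["src"]) and match_addr(dst, pkt["dst"])):
            continue
        if proto in ("tcp", "udp") and not (
                match_port(sport, pkt["sport"]) and match_port(dport, pkt["dport"])):
            continue
        return action, i
    return "deny", None

# ACL-OUTSIDE-IN from the thread, abridged to the entries that matter for DHCP.
ACL_OUTSIDE_IN = [
    ("deny",   "ip",  "10.0.0.0 0.255.255.255",  None, "any", None),
    ("deny",   "ip",  "172.16.0.0 0.15.255.255", None, "any", None),
    ("deny",   "ip",  "192.168.0.0 0.0.255.255", None, "any", None),
    ("permit", "udp", "any", None, "any", BOOTPC),
    ("permit", "udp", "any", None, "any", BOOTPS),
    ("deny",   "ip",  "any", None, "any", None),
]

# Same ACL with a narrow server-to-client DHCP permit ahead of the RFC 1918 denies; on
# IOS give it a sequence number below the first deny's, since an unnumbered ACE is appended.
ACL_FIXED = [("permit", "udp", "any", BOOTPS, "any", BOOTPC)] + ACL_OUTSIDE_IN

def dhcp_offer(server_ip):
    """Constructed DHCP OFFER/ACK as seen inbound on Fa0/0: UDP 67 -> broadcast 68."""
    return {"proto": "udp", "src": server_ip, "sport": BOOTPS,
            "dst": "255.255.255.255", "dport": BOOTPC}
```

Running `evaluate(ACL_OUTSIDE_IN, dhcp_offer("10.200.1.1"))` stops at the first deny, while the same offer from a public server address reaches the bootpc permit; with ACL_FIXED the 10.x offer is permitted by the first entry.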
11-17-2012 05:03 AM
You have NAT, no ACL is needed at all.
If you don't believe me, try with an external port scanner.
Another useless command is 'ip inspect', that will only slow the router down.
You should also reset the defaults for many settings, e.g. 'keepalive', 'ospf' on the internet interface, etc.