11-16-2010 01:06 PM - edited 03-04-2019 10:29 AM
I'm configuring a Cisco 877 router as my firewall. It's an adsl router, but I'm actually going to use it for my cable internet.
Here are the details:
1. My WAN IP will be assigned dynamically with DHCP. I will also get my default route from DHCP.
2. I will need to configure ip inspection and packet filtering.
3. I will need to configure NAT
4. I will eventually need to also configure a dial-up VPN.
(LAN) --- VLAN 1 ------(ROUTER)------- VLAN 102 ------ (internet)
I configured VLAN 102 as the outside network and assigned FA 0 to it. I configured VLAN 1 as the inside network and assigned the rest of the ports to it. I configured "ip nat outside" on VLAN 102. I configured "ip nat inside" on VLAN 1. I configured NAT with "ip nat inside source list 1 int vlan 102 overload". I configured VLAN 102 to get its IP address from DHCP. I configured a default route using "ip route 0.0.0.0 0.0.0.0 dhcp".
So far, it's working. The next step is to configure the ip inspect firewall. The problem I'm running into right now is that when I place an ACL on VLAN 102 inbound, it prevents VLAN 102 from getting an IP address from DHCP.
What is the best way to allow the DHCP offer to come in? Since VLAN 102 doesn't have an IP address yet, I don't know how to craft the ACL entry. I also don't want to compromise the LAN by allowing DHCP offers to hit all the hosts on the inside.
Thanks in advance,
Vince
11-17-2010 10:56 AM
Hi,
You can add two lines to the current ACL on VLAN 102 to allow DHCP traffic.

permit udp any any eq bootpc
permit udp any any eq bootps
KK
11-17-2010 12:22 PM
Thanks, I did that and it seems to work fine. I was just worried that I'd be inadvertently allowing all DHCP messages into my network.
11-17-2010 04:40 PM
The fact that my WAN IP is assigned dynamically is really messing it up for me.
I'm having a hard time configuring the ACL on the outside interface to allow incoming dial-up VPN connections. The problem is that, like the DHCP problem, I don't know what the WAN IP address is, so I can't create an ACL entry for it.
11-17-2010 04:48 PM
Never mind... duh... I'll just deny all packets destined for my internal network.
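The pieces discussed in this thread (the DHCP entries from KK's reply, and Vince's idea of denying anything addressed to the internal subnet so the unknown WAN address never has to appear in the ACL) fit together as shown below. This is an added illustration, not Vince's final script or any poster's configuration; the inside subnet 192.168.1.0/24, the ACL name OUTSIDE-IN and the inspect rule name FW are assumptions chosen for the example. The DHCP entry is written more tightly than in the reply above (server port bootps to client port bootpc only), which is the same idea with less exposure; the ISAKMP/NAT-T/ESP entries cover the dial-up VPN that terminates on the router itself.

```cisco
! Added example, not the configuration posted in this thread.
! Assumptions: inside LAN is 192.168.1.0/24, outside is interface Vlan102
! with a DHCP-assigned address, VPN terminates on the router itself.
!
! CBAC inspection on the inside interface opens return paths for sessions
! started from the LAN, so the outside ACL only needs what the router
! itself (DHCP client, VPN endpoint) must receive.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended OUTSIDE-IN
 remark DHCP replies arrive from server port 67 (bootps) to client port 68 (bootpc);
 remark no destination address is needed, so this works before Vlan102 has an IP
 permit udp any eq bootps any eq bootpc
 remark IKE, NAT-T and ESP for the dial-up VPN handled by the router
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark nothing from the outside may be addressed straight to the inside subnet
 deny   ip any 192.168.1.0 0.0.0.255
 remark everything else is dropped and logged; inspection adds dynamic openings
 deny   ip any any log
!
interface Vlan102
 description outside (cable modem on FastEthernet0)
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan1
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect FW in
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Vlan102 overload
ip route 0.0.0.0 0.0.0.0 dhcp
```

After applying it, "show ip access-lists OUTSIDE-IN" shows hit counts per entry, which is the quickest way to confirm the DHCP line is what admits the lease renewal and that the final deny is what is catching unsolicited traffic; "show ip inspect sessions" lists the dynamic openings CBAC has created for LAN-initiated connections. Because the inside address range is private and the router NATs everything, the explicit deny for 192.168.1.0/24 mostly matters as a guard against spoofed or misrouted packets; the log keyword on the final deny is what makes those attempts visible.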
04-17-2011 04:20 PM
Hi Vincent. I'm trying to do the same with the 887W. I'm quite new to this. Would you mind posting your final script? That would be very helpful.
04-18-2011 06:28 AM
04-19-2011 09:41 PM
Thanks! The 887W is slightly different, so I'll let you know how it goes.