2374 Views, 5 Helpful, 7 Replies

Configure 877W router as firewall with DHCP assigned WAN IP

vincehgov
Level 1

I'm configuring a Cisco 877 router as my firewall.  It's an ADSL router, but I'm actually going to use it for my cable internet.

Here are the details:

1. My WAN IP will be assigned dynamically with DHCP.  I will also get my default route from DHCP.

2. I will need to configure ip inspection and packet filtering.

3. I will need to configure NAT

4. I will eventually need to also configure a dial-up VPN.

(LAN) --- VLAN 1 ------(ROUTER)------- VLAN 102 ------ (internet)


I configured VLAN 102 as the outside network and assigned FA 0 to it.  I configured VLAN 1 as the inside network and assigned the rest of the ports to it.  I configured "ip nat outside" on VLAN 102.  I configured "ip nat inside" on VLAN 1.  I configured NAT with "ip nat inside source list 1 int vlan 102 overload".  I configured VLAN 102 to get its IP address from DHCP.  I configured a default route using "ip route 0.0.0.0 0.0.0.0 dhcp".

So far, it's working.  The next step is to configure the ip inspect firewall.  The problem I'm running into right now is that when I place an ACL on VLAN 102 inbound, it prevents VLAN 102 from getting an IP address from DHCP.

What is the best way to allow the DHCP offer to come in?  Since VLAN 102 doesn't have an IP address yet, I don't know how to craft the ACL entry.  I also don't want to compromise the LAN by allowing DHCP offers to hit all the hosts on the inside.

Thanks in advance,

Vince

7 Replies

kyukim
Cisco Employee

Hi,

You can add two lines to the current ACL on vlan 102 to allow DHCP traffic.

permit udp any any eq bootpc
permit udp any any eq bootps

KK

Thanks, I did that and it seems to work fine.  I was just worried that I'd be inadvertently allowing all DHCP messages into my network.
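The configuration below is an added example, not Vince's script and not anything posted in this thread: it pulls together the pieces described above (VLAN 1 inside, VLAN 102 outside with a DHCP-assigned address, NAT overload, a DHCP-safe inbound ACL and CBAC inspection) into one IOS snippet. The LAN prefix 192.168.1.0/24, the ACL name WAN-IN, the inspect rule name FW and the VPN-related permits are assumptions. It also tightens the two permit lines suggested above: an OFFER/ACK always comes from server port 67 to client port 68, so matching both ports leaves no room for any other UDP traffic. On the question of exposing the LAN, the inbound ACL on Vlan102 filters traffic entering the router itself; the DHCP reply is addressed to the router's own WAN client and is never forwarded to VLAN 1, so permitting it does not let DHCP servers on the outside reach inside hosts.

```cisco
! --- Added example (assumed addressing), not the thread's own configuration ---
! LAN side: VLAN 1 on the remaining switch ports
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN side: FastEthernet0 is the only port in VLAN 102
interface FastEthernet0
 switchport access vlan 102
!
interface Vlan102
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
!
! Default route learned from the DHCP lease
ip route 0.0.0.0 0.0.0.0 dhcp
!
! NAT overload: list 1 selects the inside hosts (as in the original post)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Vlan102 overload
!
! CBAC: sessions leaving Vlan102 punch temporary holes in WAN-IN for replies
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL for the outside interface. No WAN address is needed anywhere:
! the DHCP reply is matched by its ports, and the VPN entries match "any"
! as destination because the tunnel terminates on whatever address the
! lease hands out. (assumed name and addressing)
ip access-list extended WAN-IN
 remark DHCP server (port 67) to the router's own DHCP client (port 68)
 permit udp any eq bootps any eq bootpc
 remark nothing from the outside may be addressed to the inside prefix
 deny   ip any 192.168.1.0 0.0.0.255
 remark IPsec remote-access VPN terminating on this router (assumption)
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark ICMP needed for troubleshooting and path-MTU discovery
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
```

Useful checks after applying it: `show ip access-lists WAN-IN` should show hit counts on the bootps/bootpc line after a `release dhcp vlan 102` / `renew dhcp vlan 102`, `show ip interface brief` should show Vlan102 holding a leased address, and `show ip inspect sessions` should list the LAN-initiated flows that CBAC is tracking. The `log` keyword on the final deny gives a record of anything from the outside that was dropped, which is where unexpected probes against the WAN address will show up.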

vincehgov
Level 1

The fact that my WAN IP is assigned dynamically is really messing it up for me.

I'm having a hard time configuring the ACL on the outside interface to allow incoming dial-up VPN connections.  The problem is that, like the DHCP problem, I don't know what the WAN IP address is, so I can't create an ACL entry for it.

Never mind... duh... I'll just deny all packets destined for my internal network.

martinaire
Level 1

Hi Vincent. I'm trying to do the same with the 887W. I'm quite new to this. Would you mind posting your final script? That would be very helpful.

Here ya go

Thanks! The 887W is slightly different, so I'll let you know how it goes.
