11-22-2023 01:23 PM - edited 11-22-2023 01:50 PM
I have an IR829 router that I am trying to move from cell internet to Starlink via ethernet adapter. The problem I am having is that the router needs to get a DHCP address from Starlink. That works if I don't have ZBFW (zone based firewall) configured on the outside interface, but that defeats the whole point of having the IR829 be a firewall. Here is what the outside interface looks like.
interface GigabitEthernet0
 description SFP WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security external
 ip tcp adjust-mss 1400
I have tried to mess with access lists, class maps, etc. without success. Here is a snippet of the ZBFW config.
ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp any eq 44 any eq 43
 permit udp any eq 43 any eq 44
!
class-map type inspect match-all dhcp
 match access-group name dhcp-allow
!
policy-map type inspect external-self-policy
 class type inspect external-self-inspect
  inspect
 class type inspect external-self-inspect-ssh
  pass
 class type inspect vpn-tunnel-traffic-class
  inspect
 class type inspect IPSEC
  inspect
 class type inspect dhcp
  pass log
 class class-default
  drop log
!
policy-map type inspect self-external-policy
 class type inspect self-external-inspect
  inspect
 class type inspect IP-ALL
  pass
 class type inspect dhcp
  pass log
 class class-default
  drop log
!
zone security internal
zone security external
zone-pair security self-external source self destination external
 service-policy type inspect self-external-policy
zone-pair security external-self source external destination self
 service-policy type inspect external-self-policy
If the zone is enabled on the outside interface, it times out like this:
*Nov 22 14:54:44 EST: DHCP: new entry. add to queue, interface GigabitEthernet0
*Nov 22 14:54:44 EST: DHCP: SDiscover attempt # 1 for entry:
*Nov 22 14:54:44 EST: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0
*Nov 22 14:54:44 EST: Temp sub net mask: 0.0.0.0
*Nov 22 14:54:44 EST: DHCP Lease server: 0.0.0.0, state: 3 Selecting
*Nov 22 14:54:44 EST: DHCP transaction id: C17
*Nov 22 14:54:44 EST: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Nov 22 14:54:44 EST: Next timer fires after: 00:00:04
*Nov 22 14:54:44 EST: Retry count: 1 Client-ID: cisco-4001.7abb.2d07-Gi0
*Nov 22 14:54:44 EST: Client-ID hex dump: 636973636F2D343030312E376162622E
*Nov 22 14:54:44 EST: 326430372D476930
*Nov 22 14:54:44 EST: Hostname: tcfnc
As soon as I apply "no zone-member security external" to the interface, it comes right up. I have been throwing stuff at the wall all day.
11-22-2023 01:31 PM
show policy-map type inspect zone-pair zone-pair-name sessions
Can you share the output of this after adding the zone pairs and enabling the zone on the interface?
11-22-2023 04:46 PM - last edited on 11-27-2023 01:35 AM by Translator
I don't know if I don't have it matched correctly, but the self-external pair isn't matching anything.
Class-map: dhcp (match-all)
 Match: access-group name dhcp-allow
 Pass
  0 packets, 0 bytes
The external-self is matching a few packets.
Class-map: dhcp (match-all)
 Match: access-group name dhcp-allow
 Pass
  2 packets, 628 bytes
11-22-2023 05:17 PM
Instead of match-all, use match-any for the dhcp class map.
After the change, share the show output again.
11-22-2023 05:48 PM
I figured it out. The problem was the policy map entry for DHCP with "pass" in it was less preferred/lower in the policy than a generic protocol UDP one with "inspect" in it. I rearranged the policy so the DHCP class was the first one, and now it works.
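The ordering effect described in this post, as an added example that is not part of the thread: a small Python model of first-match class evaluation in a ZBFW policy-map. The packets, class names and the rule that stateful inspect cannot track a 0.0.0.0-to-broadcast DHCP discover are constructed assumptions modelled on the timeout observed above, not an emulation of IOS itself.

```python
# Added example (not from the thread): first-match class ordering in a
# Cisco ZBFW policy-map. A DHCP "pass" class must precede a generic UDP
# "inspect" class, otherwise the discover never reaches it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def is_dhcp(p: Packet) -> bool:
    """bootps (67) / bootpc (68) in either direction."""
    return p.proto == "udp" and bool({p.sport, p.dport} & {67, 68})


def is_udp(p: Packet) -> bool:
    return p.proto == "udp"


def first_match(policy, pkt):
    """Policy-map semantics: classes are tried in order, first hit wins,
    class-default (drop) applies when nothing matches."""
    for name, matcher, action in policy:
        if matcher(pkt):
            return name, action
    return "class-default", "drop"


def inspect_can_track(pkt: Packet) -> bool:
    # Assumption modelled on the thread: a session cannot be built for a
    # discover sent from 0.0.0.0 to the limited broadcast address.
    return pkt.src != "0.0.0.0" and pkt.dst != "255.255.255.255"


def verdict(policy, pkt: Packet):
    name, action = first_match(policy, pkt)
    if action == "inspect":
        return name, "inspect" if inspect_can_track(pkt) else "dropped"
    return name, action


# Constructed packets: the router's DHCP discover and an ordinary DNS query.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS = Packet("udp", "192.168.1.21", 51000, "192.0.2.53", 53)

# Original order (generic UDP inspect above the dhcp pass class) vs. fixed order.
BROKEN = [("self-external-inspect", is_udp, "inspect"), ("dhcp", is_dhcp, "pass")]
FIXED = [("dhcp", is_dhcp, "pass"), ("self-external-inspect", is_udp, "inspect")]
```

With BROKEN the discover is swallowed by the generic UDP inspect class and never reaches the dhcp class; with FIXED it is passed while other UDP traffic is still inspected.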
11-22-2023 05:50 PM - edited 11-22-2023 05:52 PM
Happy ends
Have a nice day
Note: please mark this post as solved
MHM
11-22-2023 06:17 PM
11-23-2023 07:00 AM - edited 11-26-2023 03:01 AM
Edit: The bootpc stuff is required. See later note in the thread.
It appears bootps is all that is required. I made some changes and rebooted to be certain. Here is what I see in the log.
*Nov 23 09:26:24 EST: %FW-6-PASS_PKT: (target:class)-(external-self:bootps) Passing bootps pkt 0.0.0.0:68 => 255.255.255.255:67 with ip ident 58766
*Nov 23 09:28:07 EST: %FW-6-PASS_PKT: (target:class)-(self-external:bootps) Passing bootps pkt 0.0.0.0:68 => 255.255.255.255:67 with ip ident 66
Nov 23 09:43:14 EST: %FW-6-PASS_PKT: (target:class)-(self-external:bootps) Passing bootps pkt 192.168.1.21:68 => 192.168.1.1:67 with ip ident 9027
I haven't deleted the bootpc stuff, but I think I will shortly. Here is most of the relevant configuration.
class-map type inspect match-all bootpc
 match protocol bootpc
class-map type inspect match-all bootps
 match protocol bootps
!
policy-map type inspect external-self-policy
 class type inspect bootpc
  pass log
 class type inspect bootps
  pass log
 class type inspect external-self-inspect
  inspect
 class type inspect vpn-tunnel-traffic-class
  inspect
 class type inspect IPSEC
  inspect
 class class-default
  drop log
!
policy-map type inspect self-external-policy
 class type inspect bootpc
  pass log
 class type inspect bootps
  pass log
 class type inspect self-external-inspect
  inspect
 class type inspect IP-ALL
  inspect
 class class-default
  drop log
!
zone-pair security self-external source self destination external
 service-policy type inspect self-external-policy
zone-pair security external-self source external destination self
 service-policy type inspect external-self-policy
11-23-2023 04:26 PM
The bootpc stuff is required. It didn't generate the log file entries I thought it should have, but here is what matched from the firewall policy stats.
policy exists on zp self-external
 Zone-pair: self-external
  Service-policy inspect : self-external-policy
   Class-map: bootps (match-all)
    Match: protocol bootps
    Pass
     2 packets, 632 bytes
   Class-map: bootpc (match-all)
    Match: protocol bootpc
    Pass
     0 packets, 0 bytes
!
policy exists on zp external-self
 Zone-pair: external-self
  Service-policy inspect : external-self-policy
   Class-map: bootps (match-all)
    Match: protocol bootps
    Pass
     0 packets, 0 bytes
   Class-map: bootpc (match-all)
    Match: protocol bootpc
    Pass
     2 packets, 656 bytes