IR829 - ZBFW and DHCP WAN failing

I have an IR829 router that I am trying to move from cell internet to Starlink via an ethernet adapter. The problem I am having is that the router needs to get a DHCP address from Starlink. That works if I don't have ZBFW (zone based firewall) configured on the outside interface, but that defeats the whole point of having the IR829 be a firewall. Here is what the outside interface looks like.

 

interface GigabitEthernet0
 description SFP WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security external
 ip tcp adjust-mss 1400

 

I have tried to mess with access lists, class maps, etc. without success. Here is a snippet of the ZBFW config.

 

ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp any eq 44 any eq 43
 permit udp any eq 43 any eq 44
!
class-map type inspect match-all dhcp
 match access-group name dhcp-allow
!
policy-map type inspect external-self-policy
 class type inspect external-self-inspect
  inspect
 class type inspect external-self-inspect-ssh
  pass
 class type inspect vpn-tunnel-traffic-class
  inspect
 class type inspect IPSEC
  inspect
 class type inspect dhcp
  pass log
 class class-default
  drop log
!
policy-map type inspect self-external-policy
 class type inspect self-external-inspect
  inspect
 class type inspect IP-ALL
  pass
 class type inspect dhcp
  pass log
 class class-default
  drop log
!
zone security internal
zone security external
zone-pair security self-external source self destination external
 service-policy type inspect self-external-policy
zone-pair security external-self source external destination self
 service-policy type inspect external-self-policy

 

If the zone is enabled on the outside interface, it times out like this:

 

*Nov 22 14:54:44 EST: DHCP: new entry. add to queue, interface GigabitEthernet0
*Nov 22 14:54:44 EST: DHCP: SDiscover attempt # 1 for entry:
*Nov 22 14:54:44 EST: Temp IP addr: 0.0.0.0  for peer on Interface: GigabitEthernet0
*Nov 22 14:54:44 EST: Temp  sub net mask: 0.0.0.0
*Nov 22 14:54:44 EST:    DHCP Lease server: 0.0.0.0, state: 3 Selecting
*Nov 22 14:54:44 EST:    DHCP transaction id: C17
*Nov 22 14:54:44 EST:    Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secs
*Nov 22 14:54:44 EST:    Next timer fires after: 00:00:04
*Nov 22 14:54:44 EST:    Retry count: 1   Client-ID: cisco-4001.7abb.2d07-Gi0
*Nov 22 14:54:44 EST:    Client-ID hex dump: 636973636F2D343030312E376162622E
*Nov 22 14:54:44 EST:                        326430372D476930
*Nov 22 14:54:44 EST:    Hostname: tcfnc

 

As soon as I apply "no zone-member security external" to the interface, it comes right up. I have been throwing stuff at the wall all day.

 

Accepted Solution

Edit: The bootpc stuff is required. See later note in the thread.

It appears the bootps is all that is required. I made some changes and rebooted to be certain. Here is what I see in the log.

 

*Nov 23 09:26:24 EST: %FW-6-PASS_PKT: (target:class)-(external-self:bootps) Passing bootps pkt 0.0.0.0:68 => 255.255.255.255:67 with ip ident 58766
*Nov 23 09:28:07 EST: %FW-6-PASS_PKT: (target:class)-(self-external:bootps) Passing bootps pkt 0.0.0.0:68 => 255.255.255.255:67 with ip ident 66
Nov 23 09:43:14 EST: %FW-6-PASS_PKT: (target:class)-(self-external:bootps) Passing bootps pkt 192.168.1.21:68 => 192.168.1.1:67 with ip ident 9027

 

I haven't deleted the bootpc stuff, but I think I will shortly. Here is most of the relevant configuration.

 

class-map type inspect match-all bootpc
 match protocol bootpc
class-map type inspect match-all bootps
 match protocol bootps
!
policy-map type inspect external-self-policy
 class type inspect bootpc
  pass log
 class type inspect bootps
  pass log
 class type inspect external-self-inspect
  inspect
 class type inspect vpn-tunnel-traffic-class
  inspect
 class type inspect IPSEC
  inspect
 class class-default
  drop log
!
policy-map type inspect self-external-policy
 class type inspect bootpc
  pass log
 class type inspect bootps
  pass log
 class type inspect self-external-inspect
  inspect
 class type inspect IP-ALL
  inspect
 class class-default
  drop log
!
zone-pair security self-external source self destination external
 service-policy type inspect self-external-policy
zone-pair security external-self source external destination self
 service-policy type inspect external-self-policy

 

 

8 Replies

show policy-map type inspect zone-pair zone-pair-name sessions    

Can you share the output of this after adding the zone pairs and enabling the zone on the interface?

I don't know if I don't have it matched correctly, but the self-external pair isn't matching anything.

    Class-map: dhcp (match-all)
      Match: access-group name dhcp-allow
      Pass
        0 packets, 0 bytes

The external-self is matching a few packets.

    Class-map: dhcp (match-all)
      Match: access-group name dhcp-allow
      Pass
        2 packets, 628 bytes

Instead of match-all, use match-any for the dhcp class map.

After the change, share the show output again.

I figured it out. The problem was the policy map entry for DHCP with "pass" in it was less preferred/lower in the policy than a generic protocol UDP one with "inspect" in it. I rearranged the policy so the DHCP class was the first one, and now it works.
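To show why the position of the DHCP `pass` class in the policy-map decides whether it ever sees a packet, here is an added example (not code from this thread or from Cisco): a small Python model of first-match class evaluation over the subset of ZBFW syntax used above. It also mirrors the per-class counters from `show policy-map type inspect zone-pair` that were compared earlier in the thread. The class-map `generic-udp` (`match protocol udp`) is an assumption standing in for the broad inspect class the thread describes but never shows; the port table behind `match protocol bootps`/`bootpc`, the `ip`-only ACE syntax that is modelled, and the two constructed packets are assumptions as well.

```python
"""Model first-match class evaluation in a Cisco IOS ZBFW policy-map.

Added example for the thread above; not code from the original post or from
Cisco. It parses a small subset of IOS ZBFW syntax and walks a packet through
a policy-map's classes in order. 'generic-udp' and the PROTO_PORT table are
assumptions: the thread never shows what its broad inspect class matched.
"""
from dataclasses import dataclass

# Stand-in for "match protocol <name>": L4 protocol plus server port.
# Real IOS classification is NBAR-based; this mapping is an assumption.
PROTO_PORT = {"bootps": ("udp", 67), "bootpc": ("udp", 68), "ssh": ("tcp", 22)}
L4 = {"udp", "tcp", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok):
    return int(tok) if tok.isdigit() else PROTO_PORT[tok][1]


def _parse_ace(toks):
    """'permit <proto> any [eq P] any [eq P]' -> (proto, sport, dport)."""
    proto, i, ports = toks[1], 2, []
    for _ in range(2):                       # source, then destination
        if toks[i] != "any":
            raise ValueError("only 'any' endpoints are modelled: " + " ".join(toks))
        i += 1
        if i < len(toks) and toks[i] == "eq":
            ports.append(_port(toks[i + 1]))
            i += 2
        else:
            ports.append(None)
    return (proto, ports[0], ports[1])


def parse_config(text):
    """Collect ACLs, class-maps (mode + criteria) and policy-maps (ordered classes)."""
    acls, cmaps, pmaps, cur = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        toks = line.split()
        if not toks or toks[0] == "!":
            continue
        if line.startswith("ip access-list extended "):
            cur = ("acl", toks[3])
            acls[toks[3]] = []
        elif line.startswith("class-map type inspect "):
            cur = ("cmap", toks[4])
            cmaps[toks[4]] = {"mode": toks[3], "matches": []}
        elif line.startswith("policy-map type inspect "):
            cur = ("pmap", toks[3])
            pmaps[toks[3]] = []
        elif cur is None:
            continue
        elif cur[0] == "acl" and toks[0] == "permit":
            acls[cur[1]].append(_parse_ace(toks))
        elif cur[0] == "cmap" and toks[0] == "match":
            cmaps[cur[1]]["matches"].append(tuple(toks[1:]))
        elif cur[0] == "pmap" and toks[0] == "class":
            pmaps[cur[1]].append([toks[-1], None])   # 'class type inspect X' or 'class class-default'
        elif cur[0] == "pmap" and toks[0] in ("inspect", "pass", "drop"):
            pmaps[cur[1]][-1][1] = toks[0]           # a trailing 'log' keyword is ignored
    return {"acls": acls, "cmaps": cmaps, "pmaps": pmaps}


def _ace_hits(ace, pkt):
    proto, sport, dport = ace
    return proto in ("ip", pkt.proto) and sport in (None, pkt.sport) and dport in (None, pkt.dport)


def _criterion_hits(cfg, crit, pkt):
    if crit[0] == "protocol":
        if crit[1] in L4:
            return pkt.proto == crit[1]
        proto, port = PROTO_PORT[crit[1]]
        return pkt.proto == proto and pkt.dport == port
    if crit[:2] == ("access-group", "name"):
        return any(_ace_hits(a, pkt) for a in cfg["acls"][crit[2]])
    raise ValueError("unsupported match criterion: %r" % (crit,))


def class_hits(cfg, cmap_name, pkt):
    cm = cfg["cmaps"][cmap_name]
    combine = all if cm["mode"] == "match-all" else any
    return combine(_criterion_hits(cfg, c, pkt) for c in cm["matches"])


def first_match(cfg, pmap_name, pkt):
    """Top-to-bottom walk; the first class that matches decides the action."""
    for cname, action in cfg["pmaps"][pmap_name]:
        if cname == "class-default" or class_hits(cfg, cname, pkt):
            return cname, action
    return None, None


def hit_counts(cfg, pmap_name, packets):
    """Per-class hit counters, like 'show policy-map type inspect zone-pair'."""
    counts = {cname: 0 for cname, _ in cfg["pmaps"][pmap_name]}
    for p in packets:
        counts[first_match(cfg, pmap_name, p)[0]] += 1
    return counts


# Constructed configs. BEFORE puts an assumed broad UDP inspect class above the
# DHCP pass class; AFTER puts the DHCP classes first, as in the accepted solution.
BEFORE = """
ip access-list extended dhcp-allow
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
class-map type inspect match-all generic-udp
 match protocol udp
class-map type inspect match-all dhcp
 match access-group name dhcp-allow
policy-map type inspect self-external-policy
 class type inspect generic-udp
  inspect
 class type inspect dhcp
  pass log
 class class-default
  drop log
"""
AFTER = """
class-map type inspect match-all bootpc
 match protocol bootpc
class-map type inspect match-all bootps
 match protocol bootps
class-map type inspect match-all generic-udp
 match protocol udp
policy-map type inspect self-external-policy
 class type inspect bootps
  pass log
 class type inspect generic-udp
  inspect
 class class-default
  drop log
policy-map type inspect external-self-policy
 class type inspect bootpc
  pass log
 class class-default
  drop log
"""
# Constructed packets: the router's DHCPDISCOVER and the server's DHCPOFFER.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
OFFER = Packet("udp", "192.168.1.1", 67, "192.168.1.21", 68)

if __name__ == "__main__":
    cfg = parse_config(BEFORE)
    print("before:", first_match(cfg, "self-external-policy", DISCOVER),
          hit_counts(cfg, "self-external-policy", [DISCOVER, DISCOVER]))
    cfg = parse_config(AFTER)
    print("after: ", first_match(cfg, "self-external-policy", DISCOVER),
          first_match(cfg, "external-self-policy", OFFER))
```

With the BEFORE ordering the discover is claimed by the broad `inspect` class and the `dhcp` class stays at 0 packets, which is the counter pattern seen earlier in the thread; moving the `pass` class above the broad class is what changes the outcome, not the match-all/match-any mode of the DHCP class-map.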

Happy ends 

Have a nice day

Note:- please mark this post as solved 

MHM

Hello Elliot
Could you try the following:


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


The bootpc stuff is required. It didn't generate the log file entries I thought it should have, but here is what matched from the firewall policy stats.

policy exists on zp self-external
  Zone-pair: self-external

  Service-policy inspect : self-external-policy

    Class-map: bootps (match-all)
      Match: protocol bootps
      Pass
        2 packets, 632 bytes

    Class-map: bootpc (match-all)
      Match: protocol bootpc
      Pass
        0 packets, 0 bytes
!
policy exists on zp external-self
  Zone-pair: external-self

  Service-policy inspect : external-self-policy

    Class-map: bootps (match-all)
      Match: protocol bootps
      Pass
        0 packets, 0 bytes

    Class-map: bootpc (match-all)
      Match: protocol bootpc
      Pass
        2 packets, 656 bytes