07-27-2020 06:47 AM
Hi all.
I've decided to apply some security settings to the WAN facing port f0/0 to allow only TCP, UDP & ICMP connections that originate from within my LAN. I've added some ip inspect out rules and an access-list 101 deny ip any any on int f0/0.
I've found today that when there is an issue with my ISP, or if I de-patch / shut / no shut int f0/0, I no longer receive a DHCP address from my ISP; I've found that the command ip access-group 101 in blocks the DHCP assignment. Is there a way that I can amend access-list 101 to allow my WAN port DHCP only, blocking all other UDP ports?
My config is as below.
Current configuration : 6401 bytes
!
! Last configuration change at 13:57:29 UTC Mon Jul 27 2020
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Bandicoot
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$VYHY$4MQyLGEQQTFkAQKo4WbUV1
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.100 192.168.1.254
ip dhcp excluded-address 192.168.5.1
!
ip dhcp pool pool-192.168.1.0
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
 lease 20
!
ip dhcp pool vlan5
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
 lease 3
!
ip cef
ip inspect L2-transparent dhcp-passthrough
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 l2-transparent dhcp-passthrough enable
crypto pki token default removal timeout 0
!
license udi pid CISCO1841 sn FCZ152292GM
!
redundancy
!
interface FastEthernet0/0
 description WAN Interface
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect FW out
 no ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description LAN Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 101 deny ip any any
!
control-plane
!
line con 0
 password xxxxxxxx
 logging synchronous
line aux 0
line vty 0 4
 password xxxxxxxx
 login
 transport input all
!
scheduler allocate 20000 1000
end
Thank you for your time.
Phill
07-27-2020 08:26 AM
Hello @phillh1974 ,
You can try the following modified version:
access-list 101 permit udp any any eq 67
access-list 101 permit udp any any eq 68
access-list 101 deny ip any any
67 and 68 should be the ports associated with the DHCP process.
See
http://www.tcpipguide.com/free/t_BOOTPClientServerMessagingandAddressing-2.htm
Hope to help
Giuseppe
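As an added illustration (not code from the thread or from Cisco), here is a small first-match evaluator for the access-list 101 lines posted above, run against constructed inbound packets on f0/0: it shows that the original single deny ACE drops the ISP's DHCP reply (UDP 67 to 68) while the two added permit ACEs pass it. It also evaluates a narrower variant, `permit udp any eq 67 any eq 68`, which is my assumption of a form that only passes DHCP server-to-client replies; the ACE parser and the sample packets are constructed for this example.

```python
# Added example (not from the thread): first-match evaluator for the
# access-list 101 ACEs posted above; only "<permit|deny> <proto> any [eq P] any [eq P]" is supported.

ORIGINAL_ACL = ["access-list 101 deny ip any any"]
FIXED_ACL = [  # Giuseppe's version
    "access-list 101 permit udp any any eq 67",
    "access-list 101 permit udp any any eq 68",
    "access-list 101 deny ip any any",
]
TIGHTER_ACL = [  # assumed narrower variant: only DHCP server (67) -> client (68)
    "access-list 101 permit udp any eq 67 any eq 68",
    "access-list 101 deny ip any any",
]

def parse_ace(line):
    """Return (action, proto, src_port, dst_port); None means any port."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    ports, i = [], 0
    while i < len(rest):  # each address is 'any', optionally followed by 'eq P'
        assert rest[i] == "any", f"unsupported ACE: {line}"
        i += 1
        if i < len(rest) and rest[i] == "eq":
            ports.append(int(rest[i + 1]))
            i += 2
        else:
            ports.append(None)
    return action, proto, ports[0], ports[1]

def evaluate(acl_lines, proto, sport, dport):
    """Apply the ACL top-down, first match wins, implicit deny at the end."""
    for line in acl_lines:
        action, aproto, asport, adport = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"

# Constructed inbound packets on f0/0: (proto, src_port, dst_port)
DHCP_OFFER = ("udp", 67, 68)    # ISP DHCP server replying to the router
TCP_PROBE = ("tcp", 51515, 22)  # unsolicited inbound TCP
UDP_TO_67 = ("udp", 40000, 67)  # unsolicited UDP aimed at port 67
if __name__ == "__main__":
    for name, pkt in ("DHCP offer", DHCP_OFFER), ("TCP probe", TCP_PROBE), ("UDP to 67", UDP_TO_67):
        print(name, [evaluate(a, *pkt) for a in (ORIGINAL_ACL, FIXED_ACL, TIGHTER_ACL)])
```

The third packet makes the practical point: the posted fix also lets unsolicited UDP to port 67 through the ACL, which the narrower ACE avoids while still admitting the DHCP reply.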
07-27-2020 01:03 PM
Hi Giuseppe.
Thanks for the reply, this works perfectly.
Cheers :-)
Phill