Solved: Re: Cisco 1841 Block all incoming but allow UDP for DHCP only

phillh1974 · ‎07-27-2020

Hi all.

I've decided to apply some security settings to the WAN facing port f0/0 to allow only TCP, UDP & ICMP connections that originate from within my LAN. I've added some ip inspect out rules and an access-list 101 deny ip any any on int f0/0.

I've found today when there is an issue with my ISP or if de-patch / shut / no shut int f0/0 I no longer receive a DHCP address from my ISP, I've found that the command ip access-group 101 in blocks the DHCP assignment. Is there a way that I can amend access-list 101 to allow my WAN port DHCP only, blocking all other UDP ports?

My config is as below.

Current configuration : 6401 bytes
!
! Last configuration change at 13:57:29 UTC Mon Jul 27 2020
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Bandicoot
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$VYHY$4MQyLGEQQTFkAQKo4WbUV1
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.100 192.168.1.254
ip dhcp excluded-address 192.168.5.1
!
ip dhcp pool pool-192.168.1.0
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
 dns-server 8.8.8.8 
 lease 20
!
ip dhcp pool vlan5
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1 
 dns-server 8.8.8.8 
 lease 3
!
!
ip cef
ip inspect L2-transparent dhcp-passthrough
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 l2-transparent dhcp-passthrough enable
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ152292GM
!
redundancy
!
!
! 
!
!
!
!
!
!
 interface FastEthernet0/0
 description WAN Interface
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect FW out
 no ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description LAN Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 101 deny   ip any any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 password xxxxxxxx
 logging synchronous
line aux 0
line vty 0 4
 password xxxxxxxx
 login
 transport input all
!
scheduler allocate 20000 1000
end

Thank you for your time.

Phill