I recently acquired a cisco 881w router, and it seems to be working pretty good so far, except I've been running into problems with the Zone Based Firewall, particularly for DHCP on my WAN Interface. I have a CM100 Cable Modem (ISP = Comcast), plugged into my FastEthernet4 port (for WAN), and I configured that port with "Ip Address DHCP" and "No Shutdown". I have also set up NAT Overload for my inside devices to use the internet.
The problem is that after my Zone Based Firewall (Low) is setup, I lose my IP Address on my WAN interface.. It just disappears.. Same if I restart the router.
I checked my zone based firewall rules, and there is a entry for "outside >> inside, Allow BOOTPC" so my WAN interface should be able to get an IP Address right?
Attached is my running-config.
Gah.. Everytime I post here (after hours of bashing my head against problems) I find out what was wrong...
Apparently I had to allow bootps and bootpc from Out >> Self.. The CCP didn't do it for me even though I told it to (Still new to ACLs and Firewalls so i use CCP for it, do CLI for all the other stuff)
Oh well, if anyone runs into the same problem just be sure you have:
Self >> Out : bootps = allow
Out >> self : bootps + bootpc = allow
Would you mind revealing how you solved this? I'm trying to solve the same problem and have been unsuccessful so far with the firewall (I had solved it previously with ACLs, but the firewall is a different beast).
I'll try explain it as best as I can... This is how i did it from CCP, I'm not sure exactly how to do it on CLI yet.
1) Make sure you have your NAT Translations setup, and "ip address dhcp" on your WAN interface.
2) Start the Firewall Setup Wizard, and choose low/medium/high.
3) Choose your WAN interface as "outside untrusted" and your LAN interface as "inside trusted".
4) Continue to the end, the wizard will ask you if you want to allow your NAT Translations to pass through the firewall, pick yes.
5) Another prompt will ask you if you want to allow DHCP traffic through your firewall, pick yes.
6) Now there is one more thing to do, and you have to go to the "Edit Firewall Policy" Tab. You must make sure there are 2 policies setup. First make sure in "self to out-zone" that there is a policy for: "Source: any, destination: any, service: bootps (under misc), action: allow.
7) Next in "out-zone to self", make sure there is a single policy setup to allow BOTH 'bootps' and 'bootpc' (under misc). After I did this, DHCP on my WAN interface immediately began to work for me. Below is a screenshot of what it should look like:
Hope to help,
Hehe, like you, I figured out my problem not long after I posted that message. I was missing the self->out path. It always takes me a few days to figure out new cisco features. (I realize ZBFs have been out for a while, but I just got a new 2951 and CCP "introduced" them to me.)
Thanks for the reply!