03-06-2015 06:03 PM - edited 03-07-2019 10:59 PM
Hello,
First time posting, so forgive me and redirect me if I'm posting in the wrong area. I'm a student studying for the Cisco CCNA and am also doing some setup on my home network with a Cisco 1841 router.
I'm trying to configure it now to get a DHCP address on fa0/0 from my cable modem. The problem I'm having is that my ACL is blocking the request. I have a stateful firewall turned on inbound on fa0/0. Hoping someone can help me understand a secure way to get a DHCP IP address from the modem, similarly to how a typical home router does. As you can see, the 'Firewall' ACL blocks all packets not allowed via the packet inspection, and fa0/0 is the default gateway out.
sample config:
!
!
ip inspect name Firewall-SPI tcp
ip inspect name Firewall-SPI udp
ip inspect name Firewall-SPI icmp
spanning-tree mode pvst
!
!
interface FastEthernet0/0
ip address dhcp
ip access-group Firewall in
ip nat outside
ip inspect Firewall-SPI out
!
!
ip nat inside source list NATCHECK interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list standard NATCHECK
permit any
!
ip access-list extended Firewall
deny ip any any
!
suggestions appreciated, thanks!
03-06-2015 06:23 PM
Try modifying your Firewall ACL:
ip access-list extended Firewall
permit udp any eq bootps any eq bootpc
deny ip any any
Also, your NAT ACL probably won't work because you are using "any" as the source subnet, and NAT often doesn't like this.
By all means use a standard ACL; I usually just use an extended ACL, but it's up to you. E.g., if your inside LAN was 192.168.10.0/24, then:
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 101 interface fa0/0 overload
Finally, you may want to try using:
ip route 0.0.0.0 0.0.0.0 dhcp
and see if that works. The issue with using an interface is that your router has to ARP out for every internet address because it thinks every IP is, in effect, local.
Edit - forgot to say: yes, you chose the right place to post, and welcome to the forums :-)
Jon
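Pulling the three suggestions in the answer above together into one fragment, as an added example rather than config from either post. It assumes the LAN hangs off FastEthernet0/1 as 192.168.10.0/24 (the original post does not show the inside interface, so that address and interface are assumptions), and it keeps the asker's CBAC inspection as posted. The reason the static permit is needed at all is that CBAC, as configured here, only tracks sessions that pass through the router; the DHCP request is generated by the router itself, so no dynamic entry is created for the modem's reply and it lands on the inbound ACL. The `log` keyword on the final deny is an addition so that dropped packets show up in `show logging` while you are troubleshooting.

```cisco
! Added example, not from the original post: the answer's changes applied to
! the asker's config. Assumes the LAN is on FastEthernet0/1 as 192.168.10.0/24.
!
! CBAC inspection stays as posted: return traffic for sessions that left via
! fa0/0 is admitted by the dynamic entries it creates, so the static ACL
! below only has to cover what CBAC cannot see.
ip inspect name Firewall-SPI tcp
ip inspect name Firewall-SPI udp
ip inspect name Firewall-SPI icmp
!
interface FastEthernet0/0
 description WAN to cable modem (DHCP client)
 ip address dhcp
 ip access-group Firewall in
 ip nat outside
 ip inspect Firewall-SPI out
!
interface FastEthernet0/1
 description LAN (assumed 192.168.10.0/24 - not shown in the original post)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! NAT ACL naming the inside subnet explicitly instead of "permit any"
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Default route taken from the DHCP lease rather than pinned to the interface,
! so the router forwards to the learned gateway instead of ARPing for every
! internet address
ip route 0.0.0.0 0.0.0.0 dhcp
!
! Inbound WAN ACL. The only static hole is the DHCP server-to-client reply:
! UDP from source port 67 (bootps) to destination port 68 (bootpc). The
! router originates the DHCP request itself, so CBAC never opens this
! return path dynamically. "log" on the deny is added for troubleshooting.
ip access-list extended Firewall
 permit udp any eq bootps any eq bootpc
 deny ip any any log
```

After applying it, `show dhcp lease` shows whether fa0/0 obtained a lease and which gateway it learned, `show access-lists Firewall` shows hit counts on the bootps/bootpc line (and on the deny if something else is still being dropped), `show ip route` should list the 0.0.0.0/0 route via the DHCP-learned next hop, and `show ip nat translations` and `show ip inspect sessions` confirm that LAN traffic is being translated and tracked on the way out. One caveat worth knowing: the permit line accepts UDP from any source at port 67 to port 68, so a host on the cable segment could answer with a rogue DHCP offer. That is the same exposure a consumer router accepts, and there is no tighter filter available before the lease is known, but it is the trade-off being made.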
03-12-2015 03:48 PM
thank you :)