SimonV's Blog-Allowing inbound DHCP requests on a Cisco ZBFW

Started by SimonV, September 19, 2018, 06:04:26 AM

Previous topic - Next topic

SimonV

Allowing inbound DHCP requests on a Cisco ZBFW

I came across an interesting one today, where a Cisco Zone-Based Firewall needed to be reconfigured to serve DHCP for a segment connected to it in a zone called “Guest”. It already had a policy-map configured for traffic from Guest to Self, which had ACLs for SSH management. First I tried adding these two lines … Continue reading Allowing inbound DHCP requests on a Cisco ZBFW

I came across an interesting one today, where a Cisco Zone-Based Firewall needed to be reconfigured to serve DHCP for a segment connected to it in a zone called “Guest”. It already had a policy-map configured for traffic from Guest to Self, which had ACLs for SSH management. 


First I tried adding these two lines to that ACL, in the existing class-map



permit udp any any eq bootpc
permit udp any any eq bootps

Although I did see the ACL match counters increment, DHCP was not handing out addresses yet. A quick search led me to this page on the Cisco site. In the last paragraph, they state the following:


If the routers’ inside interface is acting as a DHCP server and if the clients that connect to the inside interface are the DHCP clients, this DHCP traffic is allowed by default if there is no inside-to-self or self-to-inside zone policy.

However, if either of those policies does exist, you need to configure a pass action for the traffic of interest (UDP port 67 or UDP port 68) in the zone pair service policy.


In my case, there was a policy configured but with the action set to inspect. To fix it, I had to add a new ACL and class-map to the Guest-Self policy-map.


New ACL that matches the DHCP traffic. The source and destination is set to any because of the DHCP request format.



ip access-list extended Guest-Self-DHCP-ACL
permit udp any any eq bootpc
permit udp any any eq bootps

Tie the ACL to a new inspect class map:



class-map type inspect match-any Guest-Self-DHCP-CMap
match access-group name Guest-Self-DHCP-ACL

And finally, add the class-map to the policy-map with the pass action



policy-map type inspect Guest-Self-PMap
class type inspect Guest-Self-CMap
  inspect
class type inspect Guest-Self-DHCP-CMap
  pass log
class class-default
  drop

After that the clients started receciving IP addresses again.



ZBFW-ROUTER#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.200.201     014d.970e.4136.af       Oct 21 2015 10:43 AM    Automatic

Source: Allowing inbound DHCP requests on a Cisco ZBFW