CBAC and DHCP

Mark Knutson
I have been working on configuring a 3640 as my home network firewall. The outward-facing FastEthernet interface needs to get its IP address from the ISP using DHCP. I got NAT/PAT working, and the DHCP server for the inside network, but kind of got stuck on the CBAC access rules.

I set up a deny-all rule, with CBAC dynamically adding permit exceptions to it in response to connections initiated from the internal network.

Problem is, in doing this, the outward-facing FastEthernet lost its DHCP-acquired IP address once I set the deny all, and I believe the ACL rule is preventing it from re-acquiring a new one.

I have spent quite some time with internet searching and Cisco documentation, but am still at a loss as to how to enable the router to get its IP address once I set up the CBAC scheme.

Any help along these lines would be much appreciated. I looked at the list of protocols for CBAC inspect rules, but did not see a DHCP one.

Also, I have not been able to locate instructions on how to get a 3640 FastEthernet interface to try to re-acquire a DHCP address when it does not have one. A reload of the entire system does it, but that is quite time-consuming.

Comments

  • networker050184 (Mod)
    You can just allow DHCP before the deny all.
    An expert is a man who has made all the mistakes which can be made.
  • Ahriakin
    CBAC does not work for traffic originated by the router itself; as networker050184 said, statically configure the ACL to allow it.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Mark Knutson
    Thanks, guys. I will implement the suggestion.
  • Mark Knutson
    OK, I have my 3640 configured and up and running per the suggestions here. What I am wondering is whether I have opened up a security hole with the ACL permit I used to allow it to act as a DHCP client of the ISP. This is what I am seeing:

    c3640#sh access-lists
    Standard IP access list 1
    10 permit 10.1.2.0, wildcard bits 0.0.0.255 (1445 matches)
    Extended IP access list wan-acl
    10 permit udp any eq bootps any eq bootpc (17265 matches)
    20 deny ip any any (4591 matches)

    Access list 1 is part of the NAT configuration. wan-acl is applied to the WAN-side FastEthernet in the 'in' direction. There are a bunch of inspections set up, and the router is functioning well as a firewall/DHCP server/NAT.

    This is from about 8 hours, and I am seeing lots of activity against the UDP ports. Does opening up the UDP ports to allow a source port of bootps and a destination port of bootpc represent a security risk? And if so, is there a better way to enable a DHCP client?

    Any assistance along these lines is much appreciated. What I have is the best I could figure out after quite a bit of reading and googling.
  • JavonR
    Instead of implementing something like this:

    10 permit udp any eq bootps any eq bootpc

    You could try specifying your ISP's specific dhcp server:

    10 permit udp host x.x.x.x eq bootps any eq bootpc

    x.x.x.x = your ISP default gateway.
  • Mark Knutson
    JavonR wrote:
    Instead of implementing something like this:

    10 permit udp any eq bootps any eq bootpc

    You could try specifying your ISP's specific dhcp server:

    10 permit udp host x.x.x.x eq bootps any eq bootpc

    x.x.x.x = your ISP default gateway.

    Good idea, I will look into that. I need to check with them to see if it's an IP address that does not change. It's Comcast, and from their MAC address, it's Cisco gear I am talking to.

    Update: Spoke with Comcast and their DHCP server/gateway IP address is static, so I can code my ACL to that.

    Just found out I have to add GRE to the permit list to get the VPN to work.

    Update: Added the GRE permit and the VPN started working. Going to declare this 3640 as officially placed into service as my home router. Thanks for the help here!
  • Ahriakin
    You could also secure your other interfaces from DHCP: deny it incoming/outgoing on them to block transit traffic (mostly outgoing, to block any floods; with no ip helper configured, internal requests should die anyway).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
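Pulling the thread's advice together, the following is an added example of a classic-IOS (CBAC) configuration for the setup described above. It is not the original poster's running config. The interface names, the 10.1.2.0/24 LAN, and the placeholders x.x.x.x (the ISP's DHCP server/gateway, which the poster confirmed is static) and y.y.y.y (the VPN peer) are assumptions. The point it demonstrates: CBAC opens return holes only for sessions the inside initiates, so the router's own DHCP client needs a static permit; that permit is pinned to one source host rather than "any"; GRE gets its own permit; and an outbound ACL on the WAN side stops inside hosts' DHCP traffic from transiting, without affecting the router's own DHCP client, because IOS outbound ACLs do not filter router-generated packets.

```cisco
! Added example, not the original poster's configuration.
! Assumed: FastEthernet0/0 = WAN, FastEthernet0/1 = LAN (10.1.2.0/24),
! x.x.x.x = ISP DHCP server/gateway, y.y.y.y = GRE VPN peer.
!
! CBAC: dynamically punches return-path holes in wan-acl for tcp/udp/icmp
! sessions that the inside initiates. Router-originated traffic (the DHCP
! client) is not covered, which is why wan-acl needs a static permit.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended wan-acl
 remark DHCP offers/acks only from the ISP's known server, not from "any"
 permit udp host x.x.x.x eq bootps any eq bootpc
 remark GRE for the VPN; pinned to the peer because its address is fixed
 permit gre host y.y.y.y any
 remark everything else is dropped unless CBAC has opened it
 deny ip any any log
!
ip access-list extended wan-out
 remark block inside hosts' DHCP requests from transiting toward the ISP.
 remark This does not touch the router's own client: outbound ACLs are not
 remark applied to packets the router generates itself.
 deny udp any eq bootpc any eq bootps
 permit ip any any
!
interface FastEthernet0/0
 description WAN, address learned from the ISP by DHCP
 ip address dhcp
 ip access-group wan-acl in
 ip access-group wan-out out
 ip inspect FW out
 ip nat outside
!
interface FastEthernet0/1
 description LAN, this router is the DHCP server here
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.1.2.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
```

Two practical notes. First, confirm the address the router actually sees as its DHCP server before pinning the ACL to it (`show dhcp lease` reports the lease and the server it came from); on a cable network that is often a relay rather than the server itself, and the permit must match the source the replies carry. Second, the `host x.x.x.x` restriction narrows the exposure from the bootps/bootpc permit but does not remove it: a source address is trivially spoofed, so what remains is an unsolicited UDP/68 packet reaching the router's DHCP client, which only acts on replies that match a transaction it has in flight. To re-acquire an address without a reload, the IOS exec commands `release dhcp FastEthernet0/0` followed by `renew dhcp FastEthernet0/0` restart the client on that interface.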