lonebandit
join:2001-12-01 Oak Creek, WI
·AT&T U-Verse
[Config] access-list, dhcp

I am running a 2801 router and enabled the DHCP server for my LAN... it's working well... but I had a question...
I use an access-list on my fas0/0 (lan side) and different access-lists on my fas0/1 (wan side).
My current applied access list on fas0/0:

  interface FastEthernet0/0
   description INSIDE LAN
   ip access-group to-internet in
and the list looks like this:

  ip access-list extended to-internet
   deny tcp any any range 135 139
   deny udp any any range 135 netbios-ss
   permit ip 192.168.1.0 0.0.0.255 any
...this configuration seems to BLOCK dhcp client requests into the interface.
So I changed this list as follows:

  ip access-list extended to-internet
   deny tcp any any range 135 139
   deny udp any any range 135 netbios-ss
   permit ip any any
...this now permits the clients to obtain a DHCP address... but I was wondering if there could be a better way to do this...
Any comments WILL be appreciated.
-JD
thebajaguy
Premium join:2006-01-06 Oaklyn, NJ

Re: [Config] access-list, dhcp

I dug back into the discussions and saw a note about UDP port 67 being DHCP-related communications. I didn't confirm it with another source, so I'd suggest you check it out further.
lonebandit
join:2001-12-01 Oak Creek, WI

Re: [Config] access-list, dhcp

Yeah... I figured something like this should be needed... but wasn't sure. So I am on the right track.
-JD
Phraxos
Premium join:2004-06-12 UK
1 edit

Re: [Config] access-list, dhcp

The way to fix these sorts of problems is to have a "deny ip any any log" at the end of the ACL. You trigger the problem behaviour, check the log (sh log), and you will see what is being blocked.
Usually you can nail it in two minutes.
BTW, it is good practice to have that line at the end of the ACLs anyway; then you can always have a quick look at the log to check for suspicious behaviour.
[Edit] I could just tell you what you need for DHCP, but I'm a heartless bastard and this way you will learn so much more.
lonebandit
join:2001-12-01 Oak Creek, WI

Re: [Config] access-list, dhcp

I probably know what I need to add there... one or both of these:

  bootps 67/udp  BOOTP/DHCP server
  bootpc 68/udp  BOOTP/DHCP client

I just wanted an opinion about this. And I guess I got it.
-JD
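As an added example that is not code from the thread: a small first-match evaluator for IOS-style extended ACLs, fed the OP's list as posted and a version I would suggest (a narrow "permit udp any eq bootpc any eq bootps" ahead of the existing lines, plus Phraxos's "deny ip any any log" at the end). It shows why the original list drops a fresh DHCP client: with no lease yet it sends from 0.0.0.0, which never matches "permit ip 192.168.1.0 0.0.0.255 any", so the packet falls through to the implicit deny, while a renewal from a leased address was always fine. The port keyword table and the evaluator are my own, not IOS.

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "netbios-ss": 139}  # port keywords used in the thread
def _port(tok): return PORT_NAMES.get(tok) or int(tok)

# The OP's list as posted, and my suggested version: a narrow bootpc->bootps permit
# instead of "permit ip any any", with "deny ip any any log" at the end (Phraxos's tip).
ORIGINAL_ACL = """
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 permit ip 192.168.1.0 0.0.0.255 any
"""
FIXED_ACL = """
 permit udp any eq bootpc any eq bootps
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
"""

def _addr(toks):  # 'any' | 'A WILDCARD' (an IOS wildcard is an inverted netmask)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(toks[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((toks[0], str(mask)), strict=False), toks[2:]

def _ports(toks):  # optional 'eq P' | 'range LO HI'; default matches every port
    if toks and toks[0] == "eq":
        return (_port(toks[1]),) * 2, toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return (0, 65535), toks

def parse_acl(text):
    rules = []
    for toks in (line.split() for line in text.splitlines()):
        if not toks or toks[0] not in ("permit", "deny"):  # blank and remark lines
            continue
        src, rest = _addr(toks[2:]); sport, rest = _ports(rest)
        dst, rest = _addr(rest);     dport, _ = _ports(rest)  # trailing "log" is ignored
        rules.append((toks[0], toks[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):  # first match wins, implicit deny at the end
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in rules:
        if p in ("ip", proto) and s in snet and d in dnet \
           and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return action
    return "deny"

def dhcp_discover_allowed(acl_text):  # a client with no lease: 0.0.0.0:68 -> 255.255.255.255:67
    return evaluate(parse_acl(acl_text), "udp", "0.0.0.0", 68, "255.255.255.255", 67) == "permit"
```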