[c-nsp] ZBFW and DHCP
Andrew Jones
Andrew.Jones at alphawest.com.au
Wed Sep 14 00:59:36 EDT 2011
Obvious question, but is DHCP passed in the service policy?
i.e.:
ip access-list extended al-dhcp
 remark Permit DHCP Clients to be allocated an address by the router
 permit udp any any eq bootpc
 permit udp any any eq bootps
!
class-map type inspect match-all cm-dhcp
 match access-group name al-dhcp
!
policy-map type inspect pm-dhcp
 class type inspect cm-dhcp
  pass
!
zone-pair security zp-untrusted-self source zo-untrusted destination self
 service-policy type inspect pm-dhcp
You may need to reverse the ACL so that it allows DHCP both ways, as this is to allow the router to serve DHCP.
i.e.:
 permit udp any eq bootpc any
Cheers,
Andrew Jones
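For anyone wanting to sanity-check which DHCP messages an ACL like the one above actually matches in each direction before applying it to the untrusted-to-self zone-pair, here is a small Python checker (added example, not from the thread or from Cisco; the ACL parser is simplified to the 'any' and 'host' address forms, and the DHCP exchange and addresses are constructed):

```python
# Added example, not from the thread: evaluate a simplified IOS extended ACL
# against the DHCP messages the router sees as a client on its outside interface.
PORT_NAMES = {"bootpc": 68, "bootps": 67}   # IOS keywords for UDP 68 / 67

def parse_ace(line):
    # Parse 'permit|deny udp <src> [eq p] <dst> [eq p]'; assumption: only 'any' and 'host A.B.C.D' forms.
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "udp":
        return None                       # remarks / non-UDP entries are skipped
    i, ends = 2, []
    for _ in range(2):                    # source spec, then destination spec
        if toks[i] == "any":
            addr, i = None, i + 1
        elif toks[i] == "host":
            addr, i = toks[i + 1], i + 2
        else:
            raise ValueError("unsupported address form: " + line)
        port = None
        if i < len(toks) and toks[i] == "eq":
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        ends.append((addr, port))
    return toks[0], ends[0], ends[1]

def acl_permits(acl_lines, src_ip, sport, dst_ip, dport):
    # First-match evaluation, with IOS's implicit deny at the end of the list.
    for line in acl_lines:
        ace = parse_ace(line.strip())
        if ace is None:
            continue
        action, (sa, sp), (da, dp) = ace
        if (sa in (None, src_ip) and sp in (None, sport)
                and da in (None, dst_ip) and dp in (None, dport)):
            return action == "permit"
    return False

# Constructed exchange (ISP server 203.0.113.1 offers the router 203.0.113.50):
# (message, direction relative to the router, src_ip, sport, dst_ip, dport)
DHCP_EXCHANGE = [
    ("DISCOVER", "out", "0.0.0.0", 68, "255.255.255.255", 67),
    ("OFFER", "in", "203.0.113.1", 67, "255.255.255.255", 68),
    ("REQUEST", "out", "0.0.0.0", 68, "255.255.255.255", 67),
    ("ACK", "in", "203.0.113.1", 67, "203.0.113.50", 68),
]
def dropped_dhcp(acl_lines, direction):
    # DHCP messages travelling in `direction` that the ACL would not permit.
    return [m for m, d, si, sp, di, dp in DHCP_EXCHANGE
            if d == direction and not acl_permits(acl_lines, si, sp, di, dp)]
ACL_FROM_THREAD = ["permit udp any any eq bootpc", "permit udp any any eq bootps"]
ACL_SOURCE_PORT = ["permit udp any eq bootpc any"]   # the 'reversed' entry above
```

Running dropped_dhcp(ACL_SOURCE_PORT, "in") lists the server-sourced OFFER and ACK, which is the direction to check when the router is the DHCP client on the outside interface rather than the server.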
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Voll
Sent: Wednesday, 14 September 2011 12:11 AM
To: Hughes, Scott GRE-MG
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ZBFW and DHCP
I have Zones for both inside self and outside self
Scott
On Mon, Sep 12, 2011 at 1:38 PM, Hughes, Scott GRE-MG <SHughes at grenergy.com> wrote:
> Did you set up any zone-pairs involving the 'self' zone? If you don't use
> self zones, no additional configuration should be necessary for DHCP
> packets.
> On Sep 12, 2011, at 9:43 AM, "Scott Voll" <svoll.voip at gmail.com> wrote:
>
> > So I'm setting up a GRE IPSEC tunnel as my backup link with a 2821. I have
> > also set up ZBFW on the outside interface. So far so good.
> >
> > BUT now the outside interface will not get a DHCP address from the ISP. How
> > do I allow the Router to get a DHCP address? Did I miss something on the
> > ZBFW config? Or can this not be done?
> >
> > TIA
> >
> > Scott
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/