[c-nsp] ZBFW and DHCP

Scott Voll svoll.voip at gmail.com
Wed Sep 14 16:50:39 EDT 2011


That did it... thanks!

Scott

On Tue, Sep 13, 2011 at 9:59 PM, Andrew Jones <Andrew.Jones at alphawest.com.au> wrote:

> Obvious question, but is DHCP passed in the service policy?
>
> i.e.:
>
> ip access-list extended al-dhcp
>  remark Permit DHCP Clients to be allocated an address by the router
>  permit udp any any eq bootpc
>  permit udp any any eq bootps
>
> class-map type inspect match-all cm-dhcp
>  match access-group name al-dhcp
>
> policy-map type inspect pm-dhcp
>  class type inspect cm-dhcp
>   pass
>
> zone-pair security zp-untrusted-self source zo-untrusted destination self
>  service-policy type inspect pm-dhcp
>
>
> You may need to reverse the ACL so that it allows DHCP both ways, as this
> is to allow the router to serve DHCP.
>
> i.e.
>
> permit udp any eq bootpc any
>
> Cheers,
>
> Andrew Jones
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Voll
> Sent: Wednesday, 14 September 2011 12:11 AM
> To: Hughes, Scott GRE-MG
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ZBFW and DHCP
>
> I have Zones for both inside self and outside self
>
> Scott
>
> On Mon, Sep 12, 2011 at 1:38 PM, Hughes, Scott GRE-MG <SHughes at grenergy.com> wrote:
>
> > Did you set up any zone-pairs involving the 'self' zone? If you don't use
> > self zones, no additional configuration should be necessary for DHCP
> > packets.
> >
> >
> >
> > On Sep 12, 2011, at 9:43 AM, "Scott Voll" <svoll.voip at gmail.com> wrote:
> >
> > > So I'm setting up a GRE IPSEC tunnel as my backup link with a 2821.  I have
> > > also set up ZBFW on the outside interface.  So far so good.
> > >
> > > BUT now the outside interface will not get a DHCP address from the ISP.  How
> > > do I allow the Router to get a DHCP address?  Did I miss something on the
> > > ZBFW config?  Or can this not be done?
> > >
> > > TIA
> > >
> > > Scott
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
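
Added example, not part of the original thread or any poster's configuration: the DHCP-client case from the original question (router obtaining its outside address from the ISP) written out for both self zone-pairs. The zone name zo-untrusted is taken from the quoted config; every other name is an illustrative assumption.

```cisco
! Added example. zo-untrusted comes from the quoted config above;
! all ACL, class-map, policy-map and zone-pair names are assumptions.
!
! Router-originated DHCP client traffic: source port 68, destination port 67
ip access-list extended al-dhcp-client-out
 remark DHCP client requests sent by the router (DISCOVER/REQUEST/renewals)
 permit udp any eq bootpc any eq bootps
!
! Replies from the ISP DHCP server: source port 67, destination port 68
ip access-list extended al-dhcp-client-in
 remark DHCP server replies to the router (OFFER/ACK/NAK)
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all cm-dhcp-client-out
 match access-group name al-dhcp-client-out
class-map type inspect match-all cm-dhcp-client-in
 match access-group name al-dhcp-client-in
!
! Traffic matching no class falls to class-default, whose default action is drop
policy-map type inspect pm-self-to-untrusted
 class type inspect cm-dhcp-client-out
  pass
!
policy-map type inspect pm-untrusted-to-self
 class type inspect cm-dhcp-client-in
  pass
!
zone-pair security zp-self-untrusted source self destination zo-untrusted
 service-policy type inspect pm-self-to-untrusted
zone-pair security zp-untrusted-self source zo-untrusted destination self
 service-policy type inspect pm-untrusted-to-self
```

Because `pass` is stateless, each direction needs its own entry, and since a zone-pair takes a single service-policy, a router that already has self-zone policies (for the IPsec/GRE tunnel, for instance) would add these classes to the existing policy-maps instead of attaching new ones. `show policy-map type inspect zone-pair` displays per-class packet counters to confirm the DHCP classes are matching.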

