I came across an interesting one today, where a Cisco Zone-Based Firewall needed to be reconfigured to serve DHCP for a segment connected to it in a zone called “Guest”. It already had a policy-map configured for traffic from Guest to Self, which had ACLs for SSH management.
First I tried adding these two lines to the ACL referenced by the existing class-map:

    permit udp any any eq bootpc
    permit udp any any eq bootps
Although I did see the ACL match counters increment, DHCP was not handing out addresses yet. A quick search led me to this page on the Cisco site. In the last paragraph, they state the following:
If the router's inside interface is acting as a DHCP server and if the clients that connect to the inside interface are the DHCP clients, this DHCP traffic is allowed by default if there is no inside-to-self or self-to-inside zone policy.
However, if either of those policies does exist, you need to configure a pass action for the traffic of interest (UDP port 67 or UDP port 68) in the zone pair service policy.
In my case, there was a policy configured, but with the action set to inspect. To fix it, I had to add a new ACL and class-map to the Guest-Self policy-map.
A new ACL that matches the DHCP traffic. Source and destination are set to any because of the DHCP request format: a client that has no address yet sends from 0.0.0.0 to the broadcast address 255.255.255.255.

    ip access-list extended Guest-Self-DHCP-ACL
     permit udp any any eq bootpc
     permit udp any any eq bootps
Tie the ACL to a new inspect class map:
    class-map type inspect match-any Guest-Self-DHCP-CMap
     match access-group name Guest-Self-DHCP-ACL
And finally, add the class-map to the policy-map with the
    policy-map type inspect Guest-Self-PMap
     class type inspect Guest-Self-CMap
      inspect
     class type inspect Guest-Self-DHCP-CMap
      pass log
     class class-default
      drop
After that the clients started receiving IP addresses again.
    ZBFW-ROUTER#show ip dhcp binding
    Bindings from all pools not associated with VRF:
    IP address          Client-ID/              Lease expiration        Type
                        Hardware address/
                        User name
    192.168.200.201     014d.970e.4136.af       Oct 21 2015 10:43 AM    Automatic
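Because the fix hinges on one word in the policy-map (pass versus inspect), it is worth checking for in configuration backups before a zone policy is pushed. The script below is an added example, not Cisco code and not from the original post: it parses a constructed IOS-style config snippet modelled on the Guest-Self policy, ties ACLs matching bootpc/bootps to their class-maps, and reports any DHCP class whose action in a policy-map is not pass. The function and variable names are my own.

```python
# Added example (not Cisco's code): audit an IOS ZBFW config for DHCP class-maps whose
# policy-map action is 'inspect' or 'drop' instead of the required 'pass'.
DHCP_PORTS = {"bootpc", "bootps", "67", "68"}
BROKEN_CONFIG = """\
ip access-list extended Guest-Self-DHCP-ACL
 permit udp any any eq bootpc
 permit udp any any eq bootps
class-map type inspect match-any Guest-Self-DHCP-CMap
 match access-group name Guest-Self-DHCP-ACL
policy-map type inspect Guest-Self-PMap
 class type inspect Guest-Self-CMap
  inspect
 class type inspect Guest-Self-DHCP-CMap
  inspect
 class class-default
  drop
"""  # constructed sample mirroring the Guest-Self policy before the fix
FIXED_CONFIG = BROKEN_CONFIG.replace("DHCP-CMap\n  inspect", "DHCP-CMap\n  pass log")

def parse_zbfw(config):
    """Return (ACLs matching DHCP ports, class-map -> ACL names, policy-map -> [[class, action]])."""
    dhcp_acls, cmap_acls, pmap_classes, block, cur = set(), {}, {}, None, None
    for line in (ln for ln in config.splitlines() if ln.strip()):
        depth = len(line) - len(line.lstrip(" "))  # IOS nests sub-commands one space per level
        words = line.split()
        if depth == 0:  # start of a new top-level section
            block = None
            if words[:3] == ["ip", "access-list", "extended"]:
                block, cur = "acl", words[3]
            elif words[:3] == ["class-map", "type", "inspect"]:
                block, cur = "cmap", words[-1]
            elif words[:3] == ["policy-map", "type", "inspect"]:
                block, cur = "pmap", words[3]
        elif block == "acl" and words[:2] == ["permit", "udp"]:
            # any 'eq <port>' operand naming a DHCP port marks this ACL as DHCP-matching
            if any(words[i + 1] in DHCP_PORTS for i, w in enumerate(words[:-1]) if w == "eq"):
                dhcp_acls.add(cur)
        elif block == "cmap" and words[:3] == ["match", "access-group", "name"]:
            cmap_acls.setdefault(cur, set()).add(words[3])
        elif block == "pmap" and depth == 1 and words[0] == "class":
            pmap_classes.setdefault(cur, []).append([words[-1], None])  # action follows on next line
        elif block == "pmap" and depth == 2 and pmap_classes.get(cur):
            pmap_classes[cur][-1][1] = words[0]  # inspect / pass / drop
    return dhcp_acls, cmap_acls, pmap_classes
def dhcp_classes_not_passed(config):
    """List (policy_map, class_map, action) for DHCP classes whose action is not 'pass'."""
    dhcp_acls, cmap_acls, pmap_classes = parse_zbfw(config)
    dhcp_cmaps = {c for c, acls in cmap_acls.items() if acls & dhcp_acls}
    return [(p, c, a) for p, classes in pmap_classes.items()
            for c, a in classes if c in dhcp_cmaps and a != "pass"]
```

Run against a full running-config export, an empty list means every DHCP class in every inspect policy-map already uses pass.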