Re: IOS 12.4(20) ZBF - DHCP server problems in Cisco

Re: IOS 12.4(20) ZBF - DHCP server problems in Cisco http://www.dslreports.com/forum/r20931986 en Wed, 11 Nov 2009 03:29:58 EDT Wed, 11 Nov 2009 03:29:58 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,21009007 mr_dirt :

said by hoover87

:

You may want to try the latest 124-15.XZ code as it usually has more bug fixes than the mainline releases.

12.4(15)XZ was released before 12.4(20)T, at a time when the infrastructure under (20)T FW was still in development. You'll have bigger problems than DHCP not working if you load (15)XZ (CSCsm15782).

Marko, sorry I haven't replied. I've had my hands full. Give me a little time.]]> http://www.dslreports.com/forum/remark,21009007 Tue, 26 Aug 2008 11:55:56 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,21008463 hoover87 : You may want to try the latest 124-15.XZ code as it usually has more bug fixes than the mainline releases.
--
»www.ketchumits.com]]> http://www.dslreports.com/forum/remark,21008463 Tue, 26 Aug 2008 10:07:53 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,21007786 mocah : I was testing config over a weekend. Unfortunately I still did not find solution how to allow DHCP traffic.
Firewall is reporting following:

Also I noticed that ARP table is not showing clients with dynamic IP addres, only static ones.

Thank you and kind regards,M
]]> http://www.dslreports.com/forum/remark,21007786 Tue, 26 Aug 2008 03:56:41 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20938078 mocah : I have the same problem on Cisco 871. Because the config on Cisco 871 is simpler I will post that config:

C871#sh runBuilding configuration... Current configuration : 8659 bytes!version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname C871!boot-start-markerboot-end-marker!security authentication failure rate 2 logsecurity passwords min-length 10logging message-counter syslogno logging consoleenable secret 5 $!aaa new-model!!!!aaa session-id commonclock timezone CET 1clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00!crypto pki trustpoint TP-self-signed-2100979184 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2100979184 revocation-check none rsakeypair TP-self-signed-2100979184!!crypto pki certificate chain TP-self-signed-2100979184 certificate self-signed 01  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030  5BAA36E2 2F597053 33C8C451        quitdot11 syslogno ip source-route!!no ip dhcp use vrf connectedno ip dhcp conflict loggingip dhcp excluded-address 192.168.1.1 192.168.1.5!ip dhcp pool VLAN1   import all   network 192.168.1.0 255.255.255.0   default-router 192.168.1.1   dns-server xxx.xxx.xxx.13 xxx.xxx.xxx.23   lease 7 7 7!!ip cefno ip bootp serverno ip domain lookupip domain name koli.netip port-map http port tcp 8080login block-for 305 attempts 2 within 100!no ipv6 cefmultilink bundle-name authenticated!password encryption aes!!username mogul privilege 15 secret 5 $1$xpjH$q !!!archive log config  hidekeys!!ip ssh authentication-retries 2ip ssh logging eventsip ssh version 2!class-map type inspect match-any p2p-cmap match protocol bittorrent match protocol bittorrent signatureclass-map type inspect match-any Internet-cmap match protocol http match protocol https match protocol ssh match protocol ftp match protocol ftps match protocol icmp match protocol pop3s match protocol bittorrent match protocol bittorrent signatureclass-map type inspect match-any ISPtraffic match protocol dns match protocol pop3 match protocol smtp extended match protocol ntpclass-map type inspect match-all ISPtraffic-cmap match access-group name ISPtraffic match class-map ISPtrafficclass-map type inspect match-all PING-cmap match access-group name ICMPclass-map type inspect match-all TIME-cmap match access-group name TIMEclass-map type inspect match-all RouterManagement-cmap match access-group name RouterManagementclass-map type inspect match-all DHCP-cmap match access-group name DHCPclass-map type inspect match-all SSHaccess-cmap match access-group name SSHaccess!!policy-map type inspect Inside2Router-pmap class type inspect RouterManagement-cmap  inspect class type inspect PING-cmap  inspect class type inspect DHCP-cmap  inspect class class-default  droppolicy-map type inspect Router2Inside-pmap class type inspect RouterManagement-cmap  inspect class type inspect PING-cmap  inspect class type inspect DHCP-cmap  inspect class class-default  droppolicy-map type inspect Outside2Router-pmap class type inspect SSHaccess-cmap  inspect class type inspect PING-cmap  inspect class class-default  droppolicy-map type inspect Router2Outside-pmap class type inspect SSHaccess-cmap  inspect class type inspect PING-cmap  inspect class type inspect TIME-cmap  inspectpolicy-map type inspect Inside2Outside-pmap class type inspect Internet-cmap  inspect class type inspect ISPtraffic-cmap  inspect class class-default  droppolicy-map type inspect Outside2Inside-pmap class type inspect p2p-cmap  inspect class class-default  drop!zone security Private description LANzone security WAN description WANzone security DMZ description DMZzone-pair security Inside2Outside source Private destination WAN service-policy type inspect Inside2Outside-pmapzone-pair security Outside2Router source WAN destination self service-policy type inspect Outside2Router-pmapzone-pair security Router2Outside source self destination WAN service-policy type inspect Outside2Router-pmapzone-pair security Lan2Router source Private destination self service-policy type inspect Inside2Router-pmapzone-pair security Router2Lan source self destination Private service-policy type inspect Router2Inside-pmapzone-pair security Outside2Inside source WAN destination Private description Za p2p protocol bittorent service-policy type inspect Outside2Inside-pmap!!!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface FastEthernet4 description $ETH-WAN$ no ip address no ip unreachables zone-member security WAN duplex auto speed auto pppoe enable group global pppoe-client dial-pool-number 1!interface Vlan1 description Local LAN ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security Private ip tcp adjust-mss 1452!interface Dialer1 description IP address xxx.xxx.xxx.xxx ip address negotiated no ip unreachables ip mtu 1492 ip nat outside ip virtual-reassembly zone-member security WAN encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname username12 ppp chap password 7 0118423346756343!interface Dialer0 no ip address no cdp enable!ip forward-protocol ndip route 0.0.0.0 0.0.0.0 Dialer1no ip http serverno ip http secure-server!!ip nat inside source list 1 interface Dialer1 overloadip nat inside source static udp 192.168.1.10 6885 interface Dialer1 6885ip nat inside source static tcp 192.168.1.10 6881 interface Dialer1 6881ip nat inside source static tcp 192.168.1.10 6882 interface Dialer1 6882ip nat inside source static tcp 192.168.1.10 6883 interface Dialer1 6883ip nat inside source static tcp 192.168.1.10 6884 interface Dialer1 6884ip nat inside source static tcp 192.168.1.10 6885 interface Dialer1 6885ip nat inside source static tcp 192.168.1.10 6886 interface Dialer1 6886ip nat inside source static tcp 192.168.1.10 6887 interface Dialer1 6887ip nat inside source static tcp 192.168.1.10 6888 interface Dialer1 6888ip nat inside source static tcp 192.168.1.10 6889 interface Dialer1 6889!ip access-list extended DHCP permit udp any any eq bootps permit udp any any eq bootpcip access-list extended ICMP permit icmp any any echo permit icmp any any echo-reply permit icmp any any traceroute permit icmp any any host-unreachable permit icmp any any packet-too-big deny   icmp any any fragmentsip access-list extended ISPtraffic permit udp any host xxx.xxx.160.13 eq domain permit udp any host xxx.xxx.160.23 eq domain permit tcp any any eq pop3 permit tcp any any eq smtpip access-list extended RouterManagement permit tcp any any eq 22 permit tcp any any eq 443ip access-list extended SSHaccess permit tcp any any eq 22ip access-list extended TIME permit udp any any eq ntp!access-list 1 remark Access List for Dialer 1access-list 1 permit 192.168.1.0 0.0.0.255dialer-list 1 protocol ip permitno cdp run !!!!!control-plane!!line con 0 no modem enableline aux 0line vty 0 4 transport input ssh transport output ssh!scheduler max-task-time 5000ntp server xxx.xxx.xxx.xxxend C871#

]]> http://www.dslreports.com/forum/remark,20938078 Tue, 12 Aug 2008 09:54:09 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20934968 mr_dirt : Can you post your revised configuration, please?]]> http://www.dslreports.com/forum/remark,20934968 Mon, 11 Aug 2008 17:25:22 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20931986 mocah : I opened (with ACL) ports UDP 67 and 68 to and from Self zone. Unfortunately clients still do not get IP address from server.

Any other way to allow DHCP traffic from Self zone to "private" one?]]> http://www.dslreports.com/forum/remark,20931986 Mon, 11 Aug 2008 04:46:22 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20806271 mr_dirt : Thanks for posting your config. If anything, I suspect that 12.4(20)T fixed a problem that you were relying on being broken. ;)

Unless I'm mistaken, your configuration makes no allowance for bootp/dhcp client requests to the router's dhcp server. In the past, I suspect that dhcp requests were following a code path that didn't call the firewall. With the changes to the FW (need to locate a doc that describes the changes), the FW gets better control over the various router-local capabilities, including, apparently, the DHCP interaction.

If you add inspection or pass for the dhcp traffic in one of the class-maps in your 'Vlan2Self-pmap', this should sort this out.]]> http://www.dslreports.com/forum/remark,20806271 Thu, 17 Jul 2008 13:28:02 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20804198 mocah : Here is config:

dot11 syslogip source-route!!no ip dhcp use vrf connected!ip dhcp pool computers2   import all   network 192.168.22.16 255.255.255.240   default-router 192.168.250.17   dns-server xxx.xxx.209.77 xxx.xxx.210.77   domain-name nx.com   lease 7 7 7!!ip cefip domain name C1ip port-map http port tcp 8080login block-for 305 attempts 2 within 20!no ipv6 cefmultilink bundle-name authenticated!!!username krenn privilege 15 secret 5 $!!archive log config  hidekeys!!ip ssh authentication-retries 2ip ssh version 2!class-map type inspect match-any Management-cmap match access-group name Managementclass-map type inspect match-all Time-cmap match access-group name TIMEserver match protocol ntpclass-map type inspect match-any Internet-cmap match protocol dns match protocol http match protocol https match protocol ssh match protocol ftp match protocol pop3 match protocol pop3s match protocol smtp extendedclass-map type inspect match-all ICMP2-cmap match protocol icmp match access-group name ICMPclass-map type inspect match-all TIMEaccess-cmap match access-group name TIMEserverclass-map type inspect match-all ICMP-cmap match access-group name ICMPclass-map type inspect match-all SSHaccess-cmap match access-group name SSHaccess!!policy-map type inspect Internet-cmap class type inspect Time-cmap  inspectpolicy-map type inspect Vlan2Self-pmap class type inspect SSHaccess-cmap  inspect class type inspect ICMP-cmap  inspect class type inspect Management-cmap  inspect class type inspect TIMEaccess-cmap  inspect class class-default  droppolicy-map type inspect Internet-pmap class type inspect Internet-cmap  inspect class type inspect ICMP2-cmap  inspect class class-default  droppolicy-map type inspect Outside2Router-pmap class type inspect SSHaccess-cmap  inspect class type inspect ICMP-cmap  inspect class class-default  drop!zone security WAN description WAN FE0zone security DMZ description Port to ASA5505 FE1zone security VLAN1 description Link to Cisco 1712zone security private description Link to Computerszone-pair security Outside2Router source WAN destination self service-policy type inspect Outside2Router-pmapzone-pair security Vlan2Self source private destination self service-policy type inspect Vlan2Self-pmapzone-pair security Self2Vlan source self destination private service-policy type inspect Vlan2Self-pmapzone-pair security Self2Vlan1 source self destination VLAN1 service-policy type inspect Vlan2Self-pmapzone-pair security Vlan1toSelf source VLAN1 destination self service-policy type inspect Vlan2Self-pmapzone-pair security Computers2DMZ source private destination DMZ service-policy type inspect Internet-pmapzone-pair security Vlan1-2-DMZ source VLAN1 destination DMZ service-policy type inspect Internet-pmapzone-pair security Vlan1-2-Vlan3 source VLAN1 destination private service-policy type inspect Internet-pmapzone-pair security Vlan3-2Vlan1 source private destination VLAN1 service-policy type inspect Internet-pmapzone-pair security DMZ2Self source DMZ destination self service-policy type inspect Vlan2Self-pmapzone-pair security Self2DMZ source self destination DMZ service-policy type inspect Vlan2Self-pmapzone-pair security Self2outside source self destination WAN service-policy type inspect Outside2Router-pmap!!!interface FastEthernet0 description WAN interface ip address xxx.xxx.xxx.184 255.255.0.0 zone-member security WAN duplex auto speed auto!interface FastEthernet1 description Link to ASA5505 DMZ ip address 192.168.24.2 255.255.255.240 zone-member security DMZ duplex auto speed auto!interface BRI0 no ip address encapsulation hdlc shutdown!interface FastEthernet2 description Computer link switchport access vlan 3!interface FastEthernet3 description Computer link switchport access vlan 3!interface FastEthernet4 description Computer link switchport access vlan 3!interface FastEthernet5 description Computer link switchport access vlan 3!interface FastEthernet6 description not assignet yet!interface FastEthernet7 description not assignet yet!interface FastEthernet8 description not assignet yet!interface FastEthernet9 description DMZ zone!interface Vlan1 description Link to Cisco 1712 ip address 192.168.22.33 255.255.255.252 zone-member security VLAN1!interface Vlan3 description Interfaces to Computers ip address 192.168.22.17 255.255.255.240 zone-member security private!ip forward-protocol ndip route 0.0.0.0 0.0.0.0 192.168.24.1no ip http serverno ip http secure-server!!!ip access-list extended ICMP permit icmp any any echo permit icmp any any echo-reply permit icmp any any traceroute permit icmp any any host-unreachableip access-list extended Management permit tcp any any eq 443ip access-list extended SSHaccess permit tcp any any eq 22ip access-list extended TIMEserver permit udp any any eq ntp!!!!!!!!control-plane!!line con 0 exec-timeout 200 0 password 7 0602002F4230FA93line aux 0line vty 0 4 transport input ssh transport output ssh!ntp server xxx.xxx.xxx.66

I am going to vacation for 14 days so I wont be able to reply.

Thank you and kind regards,M
]]> http://www.dslreports.com/forum/remark,20804198 Thu, 17 Jul 2008 02:51:39 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20801350 mocah : I have used the same configuration for at least 6 months. The only way that I can use DHCP server from router is if I disable ZBF. Currently I can not access router but I will post config tomorrow.]]> http://www.dslreports.com/forum/remark,20801350 Wed, 16 Jul 2008 16:02:25 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20800573 mr_dirt :

said by mocah

:

Hi,
After upgrade DHCP server stoped working if Zone Based Firewall is configured on interfaces

Did the same firewall policy work prior to the upgrade?

12.4(20)T introduces a new firewall infrastructure, so there are probably a lot of corner cases that aren't fully tested. It look like you found one. :p

Any chance you post the policy-maps, class-maps, and zone-pair configuration between the zone where DHCP fails, and the self zone?]]> http://www.dslreports.com/forum/remark,20800573 Wed, 16 Jul 2008 13:45:35 EDT Re: IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20799308 aryoba : There are probably something on the Zone-Based Firewall configuration that prevent the DHCP mechanism to work. Did you run packet tracer and troubleshoot further to find out which configuration part that prevent the DHCP mechanism to work?]]> http://www.dslreports.com/forum/remark,20799308 Wed, 16 Jul 2008 09:54:06 EDT IOS 12.4(20) ZBF - DHCP server problems http://www.dslreports.com/forum/remark,20798575 mocah : Hi,

recently I have installed new IOS 12.4(20) on Cisco 1812. After upgrade DHCP server stoped working if Zone Based Firewall is configured on interfaces if ZBF is not configured on interfaces than DHCP server is works.
Does any body have similar problem?]]> http://www.dslreports.com/forum/remark,20798575 Wed, 16 Jul 2008 03:41:23 EDT