Trouble with DHCP client on WAN Interface

  • Trouble with DHCP client on WAN Interface

    I've been perusing the forums on various sites for a while now, and I'm having no luck, so I thought I'd actually post my question and see if anybody has seen it before..

    My problem is this: I have a brand new SR520 Router and I can't get it to get an IP address on its external interface.. I've tried on a few different DHCP servers (whatever my ISP is using, as well as a Windows 2008 DHCP server back at the office). Every time, it fails to get an IP address.. I have a very basic config.. it's a DHCP server and that portion is working just fine.. I have removed any ACLs that might be causing problems..

    Below is the output from having "debug dhcp" enabled and running "renew dhcp fastethernet 4":
    Code:
    May 31 03:16:04.579: DHCP: DHCP client process started: 10
    May 31 03:16:04.579: RAC: Starting DHCP discover on FastEthernet4
    May 31 03:16:04.579: DHCP: Try 1 to acquire address for FastEthernet4
    May 31 03:16:04.587: DHCP: allocate request
    May 31 03:16:04.587: DHCP: new entry. add to queue, interface FastEthernet4
    May 31 03:16:04.587: DHCP: SDiscover attempt # 1 for entry:
    May 31 03:16:04.587: DHCP: SDiscover: sending 292 byte length DHCP packet
    May 31 03:16:04.587: DHCP: SDiscover 292 bytes
    May 31 03:16:04.587:             B'cast on FastEthernet4 interface from 0.0.0.0
    May 31 03:16:07.664: DHCP: SDiscover attempt # 2 for entry:
    May 31 03:16:07.664: DHCP: SDiscover: sending 292 byte length DHCP packet
    May 31 03:16:07.664: DHCP: SDiscover 292 bytes
    May 31 03:16:07.664:             B'cast on FastEthernet4 interface from 0.0.0.0
    May 31 03:16:11.664: DHCP: SDiscover attempt # 3 for entry:
    May 31 03:16:11.664: DHCP: SDiscover: sending 292 byte length DHCP packet
    May 31 03:16:11.664: DHCP: SDiscover 292 bytes
    May 31 03:16:11.664:             B'cast on FastEthernet4 interface from 0.0.0.0
    release dhcp fast
    May 31 03:16:11.664:%Unknown DHCP problem.. No allocation possible
    And here's the config, in case you were curious about what I've done in there.. I've cut out anything that is sensitive or is not applicable to the problem above..

    There's some 192.168.75.1 NAT translations still there from the default ip pool, however it's not in use, and I didn't clean it up yet (because I can't get the dhcp client portion working)

    Code:
    Building configuration...
    
    Current configuration : 5785 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$dwz4$pcQSxwRdmVHyxXajc7D/R.
    enable password <not necessary>
    !
    no aaa new-model
    clock timezone MST -7
    clock summer-time MDT recurring
    !
    crypto pki trustpoint TP-self-signed-3955684171
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3955684171
     revocation-check none
     rsakeypair TP-self-signed-3955684171
    !
    !
    crypto pki certificate chain TP-self-signed-3955684171
     certificate self-signed 01
      <not necessary>
            quit
    dot11 syslog
    ip source-route
    !
    !
    ip dhcp excluded-address 192.168.129.1 192.168.129.15
    ip dhcp excluded-address 192.168.129.134
    !
    ip dhcp pool inside
       import all
       network 192.168.129.0 255.255.255.0
       default-router 192.168.129.1
    !
    !
    ip cef
    !
    no ipv6 cef
    multilink bundle-name authenticated
    !
    !
    username cisco privilege 15 secret 5 $1$ZPq3$mvkHhNptuTcH9ceBDByVA0
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    !
    class-map type inspect match-any SDM-Voice-permit
     match protocol h323
     match protocol skinny
     match protocol sip
    class-map type inspect match-any sdm-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-any sdm-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp extended
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-invalid-src
     match access-group 100
    class-map type inspect match-all sdm-protocol-http
     match protocol http
    !
    !
    policy-map type inspect sdm-permit-icmpreply
     class type inspect sdm-cls-icmp-access
      inspect
     class class-default
      pass
    policy-map type inspect sdm-inspect
     class type inspect sdm-invalid-src
      drop log
     class type inspect sdm-cls-insp-traffic
      inspect
     class type inspect sdm-protocol-http
      inspect
     class type inspect SDM-Voice-permit
      pass
     class class-default
      pass
    policy-map type inspect sdm-inspect-voip-in
     class type inspect SDM-Voice-permit
      pass
     class class-default
      drop
    policy-map type inspect sdm-permit
     class class-default
      drop
    !
    zone security out-zone
    zone security in-zone
    zone-pair security sdm-zp-self-out source self destination out-zone
     service-policy type inspect sdm-permit-icmpreply
    zone-pair security sdm-zp-out-self source out-zone destination self
     service-policy type inspect sdm-permit
    zone-pair security sdm-zp-in-out source in-zone destination out-zone
     service-policy type inspect sdm-inspect
    zone-pair security sdm-zp-out-in source out-zone destination in-zone
     service-policy type inspect sdm-inspect-voip-in
    !
    !
    !
    interface FastEthernet0
     switchport access vlan 75
    !
    interface FastEthernet1
     switchport access vlan 75
    !
    interface FastEthernet2
     switchport access vlan 75
    !
    interface FastEthernet3
     switchport access vlan 75
    !
    interface FastEthernet4
     description $FW_OUTSIDE$
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     duplex auto
     speed auto
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan75
     description $FW_INSIDE$
     ip address 192.168.129.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
    ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
    ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
    ip nat inside source static tcp 192.168.129.3 2022 interface FastEthernet4 2022
    ip nat inside source static udp 192.168.129.3 2022 interface FastEthernet4 2022
    !
    !
    !
    !
    !
    !
    control-plane
    !
    banner login ^CSR520 Base Config - MFG 1.0 ^C
    !
    line con 0
     password <not necessary>
     login
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
    Sorry for the long post, but any help would be greatly appreciated!

  • #2
    Re: Trouble with DHCP client on WAN Interface

    I ran into the same problem when I converted from the traditional access-list/access-group type configuration to policy based.

    Short answer: Based on the posted configuration, I do not see permits for DHCP replies in the zone-pair "sdm-zp-out-self". The referenced policy-map/class-map for this zone-pair is denying (drop) everything. You could probably fix your problem by simply allowing DHCP replies in the sdm-zp-out-self policy.

    Long answer: In order to pass security audits using a policy based firewall configuration, I had to deal with each individual protocol on the SELF zones. A simple "inspect" all protocols would not pass audit scans.

    For reference: I have copied the relevant parts of my PBF configuration that deal with DHCP, but note the other referenced class maps on the SELF policy maps.

    Code:
     
    ip access-list extended acl.DHCP-2-SELF
     remark Define Hosts/netblocks permitted DHCP access
     permit udp any any eq bootpc
     permit udp any any eq bootps
     remark
    ip access-list extended acl.SELF-2-DHCP
     remark Define Hosts/netblocks permitted DHCP access
     permit udp any any eq bootpc
     permit udp any any eq bootps
     remark
     
    class-map type inspect match-any cmap.SELF-2-DHCP
     description Class-MAP definition for Router to DHCP
     match access-group name acl.SELF-2-DHCP
     
    class-map type inspect match-any cmap.DHCP-2-SELF
     description Class-MAP definition for DHCP to Router
     match access-group name acl.DHCP-2-SELF
     
    policy-map type inspect pmap.SELF-2-OUTSIDE
     description Policy-MAP definition for Router Interfaces to Outside Traffic
     class type inspect cmap.SELF-2-DHCP
      pass    
     class type inspect cmap.SELF-2-SNMP
      pass    
     class type inspect cmap.SELF-2-NTP
      pass    
     class type inspect cmap.SELF-2-SYSLOG
      pass    
     class type inspect cmap.SELF-2-RADIUS
      pass    
     class type inspect cmap.SELF-2-TACACS
      pass    
     class type inspect cmap.SELF-2-GRE
      pass    
     class type inspect cmap.SELF-2-IPSEC
      pass    
     class type inspect cmap.SELF-2-ICMP
      pass    
     class type inspect cmap.SELF-2-SSH
      pass    
     class type inspect cmap.SELF-2-TFTP
      pass    
     class class-default
      drop log
     
    policy-map type inspect pmap.OUTSIDE-2-SELF
     description Policy-MAP definition for Outside Traffic to Router
     class type inspect cmap.DHCP-2-SELF
      pass    
     class type inspect cmap.SNMP-2-SELF
      pass    
     class type inspect cmap.NTP-2-SELF
      pass    
     class type inspect cmap.SSH-2-SELF
      pass    
     class type inspect cmap.IPSEC-2-SELF
      pass    
     class type inspect cmap.ICMP-2-SELF
      pass    
     class type inspect cmap.TACACS-2-SELF
      pass    
     class type inspect cmap.RADIUS-2-SELF
      pass    
     class type inspect cmap.GRE-2-SELF
      pass    
     class type inspect cmap.TFTP-2-SELF
      pass    
     class type inspect cmap.ISNS-2-SELF
      drop    
     class class-default
      drop log
     
    zone-pair security SELF-2-OUTSIDE source self destination OUTSIDE
     description Zone Pair definition for Outside to Internet Traffic
     service-policy type inspect pmap.SELF-2-OUTSIDE
     
    zone-pair security OUTSIDE-2-SELF source OUTSIDE destination self
     description Zone Pair definition for Internet to Outside Traffic
     service-policy type inspect pmap.OUTSIDE-2-SELF



    • #3
      Re: Trouble with DHCP client on WAN Interface

      Hi Scowles,

      Thanks so much for your reply this morning! And the reference, which definitely helped explain things better for me.

      Just so I have everything sorted out in my head, you have ACLs tied to Class-Maps tied to Policy-Maps tied to Zone-Pairs, which are tied to Zones.. Is that right? If that's the case, I should either add a tie between the cmaps, pmaps and zpairs (that I added based on your initial post) to the zone my external interface is tied to, or change the zone associated with my external interface. Is that correct?

      Edit:
      Playing around, I changed the zone-member on my external interface and voila!! Works like a hot darn! I know that's probably not the best way to set up the zone-membership, but it does solve the problem.. now if you can tell me the best practice way, I'll set it up that way and should be good to go!

      Now, if I want to do any NAT translation (port forwarding for a public-facing service), I should go through this same process for that port, and then have the NAT translation (like I have currently in the config), right?
      Last edited by kalsto; 31st May 2011, 20:23.
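
Applying the advice in #2 to the configuration posted in #1, as an added example that is not part of either post: the only change needed is in the policy attached to sdm-zp-out-self, so FastEthernet4 can keep its out-zone membership instead of being moved as described in #3. Names beginning with DHCP- are my own; every other name is from the posted config.

```cisco
! Added example, not from the thread. Permits DHCP server replies to the
! router's own DHCP client in the existing out-zone -> self policy, so
! FastEthernet4 can keep "zone-member security out-zone" and the
! out-zone -> in-zone and out-zone -> self policies stay in force.
! Names beginning with DHCP- are assumed; the rest is from the posted config.
!
! The Offer/Ack arrives from udp/67 (bootps) to udp/68 (bootpc), either
! unicast to the offered address or broadcast to 255.255.255.255, so
! "any" is used for both addresses and the port pair does the filtering.
ip access-list extended DHCP-REPLY-TO-SELF
 remark DHCP Offer/Ack from a server to this router's DHCP client
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all DHCP-REPLY-TO-SELF
 match access-group name DHCP-REPLY-TO-SELF
!
! sdm-permit is the policy on zone-pair sdm-zp-out-self. As posted it
! contains only "class class-default / drop", which discards the Offer.
! "pass" is stateless and one-way, which is what DHCP needs here: the
! Discover already leaves through sdm-zp-self-out (udp is inspected by
! sdm-cls-icmp-access and class-default there is "pass"), and the reply
! never matches that inspect session because the addresses differ.
! class-default is always evaluated last in MQC, so the new class is
! checked before it even though it is added afterwards.
policy-map type inspect sdm-permit
 class type inspect DHCP-REPLY-TO-SELF
  pass
 class class-default
  drop
!
! Verification, from enable mode:
!   show policy-map type inspect zone-pair sdm-zp-out-self
!     (the DHCP-REPLY-TO-SELF class should show a non-zero pass count
!      after the next renew)
!   debug dhcp
!   renew dhcp FastEthernet4
!     (the debug should now show a reply being received instead of
!      "%Unknown DHCP problem.. No allocation possible")
```

Only replies are opened, and only on the two DHCP ports; everything else from out-zone to the router itself is still dropped by class-default.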
