ACL DHCP config question


dvtestguy

Technical User
Dec 8, 2005
109
US
Setting up a lab environment, and have a need for PCs to be able to get a DHCP address 10.115.28.26-39

I setup ACLs on the cisco switch, and somehow lost the DHCP ability. Any ideas?

10.115.28.1 is my 7204 as my GW out to the internet.

access-list 102 permit tcp host 10.15.12.240 host 10.115.28.20 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.26 0.0.0.0 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.26 0.0.0.0 eq 443
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.27 0.0.0.0 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.27 0.0.0.0 eq 443
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.28 0.0.0.0 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.28 0.0.0.0 eq 443
access-list 102 permit udp 10.115.28.0 0.255.255.255 eq bootpc any
access-list 102 permit tcp any 10.115.28.0 0.255.255.255 established
access-list 102 deny ip any any
access-list 103 permit udp host 10.10.1.10 eq ntp any
access-list 103 permit icmp 10.115.28.0 0.255.255.255 any
access-list 103 permit tcp 10.115.28.20 0.0.255.255 10.15.12.240 0.0.0.0 eq 81
access-list 103 permit tcp any 10.115.28.0 0.255.255.255 established
access-list 103 deny ip any any
 
For DHCP - requests are on UDP port 68 and replies on UDP port 67. Try adding the replies back through.




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
supergrrover,

Would I then still need "access-list 102 permit udp 10.115.28.0 0.255.255.255 eq bootpc any"?

If so, would I need to add the following below? What host?

access-list 102 permit udp host 10.115.28.1 host a.b.c.d eq 67

access-list 102 permit udp host 10.115.28.1 host a.b.c.d eq 68
 
Yep,
bootpc is Cisco's keyword for port 68. Just add the return trip for the DHCP replies.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for the info...got DHCP working. I have another question regarding my setup.

1. Proxies A, B and C should not be able to ping/communicate from Proxy to Proxy.

2. All PCs should be able to ping/traceroute to other PCs in/out of the firewall.

3. Where do I control the DHCP address range? On the 7204 where the ACLs reside, or the 7513 where the NAT takes place?

Network scenario below.

PC (DHCP or Static) 10.115.28.26 - 10.115.28.36
/
Proxy C 10.115.28.20
/
C7204 F0/0 10.115.28.1
/
C7513 Private NAT 10.115.x.x/Public 10.15.12.x
/
Cloud
/
Proxy A 10.15.12.248
Proxy B 10.15.12.244



access-list 102 permit tcp host 10.15.12.240 host 10.115.28.20 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.26 0.0.0.0 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.26 0.0.0.0 eq 443
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.27 0.0.0.0 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.27 0.0.0.0 eq 443
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.28 0.0.0.0 eq 80
access-list 102 permit tcp 10.15.0.0 0.0.255.255 10.115.28.28 0.0.0.0 eq 443
access-list 102 permit icmp 10.115.28.0 0.255.255.255 any
access-list 102 permit tcp any 10.115.28.0 0.255.255.255 established
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 deny ip any any
access-list 103 permit udp host 10.10.1.10 eq ntp any
access-list 103 permit icmp 10.115.28.0 0.255.255.255 any
access-list 103 permit tcp 10.115.28.20 0.0.255.255 10.15.12.240 0.0.0.0 eq 81
access-list 103 permit tcp any 10.115.28.0 0.255.255.255 established
access-list 103 deny ip any any

Thanks again
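As an added example that is not part of the thread (my own Python, not the poster's config or any Cisco tool): a small first-match evaluator for numbered extended ACL lines like the ones posted above. It parses each ACE, replays a DHCP offer (server UDP 67 to client UDP 68) and a client DISCOVER (sent from 0.0.0.0 to UDP 67 before the PC has an address) through trimmed extracts of the first and the revised ACL 102, and it also audits wildcard masks: `10.115.28.0 0.255.255.255` in the posted lists really matches all of 10.0.0.0/8, because the wildcard tells IOS to ignore the 115.28 bits. The port-name table, the two packets and the ACL extracts are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords used in the thread (table constructed for this example).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "ntp": 123, "www": 80}
ANY = (0, 0xFFFFFFFF)  # (network, wildcard): a wildcard bit of 1 means "don't care"

Ace = namedtuple("Ace", "acl action proto src sport dst dport established")
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def addr_matches(spec, addr):
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (net & keep)

def _take_addr(tokens):
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (to_int(tokens.pop(0)), 0)
    return (to_int(tok), to_int(tokens.pop(0)))

def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return PORT_NAMES.get(tok) or int(tok)
    return None

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    acl, action, proto, rest = t[1], t[2], t[3], t[4:]
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    return Ace(acl, action, proto, src, sport, dst, dport, "established" in rest)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, to_int(pkt.src)) and addr_matches(ace.dst, to_int(pkt.dst))):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return pkt.ack or not ace.established  # "established" needs ACK/RST on a TCP segment

def evaluate(lines, acl_id, pkt):
    """First match wins; anything unmatched falls to the implicit deny."""
    for line in lines:
        ace = parse_ace(line)
        if ace.acl == acl_id and ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "implicit deny"

def audit_wildcards(lines):
    """Flag ACEs whose wildcard ignores bits of the address they were written with."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        for label, (net, wild) in (("source", ace.src), ("destination", ace.dst)):
            if wild not in (0, 0xFFFFFFFF) and net & wild:
                effective = ipaddress.IPv4Address(net & ~wild & 0xFFFFFFFF)
                findings.append(f"{label} in '{line}' really matches {effective} "
                                f"with wildcard {ipaddress.IPv4Address(wild)}")
    return findings

# Extracts of the two ACL 102 versions posted in the thread.
ORIGINAL_ACL_102 = [
    "access-list 102 permit tcp host 10.15.12.240 host 10.115.28.20 eq 80",
    "access-list 102 permit udp 10.115.28.0 0.255.255.255 eq bootpc any",
    "access-list 102 permit tcp any 10.115.28.0 0.255.255.255 established",
    "access-list 102 deny ip any any",
]
REVISED_ACL_102 = [
    "access-list 102 permit tcp host 10.15.12.240 host 10.115.28.20 eq 80",
    "access-list 102 permit tcp any 10.115.28.0 0.255.255.255 established",
    "access-list 102 permit udp any any eq bootpc",
    "access-list 102 permit udp any any eq bootps",
    "access-list 102 deny ip any any",
]
# Constructed packets: the server's offer goes from bootps (67) to bootpc (68);
# a client DISCOVER is sent from 0.0.0.0 because the PC has no address yet.
DHCP_REPLY = Packet("udp", "10.115.28.1", 67, "255.255.255.255", 68)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_102), ("revised", REVISED_ACL_102)):
        print(name, "offer:", evaluate(acl, "102", DHCP_REPLY))
        print(name, "discover:", evaluate(acl, "102", DHCP_DISCOVER))
    for finding in audit_wildcards(ORIGINAL_ACL_102):
        print("audit:", finding)
```

Running it shows the original list dropping both DHCP packets at `deny ip any any` (the only UDP permit keys on a source port of 68 and a 10.x source, which neither the offer nor a DISCOVER from 0.0.0.0 has), while the revised list permits the offer on the bootpc line and the DISCOVER on the bootps line. The audit is the kind of check worth running on any posted ACL before applying it: a wildcard of 0.255.255.255 next to 10.115.28.0 is far wider than the /24 it looks like.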
 