DHCP configuration on Cisco 1841 connected to modem?

crazyman143
Level 1

Hello,

First time posting, so forgive me and redirect me if I'm posting in the wrong area. I'm a student studying for the Cisco CCNA and am also doing some setup on my home network with a Cisco 1841 router.

 

I'm trying to configure it now to get a DHCP address on fa0/0 from my cable modem. The problem I'm having is that my ACL is blocking the request. I have the stateful firewall turned on inbound on fa0/0. I'm hoping someone can help me understand a secure way to get a DHCP IP address from the modem, similarly to how a typical home router does. As you can see, the 'Firewall' ACL blocks all packets not allowed via the packet inspection, and fa0/0 is the default gateway out.

 

sample config:

!
!
ip inspect name Firewall-SPI tcp
ip inspect name Firewall-SPI udp
ip inspect name Firewall-SPI icmp
spanning-tree mode pvst
!
!
interface FastEthernet0/0
 ip address dhcp
 ip access-group Firewall in
 ip nat outside
 ip inspect Firewall-SPI out
!
!
ip nat inside source list NATCHECK interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list standard NATCHECK
 permit any
!
ip access-list extended Firewall
 deny ip any any
!

suggestions appreciated, thanks!

Accepted Solution

Jon Marshall
Hall of Fame

Try modifying your Firewall acl -

ip access-list extended Firewall
permit udp any eq bootps any eq bootpc
deny ip any any

Also, your NAT ACL probably won't work because you are using "any" as the source subnet, and NAT often doesn't like this.

By all means use a standard ACL; I usually just use an extended ACL, but it's up to you. E.g. if your inside LAN was 192.168.10.0/24 then -

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 101 interface fa0/0 overload

Finally you may want to try using -

ip route 0.0.0.0 0.0.0.0 dhcp

and see if that works. The issue with using an interface is that your router has to ARP out for every Internet address, because it thinks every IP is in effect local.

Edit - forgot to say, yes, you chose the right place to post and welcome to the forums :-)

Jon

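The three changes Jon suggests, put together into one complete working configuration. This is an added example, not config from the original post or from Jon's reply. It assumes the LAN is 192.168.10.0/24 on FastEthernet0/1 (the 1841's second port) and that the cable modem hands out the WAN address by DHCP; the `log` keyword on the final deny and the interface descriptions are additions for troubleshooting.

```cisco
! Added example (not from the original thread): the poster's config with the
! accepted answer applied. Assumed: LAN 192.168.10.0/24 on FastEthernet0/1,
! WAN address from the cable modem's DHCP server on FastEthernet0/0.
!
! CBAC ("ip inspect ... out" on fa0/0) tracks flows that leave through fa0/0
! and dynamically permits their return traffic past the inbound ACL. The
! router's own DHCP DISCOVER is not a tracked flow, so the server's OFFER/ACK
! coming back hits the "Firewall" ACL and is dropped by "deny ip any any".
! Only that one exchange needs a static permit.
ip inspect name Firewall-SPI tcp
ip inspect name Firewall-SPI udp
ip inspect name Firewall-SPI icmp
!
ip access-list extended Firewall
 remark DHCP server (UDP 67, bootps) replying to this router's client (UDP 68, bootpc)
 permit udp any eq bootps any eq bootpc
 remark anything else inbound must have been opened by inspection
 deny ip any any log
!
! NAT ACL scoped to the inside subnet instead of "permit any"
ip access-list extended NATCHECK
 permit ip 192.168.10.0 0.0.0.255 any
!
interface FastEthernet0/0
 description WAN - cable modem
 ip address dhcp
 ip access-group Firewall in
 ip nat outside
 ip inspect Firewall-SPI out
 no shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no shutdown
!
ip nat inside source list NATCHECK interface FastEthernet0/0 overload
!
! Default route taken from the DHCP lease (next hop = the modem's offered
! gateway) rather than pointing at the interface, which would make the router
! ARP for every Internet destination.
ip route 0.0.0.0 0.0.0.0 dhcp
!
! Verification from exec mode:
!   show dhcp lease               lease state, DHCP server and default gateway
!   show ip route                 0.0.0.0/0 installed from the lease
!   show ip access-lists Firewall hit counts on the bootps permit and the deny
!   show ip inspect sessions      return-traffic entries CBAC has opened
!   show ip nat translations      inside hosts translated to the fa0/0 address
```

The permit has to use `any` as the source because the router does not know the DHCP server's address until it has a lease; this does not widen exposure, since the IOS DHCP client accepts an OFFER from any server on that link regardless of the ACL. If `show ip access-lists Firewall` shows the deny counter climbing while the permit stays at zero, the modem is not answering on fa0/0 and the ACL is not the problem.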

2 Replies


thank you :)
