
Saturday, February 3, 2018

A transparent-mode firewall only allows ARP broadcasts to pass through by default; all other broadcast traffic is blocked, which means DHCP traffic will not flow through it. Here are the essential ACLs that are needed to allow DHCP traffic through a Cisco ASA in transparent mode.

ZONE-1 and ZONE-2 are at the same security level, and traffic between interfaces at the same security level is enabled.

To understand what really happens at the back end of the DHCP protocol, please go here. That post explains it with Wireshark captures.

According to the packet capture, the Discover and Request packets are sent by the client as broadcasts with a source IP address of 0.0.0.0, a destination IP address of 255.255.255.255 and a destination port of UDP 67 (bootps). So this traffic requires an ACL on the ZONE-2 interface.

The Offer and Ack packets have the source IP of the DHCP server, a destination IP that can be any address, and a destination port of UDP 68 (bootpc). This traffic requires an ACL on the ZONE-1 interface.

Let's analyze the DHCP packets in Wireshark and see what is really going on on the wire.

You can see the DORA (Discover, Offer, Request, Acknowledgement) packets going through.

Discover

This packet is sent by the client as a broadcast with a source IP address of 0.0.0.0 and a destination IP address of 255.255.255.255.
The source MAC address is the client's MAC address and the destination MAC address is FF:FF:FF:FF:FF:FF.
The source port is UDP 68 (bootpc) and the destination port is UDP 67 (bootps).

Offer

This packet is sent by the server as a unicast with the source IP address of the DHCP server and, as destination IP address, the address the server is about to offer to the client.
The source MAC address is the DHCP server's MAC address and the destination MAC address is the client's MAC address.
The source port is UDP 67 (bootps) and the destination port is UDP 68 (bootpc).

If you look further into the Bootstrap Protocol section, it shows the IP address to be given (the yiaddr field), which is equal to the destination IP address of the packet.

Request

This packet's source and destination IPs, MACs and port numbers are the same as the Discover packet's, but the Bootstrap Protocol section shows the requested IP. In this case it is the same as the offered IP.

Acknowledgement

This packet's source and destination IPs, MACs and port numbers are the same as the Offer packet's, and it confirms the lease.

Note:

When the client goes down and comes back up within the lease time, it sends only a Request and the DHCP server replies with only an Ack.
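The following Python script is an added example, not code from the original post. It ties the two halves of the post together: it builds the four DORA messages as raw BOOTP/DHCP payloads, decodes the fields that the Wireshark captures above point at (op code, yiaddr, message type, requested IP), and checks each message against a small model of the two interface ACLs described earlier (bootps from 0.0.0.0 to 255.255.255.255 inbound on ZONE-2, bootpc from the server to any inbound on ZONE-1). The server address, offered address, client MAC, ACL names and the equivalent ASA lines quoted in the comments are constructed assumptions for the lab, not values from the post.

```python
"""Added example (not from the original post): replay the DHCP DORA exchange
as raw BOOTP/DHCP payloads, decode the fields the post reads off Wireshark and
check each message against a model of the two transparent-mode interface ACLs.
Addresses, MAC, ACL names and ASA syntax in comments are assumptions."""
import struct
from ipaddress import IPv4Address, IPv4Network

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}

# Constructed lab values (assumptions, not from the post).
SERVER_IP = "192.0.2.1"
OFFERED_IP = "192.0.2.50"
CLIENT_MAC = bytes.fromhex("001122334455")

# Model of the ACLs, one list per ingress interface. The assumed ASA equivalents:
#   ZONE-2: permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
#   ZONE-1: permit udp host 192.0.2.1 any eq bootpc
ACLS = {
    "ZONE-2": [dict(src=IPv4Network("0.0.0.0/32"),
                    dst=IPv4Network("255.255.255.255/32"), dport=67)],
    "ZONE-1": [dict(src=IPv4Network(SERVER_IP + "/32"),
                    dst=IPv4Network("0.0.0.0/0"), dport=68)],
}


def build_dhcp(op, xid, yiaddr, msg_type, requested_ip=None):
    """Return a minimal BOOTP/DHCP payload carrying option 53 (and 50 if given)."""
    header = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4,                      # ciaddr
                         IPv4Address(yiaddr).packed,     # yiaddr: address being given
                         b"\0" * 4, b"\0" * 4,           # siaddr, giaddr
                         CLIENT_MAC.ljust(16, b"\0"),    # chaddr
                         b"\0" * 64, b"\0" * 128)        # sname, file
    options = bytes([53, 1, msg_type])                   # DHCP message type
    if requested_ip:
        options += bytes([50, 4]) + IPv4Address(requested_ip).packed
    return header + MAGIC_COOKIE + options + b"\xff"     # 255 = end option


def parse_dhcp(payload):
    """Decode the header fields and options the post reads off Wireshark."""
    fields = struct.unpack(HDR_FMT, payload[:236])
    op, xid, yiaddr, chaddr = fields[0], fields[4], fields[8], fields[11]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end of options
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    requested = options.get(50)
    return {
        "op": "BOOTREQUEST" if op == BOOTREQUEST else "BOOTREPLY",
        "xid": xid,
        "yiaddr": str(IPv4Address(yiaddr)),
        "chaddr": chaddr[:6].hex(":"),
        "type": MSG_TYPES.get(options[53][0], "Other"),
        "requested_ip": str(IPv4Address(requested)) if requested else None,
    }


def acl_permits(ingress, src_ip, dst_ip, dport):
    """First matching ACE on the ingress interface permits; otherwise implicit deny."""
    for ace in ACLS.get(ingress, []):
        if (IPv4Address(src_ip) in ace["src"]
                and IPv4Address(dst_ip) in ace["dst"] and dport == ace["dport"]):
            return True
    return False


def dora_exchange():
    """Replay Discover/Offer/Request/Ack and report type, lease address, ACL verdict."""
    xid = 0x3903F326
    flow = [  # (ingress interface, src IP, dst IP, dst port, payload)
        ("ZONE-2", "0.0.0.0", "255.255.255.255", 67,
         build_dhcp(BOOTREQUEST, xid, "0.0.0.0", 1)),
        ("ZONE-1", SERVER_IP, OFFERED_IP, 68,
         build_dhcp(BOOTREPLY, xid, OFFERED_IP, 2)),
        ("ZONE-2", "0.0.0.0", "255.255.255.255", 67,
         build_dhcp(BOOTREQUEST, xid, "0.0.0.0", 3, requested_ip=OFFERED_IP)),
        ("ZONE-1", SERVER_IP, OFFERED_IP, 68,
         build_dhcp(BOOTREPLY, xid, OFFERED_IP, 5)),
    ]
    report = []
    for ingress, src, dst, dport, payload in flow:
        info = parse_dhcp(payload)
        info["permitted"] = acl_permits(ingress, src, dst, dport)
        report.append(info)
    return report


if __name__ == "__main__":
    for step in dora_exchange():
        print(step)
    # Any other broadcast (here NetBIOS name service, udp/137) hits the implicit deny.
    print("NetBIOS broadcast permitted:",
          acl_permits("ZONE-2", "0.0.0.0", "255.255.255.255", 137))
```

Running the script shows all four messages permitted (Discover and Request through the ZONE-2 entry, Offer and Ack through the ZONE-1 entry, with the Offer's yiaddr and the Request's option 50 both carrying the offered address), while a NetBIOS broadcast on ZONE-2 is still dropped, which is the point of keeping the ACLs this narrow.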
