DHCP Server Configuration

In many small offices and home offices (SOHO) installations, no server exists to provide DHCP services, and, yet, the feature could make adding new users and machines to the LAN much easier. Think about the user who uses their laptop at work in a DHCP environment, and then wants to take the laptop home. Continually configuring and un-configuring static IP addresses would be a pain.

Fortunately, devices like perimeter routers or firewall devices can easily provide DHCP server support in this type of scenario. Cisco’s Firewall with DHCP server strategy seems targeted at the PIX 506 and 506e platforms, but the feature is supported throughout the product line. Acting as a DHCP server, the PIX unit provides network configuration information (parameters) to DHCP clients in response to the clients’ DHCP polling. These configuration parameters provide the DHCP clients with the networking parameters, such as default gateway, needed to access the network. Once on the network, services such as the DNS and WINS servers can be accessed to facilitate using web browsers or e-mail.

The devices connecting to a PIX Firewall that supports the DHCP server feature are PC clients and other network devices configured as DHCP clients. These connections can be nonsecure (not encrypted) for accessing the Internet or corporate resources. A growing market is creating secure, encrypted connections, using IPSec technology, to access corporate resources.

The following table lists the number of concurrent DHCP client connections supported by the PIX Firewall models by versions of the PIX Firewall OS. As with all product details, be sure to check the latest online documentation for maximum clients and the impact on memory requirements.

PIX OS Version      PIX Firewall Platform         Maximum DHCP Clients
v5.2 and earlier    All platforms                 10
v5.3 to v6.0        PIX 506/506E                  32
                    All other platforms           256
v6.1 and higher     PIX 501 (10-user license)     32
                    PIX 501 (50-user license)     128
                    PIX 506/506E                  256
                    All other platforms           256

To be considered an active connection for the purpose of comparing to the maximum DHCP clients, a host must have done any one of the following:

  • Passed traffic through the PIX device in the last 30 seconds

  • Established NAT/PAT through the PIX device

  • Established a TCP connection or a UDP session through the PIX device

  • Established user authentication through the PIX device

While new versions of the PIX OS might change this, two features aren’t supported by the current PIX Firewall DHCP server feature:

  • The PIX Firewall DHCP server doesn’t support BOOTP requests.

  • The PIX Firewall DHCP server doesn’t support failover configurations.

    Note

    It isn’t possible to get 256 clients from a class C network or from a class A or B network subnetted with a 24-bit mask. While the 24-bit mask creates 256 addresses, the first is the network, the last is the broadcast, and one must be configured on the PIX Firewall interface. This leaves 253 DHCP clients.

Configuring the DHCP Server Feature

Since version 5.2 of PIX Firewall OS, the DHCP server daemon can only be enabled on the inside interface and only supports clients directly connected to that interface, in the same network. This means IP Helper and other DHCP request-forwarding techniques won’t work with a PIX device working as a DHCP server. Because using any firewall as a DHCP server is a small network solution, this shouldn’t be a serious limitation.

The PIX Firewall uses variations of the dhcpd command to implement the DHCP server features. The following are the most frequently used options. The no form of each command without the variable parameters will remove the command.

The dhcpd address Command

The dhcpd address command specifies the DHCP server address pool. This address pool must be within the same subnet as the PIX Firewall DHCP server interface. The size of the pool is limited to the maximum DHCP clients for that platform and license. The -ipadd2 option is used to define an address range, so interface names can’t use names with a “-” (dash). The default interface and only one supported since OS v5.1 is the inside interface. Use the no dhcpd address command to remove the DHCP address pool. The syntax is

pix(config)#dhcpd address ip_add1[-ipadd2] [if_name]
pix(config)#no dhcpd address

In the first of the following examples, the address pool is a single address. The second example creates a pool of ten addresses:

pix(config)#dhcpd address 192.168.1.2
pix(config)#dhcpd address 192.168.1.2-192.168.1.11
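The following check is an added example, not from the book or from Cisco: it applies the rules above to a proposed dhcpd address range, namely that the pool must sit inside the inside interface's subnet, that the network, broadcast and PIX interface addresses are not leasable (the 253-client note), and that the pool may not exceed the per-platform maximum from the table. The MAX_DHCP_CLIENTS_V61 lookup is constructed from that table for PIX OS v6.1 and higher.

```python
import ipaddress

# Maximum DHCP clients per platform and license for PIX OS v6.1 and higher,
# taken from the table on this page (check current Cisco documentation).
MAX_DHCP_CLIENTS_V61 = {
    "PIX 501 (10-user license)": 32,
    "PIX 501 (50-user license)": 128,
    "PIX 506/506E": 256,
    "All other platforms": 256,
}

def usable_pool_size(interface_cidr):
    """Leasable addresses on the DHCP server interface's subnet: the network
    address, the broadcast address and the PIX's own interface address are
    excluded, so a 24-bit mask yields 253 rather than 256."""
    iface = ipaddress.ip_interface(interface_cidr)
    return iface.network.num_addresses - 3

def check_dhcpd_pool(interface_cidr, pool_start, pool_end, platform):
    """Validate a 'dhcpd address start-end' pool against the rules on this
    page. Returns a list of problems; an empty list means the pool is sane."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if end < start:
        return ["pool end %s precedes pool start %s" % (end, start)]
    # Rule 1: the pool must lie within the DHCP server interface's subnet.
    if start not in net or end not in net:
        problems.append("pool is not within the interface subnet %s" % net)
    # Rule 2: network, broadcast and the PIX interface address can't be leased.
    for reserved, label in ((net.network_address, "network address"),
                            (net.broadcast_address, "broadcast address"),
                            (iface.ip, "PIX interface address")):
        if start <= reserved <= end:
            problems.append("pool includes the %s %s" % (label, reserved))
    # Rule 3: the pool may not exceed the platform/license maximum.
    size = int(end) - int(start) + 1
    limit = MAX_DHCP_CLIENTS_V61[platform]
    if size > limit:
        problems.append("pool of %d addresses exceeds the %s maximum of %d"
                        % (size, platform, limit))
    return problems
```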

The dhcpd dns Command

The dhcpd dns command specifies the IP address of one or two DNS servers for DHCP clients. The no dhcpd dns command removes the DNS IP address(es) from the configuration. The syntax is

pix(config)#dhcpd dns dns1 [dns2]
pix(config)#no dhcpd dns

The first of the following examples defines one DNS server. The second example defines two DNS servers.

pix(config)#dhcpd dns 192.168.100.5
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5

The dhcpd wins Command

The dhcpd wins command specifies the IP address of one or two WINS servers for DHCP clients. The no dhcpd wins command removes the WINS IP address(es) from the configuration. The syntax is

pix(config)#dhcpd wins wins1 [wins2]
pix(config)#no dhcpd wins

The first of the following examples defines one WINS server. The second example defines two WINS servers:

pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd wins 192.168.100.5 192.168.101.5 

The dhcpd lease Command

The dhcpd lease command specifies the length of the DHCP lease in seconds. This represents how long the DHCP client can use the IP address assigned by the DHCP server. The no dhcpd lease command restores the lease length to the default value of 3,600 seconds. The syntax is

pix(config)#dhcpd lease seconds
pix(config)#no dhcpd lease

This example sets the lease time to 7,200 seconds (two hours).

pix(config)#dhcpd lease 7200 

The dhcpd domain Command

The dhcpd domain command defines the DNS domain name for the DHCP clients. The no dhcpd domain command removes the DNS domain name from your configuration. The syntax is

pix(config)#dhcpd domain dom_name
pix(config)#no dhcpd domain

This example sets the DNS domain name to cisco.com.

pix(config)#dhcpd domain cisco.com 

The dhcpd enable Command

The dhcpd enable command turns on DHCP services. This enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. While an interface name option exists, since version 5.1, the inside interface is both the default and the only interface supported. The no dhcpd enable command disables the DHCP server feature. The syntax is

pix(config)#dhcpd enable
pix(config)#no dhcpd enable

The dhcpd ping_timeout Command

The dhcpd ping_timeout command allows a short delay to be configured, in milliseconds, before responding to a DHCP client request. This delay allows the PIX Firewall to work as a backup DHCP server. The no dhcpd ping_timeout command removes the delay. The syntax is

pix(config)#dhcpd ping_timeout timeout
pix(config)#no dhcpd ping_timeout

This example sets the DHCP ping_timeout to 750 milliseconds.

pix(config)#dhcpd ping_timeout 750

Using Cisco IP Phones with a DHCP Server

A growing number of organizations with small branch offices are implementing a Cisco IP Telephony VoIP (Voice over IP) solution. A common implementation is to install the Cisco CallManager at the central office and use it to control IP Phones at the small branch offices. The benefits to this implementation include the following:

  • Centralizes call processing

  • Reduces the equipment required

  • Eliminates the administration of additional Cisco CallManager servers

  • Eliminates other servers at branch offices

Part of the simplicity of the Cisco IP Telephony solution is that the phones can download their configuration from a TFTP server. To eliminate the need to preconfigure the Cisco IP Phone with the phone IP address and the IP address of the TFTP server, the phone sends out a DHCP request with the option parameter set to 150 or 66 to a DHCP server.

PIX Firewall version 6.2 introduced two new options for the dhcpd command specifically to support VoIP installations. Use the no form of the command to remove the configuration entry. The syntax is

pix(config)#dhcpd option 66 ascii {server_name | server_ip_str}
pix(config)#no dhcpd option 66
pix(config)#dhcpd option 150 ip server_ip1 [server_ip2]
pix(config)#no dhcpd option 150

server_name      TFTP server host name (only one)
server_ip_str    TFTP server host IP address (only one)
server_ip1       IP address of the primary TFTP server
server_ip2       IP address of the secondary TFTP server (maximum of two TFTP servers)

Cisco IP Phones can include both option 150 and 66 requests in a single DHCP request. In this case, the PIX Firewall DHCP server assigns values for both options in the response if they’re configured on the PIX Firewall.

The current versions of PIX Firewall DHCP server (v6.2) can only be enabled on the inside interface and, therefore, can only respond to DHCP option 150 and 66 requests from Cisco IP Phones or from other network devices on the internal network. If any outside clients need to connect to the inside TFTP server, then a group of static and access list statements must be created for the TFTP server, instead of using the dhcpd option command.

This partial configuration demonstrates configuring the firewall with DHCP support for the dhcpd option 66 and option 150 features. Note, the server IP addresses are on the same network as the inside interface and outside the range of available IP addresses assigned to the DHCP server.

pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.6-192.168.1.254
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd domain test.com
pix(config)#dhcpd option 66 ascii 192.168.1.5
pix(config)#dhcpd option 150 192.168.1.4 192.168.1.5
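As an added illustration (not from the book or from Cisco's code), the following encodes the two options exactly as they travel in the DHCP reply produced by the configuration above, in RFC 2132 type-length-value form, and parses them back the way a phone would, rejecting a truncated option as a malformed message. Option 66 carries an ASCII string (here the IP written as text), option 150 a list of 4-byte addresses with the primary first.

```python
import ipaddress

OPT_PAD, OPT_TFTP_SERVER_NAME, OPT_TFTP_SERVER_ADDRESS, OPT_END = 0, 66, 150, 255

def build_voip_options(tftp_name, tftp_ips):
    """Encode what the PIX sends after 'dhcpd option 66 ascii ...' and
    'dhcpd option 150 ip ...': code, length, value, terminated by 255."""
    out = bytearray()
    name = tftp_name.encode("ascii")
    out += bytes([OPT_TFTP_SERVER_NAME, len(name)]) + name
    if tftp_ips:
        addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in tftp_ips)
        out += bytes([OPT_TFTP_SERVER_ADDRESS, len(addrs)]) + addrs
    out += bytes([OPT_END])
    return bytes(out)

def parse_options(blob):
    """Walk the option field and return {code: raw_value}. Stops at the end
    option, skips pad bytes, and raises on a length that overruns the
    buffer, which a server's statistics would count as a malformed message."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length %d overruns buffer" % (code, length))
        opts[code] = value
        i += 2 + length
    return opts

def tftp_servers_from_options(opts):
    """What a Cisco IP Phone learns: the option 66 string and the option 150
    address list (primary first). Returns (name, [ip, ...])."""
    servers = []
    if OPT_TFTP_SERVER_ADDRESS in opts:
        raw = opts[OPT_TFTP_SERVER_ADDRESS]
        if len(raw) % 4:
            raise ValueError("option 150 length is not a multiple of 4")
        servers = [str(ipaddress.IPv4Address(raw[k:k + 4]))
                   for k in range(0, len(raw), 4)]
    name = opts.get(OPT_TFTP_SERVER_NAME, b"").decode("ascii")
    return name, servers
```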
pix(config)#dhcpd enable

Verifying and Monitoring DHCP Configuration

In addition to performing a write terminal command to see the configuration, the PIX Firewall offers the following commands:

show dhcpd [binding|statistics]     Displays the configured dhcpd commands, and binding and statistics information associated with those commands
clear dhcpd [binding|statistics]    Clears all the dhcpd commands, binding, and statistics
debug dhcpd event                   Displays event information about the DHCP server
debug dhcpd packet                  Displays packet information about the DHCP server

This partial configuration demonstrates configuring the DHCP features for a SOHO implementation.

pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.2-192.168.1.254
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd lease 7200
pix(config)#dhcpd ping_timeout 750
pix(config)#dhcpd domain test.com
pix(config)#dhcpd enable

This next example is sample output from the show dhcpd command:

pix(config)#show dhcpd
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd domain test.com
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd dns 192.168.100.5 192.168.101.5
dhcpd wins 192.168.100.5
dhcpd enable inside 

This next example is sample output from the show dhcpd binding command:

pix(config)#show dhcpd binding
IP Address Hardware Address Lease Expiration Type
192.168.1.100 0100.a0c9.868e.43 84985 seconds automatic

The following is sample output from the show dhcpd statistics command:

pix(config)#show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0
 
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
 
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

DHCP Client

Corporate networks tend to use static IP addresses for all key network devices—such as firewalls, routers, switches, and servers—so those IP addresses can be configured as default gateways, used in ACLs, and so forth. But a telecommuter or small office could be using a cable or a DSL service that requires the client to receive their IP address and related information from a DHCP server on the provider’s network. In the case of a firewall, this would be the outside interface.

The PIX Firewall ip address dhcp command enables the DHCP client feature. Once the DHCP client feature is enabled, the PIX Firewall can accept configuration parameters from a DHCP server. The only configuration parameters the firewall requires are an IP address and a subnet mask for the DHCP client interface, the outside interface. To reset the interface and delete the DHCP lease from the PIX Firewall, configure a static IP address for the interface or use the clear ip command to clear all PIX Firewall IP addresses. The syntax is

pix(config)#ip address outside dhcp [setroute] [retry retry_cnt]
pix(config)#clear ip

dhcp         Enables the DHCP client feature, which then polls for information on the defined interface.
setroute     Tells the PIX to create a default route using the default gateway parameter supplied by the DHCP server.
retry        Enables the PIX to retry a poll for DHCP information.
retry_cnt    The number of times the PIX will poll for DHCP information (4 to 16). The default is 4.

If the optional setroute option is configured, the show route command output will show that the default route was set by a DHCP server.

The show ip address if_name dhcp Command

The show ip address if_name dhcp command displays the DHCP lease details. The following is a sample of what the output might look like:

Pix#show ip address outside dhcp
Temp IP Addr:172.16.1.61 for peer on interface:outside
Temp sub net mask:255.255.255.252
DHCP Lease server:172.16.4.5, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:172.16.1.62
Next timer fires after:91347 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
ip address outside dhcp retry 10

Note

The PIX Firewall DHCP client doesn’t support failover configurations.

Using NAT/PAT with DHCP Client

The IP address assigned to the outside interface by the DHCP server can be used as the PAT global address. This means all outbound NAT translations will use the assigned IP address of the outside interface, combined with a unique port number. By using the outside interface address, it’s unnecessary for the ISP to assign a static IP address for the global address pool.

Use the global command with the interface keyword to enable PAT to use the DHCP-acquired IP address of the outside interface. The syntax is

pix(config)#global (outside) nat-id interface

In the following example, the first line enables the DHCP client on the outside interface, uses the acquired gateway address as the default route, and allows ten polling attempts to collect the DHCP information. The second line allows all inside addresses to go out of the network using NAT pool #1. The last line enables PAT using the IP address at the outside interface.

pix(config)#ip address outside dhcp setroute retry 10
pix(config)#nat (inside) 1 0 0
pix(config)#global (outside) 1 interface

Firewalls as a DHCP Client and Server

In this SOHO scenario, it’s likely that the perimeter firewall would be a DHCP client on the outside interface, using PAT to allow internal users to travel out through the router to either the Internet or a corporate network. At the same time, it’s entirely possible that the firewall could be providing IP addresses to users on the inside of the network if no resident server exists to provide the feature.

This is, in fact, what happens with virtually all the small perimeter routers manufactured by many vendors, which people are inserting between their home computer systems and their cable or DSL connection. It could be argued that, with a single LAN, the perimeter router is acting only as a firewall and DHCP server/client because no actual routing is occurring. Because most of these small routers rely on another device, such as a cable modem, to provide a LAN (Ethernet) connection to the outside interface, there’s every reason to think a true firewall device could be substituted and provide greater protection.

The dhcpd auto_config Command

Use the dhcpd auto_config command to enable PIX Firewall to automatically assign DNS, WINS, and domain name values learned by the DHCP client (outside) to the DHCP server (inside). Any of these auto_config parameters can be overridden by configuring specific dns, wins, and domain parameters.

pix(config)#dhcpd auto_config [client_intf_name]
pix(config)#no dhcpd auto_config

client_intf_name    Currently, this optional argument is irrelevant because the PIX OS only supports the outside interface. If later OS versions support additional interfaces, this argument will specify the interface.

This partial configuration shows an example of how to configure the auto_config command to assign the DNS, WINS, and DOMAIN parameters learned from the DHCP client interface (outside). Note that the netmask of the inside interface is 255.255.254.0.

pix(config)#ip address outside dhcp setroute retry 10
pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.2-192.168.1.254
pix(config)#dhcpd auto_config
pix(config)#dhcpd enable
