In many small office and home office (SOHO) installations, no server exists to provide DHCP services, and yet the feature could make adding new users and machines to the LAN much easier. Think about the user who uses their laptop at work in a DHCP environment, and then wants to take the laptop home. Continually configuring and unconfiguring static IP addresses would be a pain.
Fortunately, devices like perimeter routers or firewall devices can easily provide DHCP server support in this type of scenario. Cisco’s Firewall with DHCP server strategy seems targeted at the PIX 506 and 506E platforms, but the feature is supported throughout the product line. Acting as a DHCP server, the PIX unit provides network configuration information (parameters) to DHCP clients in response to the clients’ DHCP polling. These configuration parameters provide the DHCP clients with the networking parameters, such as the default gateway, needed to access the network. Once on the network, services such as the DNS and WINS servers can be accessed to facilitate using web browsers or e-mail.
The devices that connect to a PIX Firewall acting as a DHCP server are PC clients and other network devices configured as DHCP clients. These connections can be nonsecure (not encrypted) for accessing the Internet or corporate resources. A growing market is creating secure, encrypted connections, using IPSec technology, to access corporate resources.
The following table lists the number of concurrent DHCP client connections supported by the PIX Firewall models by versions of the PIX Firewall OS. As with all product details, be sure to check the latest online documentation for maximum clients and the impact on memory requirements.
PIX OS Version | PIX Firewall Platform | Maximum DHCP Clients
---|---|---
v5.2 and earlier | All platforms | 10
v5.3 to v6.0 | PIX 506/506E | 32
v5.3 to v6.0 | All other platforms | 256
v6.1 and higher | PIX 501 (10-user license) | 32
v6.1 and higher | PIX 501 (50-user license) | 128
v6.1 and higher | PIX 506/506E | 256
v6.1 and higher | All other platforms | 256
To be considered an active connection for the purpose of comparing to the maximum DHCP clients, a host must have done any one of the following:
Passed traffic through the PIX device in the last 30 seconds
Established NAT/PAT through the PIX device
Established a TCP connection or a UDP session through the PIX device
Established user authentication through the PIX device
While new versions of the PIX OS might change this, two features aren’t supported by the current PIX Firewall DHCP server feature:
The PIX Firewall DHCP server doesn’t support BOOTP requests.
The PIX Firewall DHCP server doesn’t support failover configurations.
Note: It isn’t possible to get 256 clients from a class C network or from a class A or B network subnetted with a 24-bit mask. While the 24-bit mask creates 256 addresses, the first is the network, the last is the broadcast, and one must be configured on the PIX Firewall interface. This leaves 253 DHCP clients.
Since version 5.2 of the PIX Firewall OS, the DHCP server daemon can only be enabled on the inside interface and only supports clients directly connected to that interface, in the same network. This means IP Helper and other DHCP request-forwarding techniques won’t work with a PIX device working as a DHCP server. Because using any firewall as a DHCP server is a small network solution, this shouldn’t be a serious limitation.
The PIX Firewall uses variations of the dhcpd command to implement the DHCP server features. The following are the most frequently used options. The no form of each command without the variable parameters will remove the command.
The dhcpd address command specifies the DHCP server address pool. This address pool must be within the same subnet as the PIX Firewall DHCP server interface. The size of the pool is limited to the maximum DHCP clients for that platform and license. The -ipadd2 option is used to define an address range, so interface names can’t contain a “-” (dash). The inside interface is the default and, since OS v5.1, the only interface supported. Use the no dhcpd address command to remove the DHCP address pool. The syntax is
pix(config)#dhcpd address ip_add1[-ipadd2] [if_name]
pix(config)#no dhcpd address
In the first of the following examples, the address pool is a single address. The second example creates a pool of ten addresses:
pix(config)#dhcpd address 192.168.1.2
pix(config)#dhcpd address 192.168.1.2-192.168.1.11
The dhcpd dns command specifies the IP address of one or two DNS servers for DHCP clients. The no dhcpd dns command removes the DNS IP address(es) from the configuration. The syntax is
pix(config)#dhcpd dns dns1 [dns2]
pix(config)#no dhcpd dns
The first of the following examples defines one DNS server. The second example defines two DNS servers.
pix(config)#dhcpd dns 192.168.100.5
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
The dhcpd wins command specifies the IP address of one or two WINS servers for DHCP clients. The no dhcpd wins command removes the WINS IP address(es) from the configuration. The syntax is
pix(config)#dhcpd wins wins1 [wins2]
pix(config)#no dhcpd wins
The first of the following examples defines one WINS server. The second example defines two WINS servers:
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd wins 192.168.100.5 192.168.101.5
The dhcpd lease command specifies the length of the DHCP lease in seconds. This represents how long the DHCP client can use the IP address granted by the DHCP server. The no dhcpd lease command restores the lease length to the default value of 3,600 seconds. The syntax is
pix(config)#dhcpd lease seconds
pix(config)#no dhcpd lease
This example sets the lease time to 7,200 seconds (two hours).
pix(config)#dhcpd lease 7200
The dhcpd domain command defines the DNS domain name for the DHCP clients. The no dhcpd domain command removes the DNS domain name from your configuration. The syntax is
pix(config)#dhcpd domain dom_name
pix(config)#no dhcpd domain
This example sets the DNS domain name to cisco.com.
pix(config)#dhcpd domain cisco.com
The dhcpd enable command turns on DHCP services. This enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. While an interface name option exists, since version 5.1, the inside interface is both the default and the only interface supported. The no dhcpd enable command disables the DHCP server feature. The syntax is
pix(config)#dhcpd enable
pix(config)#no dhcpd enable
The dhcpd ping_timeout command allows a short delay to be configured, in milliseconds, before responding to a DHCP client request. This delay allows the PIX Firewall to work as a backup DHCP server. The no dhcpd ping_timeout command removes the delay. The syntax is
pix(config)#dhcpd ping_timeout timeout
pix(config)#no dhcpd ping_timeout
This example sets the DHCP ping_timeout to 750 milliseconds.
pix(config)#dhcpd ping_timeout 750
A growing number of organizations with small branch offices are implementing a Cisco IP Telephony VoIP (Voice over IP) solution. A common implementation is to install the Cisco CallManager at the central office and use it to control IP Phones at the small branch offices. The benefits to this implementation include the following:
Centralizes call processing
Reduces the equipment required
Eliminates the administration of additional Cisco CallManager servers
Eliminates other servers at branch offices
Part of the simplicity of the Cisco IP Telephony solution is that the phones can download their configuration from a TFTP server. To eliminate the need to preconfigure the Cisco IP Phone with the phone IP address and the IP address of the TFTP server, the phone sends out a DHCP request with the option parameter set to 150 or 66 to a DHCP server.
PIX Firewall version 6.2 introduced two new options for the dhcpd command specifically to support VoIP installations. Use the no form of the command to remove the configuration entry. The syntax is
pix(config)#dhcpd option 66 ascii {server_name | server_ip_str}
pix(config)#no dhcpd option 66
pix(config)#dhcpd option 150 ip server_ip1 [server_ip2]
pix(config)#no dhcpd option 150
Parameter | Description
---|---
server_name | TFTP server host name (only one)
server_ip_str | TFTP server host IP address (only one)
server_ip1 | IP address of the primary TFTP server
server_ip2 | IP address of the secondary TFTP server (maximum of two TFTP servers)
Cisco IP Phones can include both option 150 and 66 requests in a single DHCP request. In this case, the PIX Firewall DHCP server assigns values for both options in the response if they’re configured on the PIX Firewall.
The current versions of PIX Firewall DHCP server (v6.2) can only be enabled on the inside interface and, therefore, can only respond to DHCP option 150 and 66 requests from Cisco IP Phones or from other network devices on the internal network. If any outside clients need to connect to the inside TFTP server, then a group of static and access list statements must be created for the TFTP server, instead of using the dhcpd option command.
This partial configuration demonstrates configuring the firewall with DHCP support for the dhcpd option 66 and option 150 features. Note that the server IP addresses are on the same network as the inside interface and outside the range of IP addresses assigned to the DHCP server pool.
pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.6-192.168.1.254
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd domain test.com
pix(config)#dhcpd option 66 ascii 192.168.1.5
pix(config)#dhcpd option 150 192.168.1.4 192.168.1.5
pix(config)#dhcpd enable
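Before typing a dhcpd configuration like the one above into a production firewall, it is worth checking it against the constraints this chapter lays out: the pool must sit inside the inside-interface subnet and leave out the network, broadcast and interface addresses (the 253-client note), its size may not exceed the platform maximum from the table, and the option 66/150 TFTP servers must be on the inside network but outside the pool. The following Python checker is an added example, not code from the book or from Cisco; the platform limits it embeds are the v6.1-and-higher figures from the table on this page, and the function and parameter names are the example's own.

```python
import ipaddress

# Maximum DHCP clients for PIX OS v6.1 and higher, from the table on this page.
MAX_DHCP_CLIENTS_V61 = {
    "PIX 501 (10-user license)": 32,
    "PIX 501 (50-user license)": 128,
    "PIX 506/506E": 256,
    "All other platforms": 256,
}

def usable_dhcp_addresses(inside_ip, netmask):
    """Addresses left for DHCP clients on the inside network: the subnet minus
    the network address, the broadcast address and the PIX interface address."""
    net = ipaddress.IPv4Network(f"{inside_ip}/{netmask}", strict=False)
    return net.num_addresses - 3

def check_dhcpd_config(inside_ip, netmask, pool_start, pool_end, platform,
                       tftp_servers=()):
    """Return the list of constraint violations for a planned dhcpd address pool
    and its option 66/150 TFTP servers; an empty list means nothing was found."""
    net = ipaddress.IPv4Network(f"{inside_ip}/{netmask}", strict=False)
    pix = ipaddress.IPv4Address(inside_ip)
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    limit = MAX_DHCP_CLIENTS_V61[platform]
    problems = []
    if end < start:
        problems.append("pool end precedes pool start")
    if start not in net or end not in net:
        problems.append("pool is not within the inside interface subnet")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if start <= pix <= end:
        problems.append("pool includes the PIX inside interface address")
    size = int(end) - int(start) + 1
    if size > limit:
        problems.append(f"pool size {size} exceeds the {platform} maximum of {limit}")
    # Option 66/150 servers must be reachable on the inside network, but they
    # must never be handed out to clients, so they have to sit outside the pool.
    for server in tftp_servers:
        addr = ipaddress.IPv4Address(server)
        if addr not in net:
            problems.append(f"TFTP server {server} is not on the inside subnet")
        elif start <= addr <= end:
            problems.append(f"TFTP server {server} lies inside the DHCP pool")
    return problems

if __name__ == "__main__":
    # The VoIP partial configuration from this page: /24 inside, pool .6-.254,
    # TFTP servers .4 and .5 (constructed call using the page's own values).
    print(usable_dhcp_addresses("192.168.1.1", "255.255.255.0"))
    print(check_dhcpd_config("192.168.1.1", "255.255.255.0", "192.168.1.6",
                             "192.168.1.254", "PIX 506/506E",
                             ["192.168.1.4", "192.168.1.5"]))
```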
In addition to performing a write terminal command to see the configuration, the PIX Firewall offers the following commands:
Command | Description
---|---
show dhcpd [binding|statistics] | Displays the configured dhcpd commands, and binding and statistics information associated with those commands
clear dhcpd [binding|statistics] | Clears all the dhcpd commands, binding, and statistics
debug dhcpd event | Displays event information about the DHCP server
debug dhcpd packet | Displays packet information about the DHCP server
This partial configuration demonstrates configuring the DHCP features for a SOHO implementation.
pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.2-192.168.1.254
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd lease 7200
pix(config)#dhcpd ping_timeout 750
pix(config)#dhcpd domain test.com
pix(config)#dhcpd enable
This next example is sample output from the show dhcpd command:
pix(config)#show dhcpd
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd domain test.com
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd dns 192.168.100.5 192.168.101.5
dhcpd wins 192.168.100.5
dhcpd enable inside
This next example is sample output from the show dhcpd binding command:
pix(config)#show dhcpd binding
IP Address       Hardware Address      Lease Expiration   Type
192.168.1.100    0100.a0c9.868e.43     84985 seconds      automatic
The following is sample output from the show dhcpd statistics command:
pix(config)#show dhcpd statistics
Address Pools        1
Automatic Bindings   1
Expired Bindings     1
Malformed messages   0
Message Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          2
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0
Message Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              1
DHCPNAK              1
Corporate networks tend to use static IP addresses for all key network devices—such as firewalls, routers, switches, and servers—so those IP addresses can be configured as default gateways, used in ACLs, and so forth. But a telecommuter or small office could be using a cable or a DSL service that requires the client to receive their IP address and related information from a DHCP server on the provider’s network. In the case of a firewall, this would be the outside interface.
The PIX Firewall ip address dhcp command enables the DHCP client feature. Once the DHCP client feature is enabled, the PIX Firewall can accept configuration parameters from a DHCP server. The only configuration parameters the firewall requires are an IP address and a subnet mask for the DHCP client interface, the outside interface. To reset the interface and delete the DHCP lease from the PIX Firewall, configure a static IP address for the interface or use the clear ip command to clear all PIX Firewall IP addresses. The syntax is
pix(config)#ip address outside dhcp [setroute] [retry retry_cnt]
pix(config)#clear ip
Parameter | Description
---|---
dhcp | Enables the DHCP client feature, which then polls for information on the defined interface.
setroute | Tells the PIX to create a default route using the default gateway parameter supplied by the DHCP server.
retry | Enables the PIX to retry a poll for DHCP information.
retry_cnt | The number of times the PIX will poll for DHCP information (4 to 16). The default is 4.
If the optional setroute option is configured, the show route command output will show that the default route was set by a DHCP server.
The show ip address if_name dhcp command displays the DHCP lease details. The following is a sample of what the output might look like:
Pix#show ip address outside dhcp
Temp IP Addr:172.16.1.61 for peer on interface:outside
Temp sub net mask:255.255.255.252
DHCP Lease server:172.16.4.5, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:172.16.1.62
Next timer fires after:91347 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
ip address outside dhcp retry 10
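When this output is collected from many SOHO firewalls, it helps to parse it rather than read it by eye. The following Python parser is an added example, not from the book or from Cisco: it pulls the lease fields out of the sample above, checks that the renewal and rebind timers are the RFC 2131 defaults (T1 at half the lease, T2 at 87.5 percent) so an oddly behaving provider DHCP server stands out, and checks that the supplied default gateway actually lies on the leased subnet, since setroute is useless otherwise. The field names and function names are the example's own.

```python
import ipaddress
import re

# Output of "show ip address outside dhcp" as printed on this page, laid out
# one field group per line (constructed from the page's sample).
SAMPLE_OUTPUT = """\
Temp IP Addr:172.16.1.61 for peer on interface:outside
Temp sub net mask:255.255.255.252
DHCP Lease server:172.16.4.5, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:172.16.1.62
Next timer fires after:91347 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
"""

FIELDS = {
    "ip": r"Temp IP Addr:([\d.]+)",
    "mask": r"Temp sub net mask:([\d.]+)",
    "server": r"DHCP Lease server:([\d.]+)",
    "state": r"state:\d+ (\w+)",
    "gateway": r"Temp default-gateway addr:([\d.]+)",
    "lease": r"Lease:(\d+) secs",
    "renewal": r"Renewal:(\d+) secs",
    "rebind": r"Rebind:(\d+) secs",
    "next_timer": r"Next timer fires after:(\d+) secs",
}

def parse_dhcp_client_lease(text):
    """Extract the lease fields into a dict (numeric fields as ints); a missing
    field raises ValueError so a changed output format does not go unnoticed."""
    lease = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {name!r} not found in output")
        value = match.group(1)
        lease[name] = int(value) if value.isdigit() else value
    return lease

def timers_match_rfc_defaults(lease):
    """RFC 2131 default timers: renewal (T1) at half the lease, rebind (T2)
    at 87.5 percent of it. A server that deviates deserves a closer look."""
    return (lease["renewal"] == lease["lease"] // 2
            and lease["rebind"] == lease["lease"] * 7 // 8)

def gateway_on_link(lease):
    """The default gateway must be on the leased subnet for setroute to work."""
    net = ipaddress.IPv4Network(f"{lease['ip']}/{lease['mask']}", strict=False)
    return ipaddress.IPv4Address(lease["gateway"]) in net
```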
Note: The PIX Firewall DHCP client doesn’t support failover configurations.
The IP address assigned to the outside interface by the DHCP server can be used as the PAT global address. This means all outbound NAT translations will use the assigned IP address of the outside interface, combined with a unique port number. By using the outside interface address, the ISP doesn’t need to provide a static IP address for the global address pool.
Use the global command with the interface keyword to enable PAT to use the DHCP-acquired IP address of the outside interface. The syntax is
pix(config)#global (outside) nat-id interface
In the following example, the first line enables the DHCP client on the outside interface, uses the acquired gateway address as the default route, and allows ten polling attempts to collect the DHCP information. The second line allows all inside addresses to go out of the network using NAT pool #1. The last line enables PAT using the IP address at the outside interface.
pix(config)#ip address outside dhcp setroute retry 10
pix(config)#nat (inside) 1 0 0
pix(config)#global (outside) 1 interface
In this SOHO scenario, it’s likely that the perimeter firewall would be a DHCP client on the outside interface, using PAT to allow internal users to travel out through the router to either the Internet or a corporate network. At the same time, it’s entirely possible that the firewall could be providing IP addresses to users on the inside of the network if no resident server exists to provide the feature.
This is, in fact, what happens with virtually all the small perimeter routers manufactured by many vendors, which people are inserting between their home computer systems and their cable or DSL connection. It could be argued that, with a single LAN, the perimeter router is acting only as a firewall and DHCP server/client because no actual routing is occurring. Because most of these small routers rely on another device, such as a cable modem, to provide a LAN (Ethernet) connection to the outside interface, there’s every reason to think a true firewall device could be substituted and provide greater protection.
Use the dhcpd auto_config command to enable PIX Firewall to automatically assign DNS, WINS, and domain name values learned by the DHCP client (outside) to the DHCP server (inside). Any of these auto_config parameters can be overridden by configuring specific dns, wins, and domain parameters.
pix(config)#dhcpd auto_config [client_intf_name]
pix(config)#no dhcpd auto_config
Parameter | Description
---|---
client_intf_name | Currently, this optional argument is irrelevant because the PIX OS only supports the outside interface. If later OS versions support additional interfaces, this argument will specify the interface.
This partial configuration shows an example of how to configure the auto_config command to assign the DNS, WINS, and DOMAIN parameters learned from the DHCP client interface (outside). Note that the netmask of the inside interface is 255.255.254.0.
pix(config)#ip address outside dhcp setroute retry 10
pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.2-192.168.1.254
pix(config)#dhcpd auto_config
pix(config)#dhcpd enable