<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ASA5505 Lockdown in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968159#M437217</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks. I've already done the shutdown. I'll check the link (if helpful, I'll rate..)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am looking to ensure that if they take the phone out, they will get nowhere. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sun, 18 May 2008 22:34:32 GMT</pubDate>
    <dc:creator>don.click1</dc:creator>
    <dc:date>2008-05-18T22:34:32Z</dc:date>
    <item>
      <title>ASA5505 Lockdown</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968157#M437213</link>
      <description>&lt;P&gt;Hey guys - I have a couple of questions that I hope are quick to answer. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a need to provide users with an IP phone at home (extended leave, part timers, etc). The current plan is to provide them an ASA5505 that is configured to create the VPN tunnel over the internet (connects to an ASA5520). We also want to lock down all the ports except e0/0 (outside interface) and e0/7 (the PoE-enabled phone port). I am trying to configure the 5505 so that only the phone will get an IP, AND if they remove the phone and plug in a desktop/laptop/etc, it won't work (i.e. no IP address supplied, ports blocked, etc.). The users will need to use their existing VPN on their laptop to get network; we are just trying to supply them an "off-site extension" of their phones.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So - Question 1 - Can I have the DHCP scope on the ASA5505 defined to do a MAC-based assignment? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Question 2 - If we can't lock down the scope by MAC address, what ports, other than HTTP and Skinny (no SIP phones here) would/should I block?&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;If anyone has any other suggestions, I'm all ears.. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 10:01:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968157#M437213</guid>
      <dc:creator>don.click1</dc:creator>
      <dc:date>2020-02-21T10:01:33Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Lockdown</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968158#M437215</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Place a "shutdown" on interfaces e0/1 to e0/6&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For control of devices by MAC access, see "mac-list" command at the following URL:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1888833" target="_blank"&gt;http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1888833&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 18 May 2008 22:30:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968158#M437215</guid>
      <dc:creator>samuellthomasjr</dc:creator>
      <dc:date>2008-05-18T22:30:44Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Lockdown</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968159#M437217</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks. I've already done the shutdown. I'll check the link (if helpful, I'll rate..)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am looking to ensure that if they take the phone out, they will get nowhere. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 18 May 2008 22:34:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968159#M437217</guid>
      <dc:creator>don.click1</dc:creator>
      <dc:date>2008-05-18T22:34:32Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Lockdown</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968160#M437218</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have read up on the mac-list, and it seems that would work. My question now - how do I apply that to only 1 interface? Seems to me that, since it's a global command, it will restrict on all ports, right?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I need e0/0 to be unrestricted, as I have NO idea what the MAC address will be of the "dirty" side, but at the same time, e0/7 should be restricted to only the phone that I supply. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again for the link.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 May 2008 16:43:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-lockdown/m-p/968160#M437218</guid>
      <dc:creator>don.click1</dc:creator>
      <dc:date>2008-05-20T16:43:41Z</dc:date>
    </item>
  </channel>
</rss>

