Pix 501 & DHCP

duchesne_ced
Level 1

Hi,

I've got a small Pix 501 configured with a DHCP server for the inside interface. The Pix allocates an IP and stores the associated MAC address.

Let's assume PcA gets the IP 172.16.1.2 with DHCP. If I remove PcA and connect PcB with the static IP 172.16.1.2, I will have full access. Is there a way to prevent this and dynamically allow only the IP/MAC pairs served by DHCP, so that when PcB arrives it will never have access?

regards

Cedric

5 Replies

It would be easier to answer your question if you mentioned what you are trying to achieve... Anyway, if you have a DHCP server on your PIX-501 you don't even have to configure any IP for PcB -- when PcB arrives it will get the next available IP from your DHCP pool and will have full access, wouldn't it?

Take a look at the "arp" command. You can set up a static IP-to-MAC address mapping for hosts on your network:

arp inside 172.16.1.2 aaaa.bbbb.cccc

where aaaa.bbbb.cccc is the MAC address of PcA.

True, you probably want to put a Cisco switch between the PIX inside interface and the PCs (I know the 501 has a 4-port switch) and enable the DHCP snooping feature. This will prevent the kind of activity on your network that you just described: you can't spoof or statically configure an IP to pretend to be a valid PC that acquired an IP address via a DHCP lease.

Also, I am not sure if the PIX supports MAC-address reservation at this moment.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

My structure is of course much more complicated. The Pix501 establishes a tunnel with a concentrator connected back-to-back with a proxy. PcA gets its IP through DHCP on the Pix, then travels to the proxy where it is authenticated. I want to ensure that if PcA leaves the network and PcB (considered an intruder) plugs into the network and configures a static IP, it will NOT get through the proxy without authentication.

If you put a switch on the PIX, you can configure port security and allow only defined MAC addresses on certain ports.
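The two switch-side suggestions in this thread (DHCP snooping in the earlier reply, port security in the one just above) can be combined on a single Cisco IOS access switch placed on the PIX 501 inside interface. What follows is an added example written for this page, not a configuration posted by any participant: it binds each host port to the IP/MAC pair the PIX's DHCP server actually handed out, which is the behaviour Cedric is asking for. The VLAN number, interface names and the choice of FastEthernet0/24 as the uplink to the PIX are assumptions, and the switch platform is assumed to support IP Source Guard (not every low-end model does).

```cisco
! Added example (not from the thread). Assumes VLAN 10 on the inside, hosts on
! Fa0/1-23, uplink to the PIX 501 inside interface on Fa0/24. The PIX remains
! the DHCP server; the switch only watches the DHCP exchange and enforces it.

! 1. DHCP snooping builds a binding table (IP, MAC, VLAN, port, lease) from
!    the DHCPACKs that the PIX sends to each client.
ip dhcp snooping
ip dhcp snooping vlan 10
! The PIX is not a relay and does not expect option 82; leave insertion off.
no ip dhcp snooping information option

! 2. The uplink is the only port allowed to source DHCP server messages.
interface FastEthernet0/24
 description Uplink to PIX 501 inside interface
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust

! 3. Host ports: untrusted for DHCP, and IP Source Guard drops any frame whose
!    source IP/MAC pair is not in the snooping binding table. A statically
!    configured PcB therefore gets no traffic through, whether it reuses
!    PcA's 172.16.1.2 (MAC mismatch) or picks an unused address (no binding).
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
 ip verify source port-security

! 4. Dynamic ARP inspection rejects ARP packets that contradict the bindings,
!    so PcB cannot poison the PIX's ARP cache for 172.16.1.2 either.
ip arp inspection vlan 10
```

To check what the switch has learned, use `show ip dhcp snooping binding` (the table the PIX's leases populate) and `show ip verify source` (the per-port IP/MAC filter derived from it). Two caveats: a binding persists until its lease expires, so PcA's entry for 172.16.1.2 remains in place for the rest of the lease after PcA is unplugged, and the table is lost on reload unless `ip dhcp snooping database` is configured to store it. Port security with `maximum 1` is the "static" part this reply mentions; with IP Source Guard in `port-security` mode the allowed MAC is learned from the DHCP binding rather than typed in by hand, which addresses the manageability concern raised later in the thread.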

This is far too static and not manageable. No, the easiest way would be to tell the PIX: OK, I've served this IP address to this MAC. I allow only this MAC and block all the others until I've seen a release for this IP.

Well, apparently this is not possible.

Cedric
