02-16-2005 08:32 AM - edited 02-20-2020 11:58 PM
Hi,
I've got a small Pix 501 configured with a DHCP server for the inside interface. The Pix allocates an IP and stores the associated MAC address.
Let's assume PcA gets the IP 172.16.1.2 with DHCP. If I remove PcA and connect PcB with the static IP 172.16.1.2, I will have full access. Is there a way to prevent this and dynamically only allow IP/MAC pairs served by the DHCP, so that when PcB arrives, it will never have access?
regards
Cedric
02-16-2005 05:19 PM
It would be easier to answer your question if you mentioned what you are trying to achieve... Anyway, if you have a DHCP server on your PIX-501 you don't even have to configure any IP for PcB -- when PcB arrives it will get the next available IP from your DHCP pool and will have full access, wouldn't it?
Take a look at "arp" command. You can set up a static IP-to-MAC address mapping for hosts on your network:
arp inside 172.16.1.2 aaaa.bbbb.cccc
where aaaa.bbbb.cccc is the MAC address of PcA.
02-16-2005 09:07 PM
True, probably you want to put a Cisco switch behind the PIX inside interface (I know the 501 has a 4-port switch) and enable the DHCP snooping feature. This will prevent the kind of activity on your network that you just described. One can't spoof or configure an IP statically to pretend to be a valid PC that acquired an IP address via a DHCP lease.
Also, I am not sure if the PIX supports MAC-address reservation at this moment.
02-17-2005 02:09 AM
My structure is of course much more complicated. The Pix501 establishes a tunnel with a concentrator connected back to back with a proxy. PcA gets its IP through DHCP on the Pix, then travels to the proxy where it is authenticated. I want to ensure that if PcA leaves the network and PcB (considered an intruder) plugs into the network and configures a static IP, it will NOT get through the proxy without authentication.
02-17-2005 07:07 AM
If you put a switch on the PIX, you can configure port security and allow only defined MAC addresses for certain ports.
02-17-2005 09:17 AM
This is far too static and not manageable. No, the easiest way would be to tell the Pix: OK, I've served this IP address for this MAC. I allow only this MAC and I block all the others until I've seen a release for this IP.
Well, apparently this is not possible.
Cedric
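The rule Cedric describes in his last post (an IP is usable only by the MAC that leased it, until that lease is released or expires) is exactly what a DHCP snooping binding table enforces on a switch, as the earlier reply suggested. The following is an added example, not code from the thread or from Cisco: a small Python model of such a binding table that learns bindings only from DHCP ACKs, refuses a RELEASE that does not come from the bound MAC, and records every denied IP/MAC pair so it can be alerted on. The MAC addresses, IP addresses and lease times are constructed for the scenario in the thread.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One DHCP-learned binding: the MAC that leased an IP and when the lease ends."""
    mac: str
    expires: float  # absolute time in seconds (constructed clock, not wall time)


class LeaseGuard:
    """IP/MAC bindings learned only from DHCP ACKs, like a DHCP snooping binding table.

    Hosts that never obtained a lease (static IPs) have no binding and are denied;
    hosts reusing an IP leased to another MAC are denied; both are logged in `denied`.
    """

    def __init__(self):
        self._bindings = {}   # ip -> Binding
        self.denied = []      # (ip, mac, reason) tuples for detection / alerting

    def on_dhcp_ack(self, ip, mac, now, lease_seconds):
        # The DHCP server (the Pix in the thread) handed this IP to this MAC.
        self._bindings[ip] = Binding(mac.lower(), now + lease_seconds)

    def on_dhcp_release(self, ip, mac):
        # Only the MAC holding the lease may clear it; a RELEASE from any other
        # MAC is ignored so that an intruder cannot evict the legitimate host.
        b = self._bindings.get(ip)
        if b is None or b.mac != mac.lower():
            return False
        del self._bindings[ip]
        return True

    def expire(self, now):
        # Drop bindings whose lease has run out; the IP is then free for a new lease.
        for ip in [ip for ip, b in self._bindings.items() if b.expires <= now]:
            del self._bindings[ip]

    def check(self, ip, mac, now):
        """Return (allowed, reason) for a frame seen with this source IP and MAC."""
        self.expire(now)
        b = self._bindings.get(ip)
        if b is None:
            reason = "no DHCP lease for this IP (static or stale address)"
        elif b.mac != mac.lower():
            reason = "IP leased to %s, seen from %s" % (b.mac, mac.lower())
        else:
            return True, "matches DHCP binding"
        self.denied.append((ip, mac.lower(), reason))
        return False, reason


def scenario():
    """Replay the thread's PcA / PcB situation and return what the guard decided."""
    g = LeaseGuard()
    pca, pcb = "aaaa.bbbb.cccc", "dddd.eeee.ffff"   # constructed MAC addresses
    t0 = 0.0
    g.on_dhcp_ack("172.16.1.2", pca, t0, 3600)        # PcA leases the address
    out = {}
    out["pca"] = g.check("172.16.1.2", pca, t0 + 10)[0]
    # PcB unplugs PcA and configures the same IP statically
    out["pcb_static"] = g.check("172.16.1.2", pcb, t0 + 20)[0]
    # PcB tries a different, never-leased static IP
    out["pcb_other_static"] = g.check("172.16.1.9", pcb, t0 + 21)[0]
    # PcB tries to release PcA's lease; rejected because the MAC does not match
    out["foreign_release"] = g.on_dhcp_release("172.16.1.2", pcb)
    out["pcb_after_foreign_release"] = g.check("172.16.1.2", pcb, t0 + 25)[0]
    # PcA releases its own lease; the IP is now unbound but PcB still has no lease
    out["own_release"] = g.on_dhcp_release("172.16.1.2", pca)
    out["pcb_after_release"] = g.check("172.16.1.2", pcb, t0 + 30)[0]
    # Once PcB actually obtains a lease it is allowed (as the second reply points out)
    g.on_dhcp_ack("172.16.1.2", pcb, t0 + 40, 3600)
    out["pcb_after_lease"] = g.check("172.16.1.2", pcb, t0 + 41)[0]
    # After the lease expires the binding disappears and PcB is denied again
    out["expired"] = g.check("172.16.1.2", pcb, t0 + 40 + 3600)[0]
    out["denied_count"] = len(g.denied)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The `denied` list is the part a defender would actually wire up: each entry is an IP/MAC pair that traffic was seen from without a matching lease, which is the signal to log or alert on rather than silently drop.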