DHCP Servers
The server part of PIX DHCP support is more complicated. Let's look at the
server's capabilities and limitations. The most important issue is the number of
DHCP clients the server can support and the specific configuration options supported.
The number of clients supported on the various versions of PIX firewalls
is shown in Table 4.3.
Table 4.3 Number of Clients Supported by the PIX DHCP Server
PIX Firewall Version        PIX Firewall Platform          Client Addresses (Active Hosts)
Version 5.2 and before      All platforms                  10
Version 5.3 to version 6.0  PIX 506/506E                   32
                            All other platforms            256
Version 6.1 and later       PIX 501 with 10-user license   32
                            PIX 501 with 50-user license   128
                            All other platforms            256
Note that the numbers quoted in Table 4.3 are for active hosts. A host is
"active" if it has passed any traffic through the PIX, established a connection
through the firewall, established a NAT or PAT translation entry, or authenticated
itself to the firewall during the last 30 seconds.
NOTE
The DHCP server can be configured only on the inside interface of the PIX
firewall and supports only clients on a network directly connected to this
interface.
www.syngress.com
186 Chapter 4 • Advanced PIX Configurations
A basic configuration of the DHCP server requires only two commands:
one for specifying a range of IP addresses that can be provided to clients and
another one for actually turning the feature on. For example:
PIX1(config)# dhcpd address 192.168.2.1-192.168.2.127 inside
PIX1(config)# dhcpd enable inside
The only parameter that can be changed here is the address pool. Although
currently the interface is always inside, it is possible that future releases of the PIX
will have the ability to run a DHCP server on other interfaces. However, at the
time of this writing (version 6.2), it does not. It is possible to configure only one
pool. Now when a client sends a DHCP request, the PIX provides it with the
next IP address available in the pool of 192.168.2.1-192.168.2.127, the same
subnet mask that is set for the inside interface of the firewall, and a default route
pointing to the PIX itself.
Some other configuration parameters are concerned with so-called "DHCP
options"—optional information that can be provided to the client at its request.
RFC 2132, "DHCP Options and BOOTP Vendor Extensions," describes about
100 of these options and provides a mechanism for vendors to specify their own
options. Very few of these options are actually needed, especially in a SOHO environment,
so the PIX supports only a few of them; nevertheless, this does not
make it unable to act as a full-strength server. The options that can be configured
are the default domain name, the DNS server, the WINS server, and two
TFTP-related options (numbers 66 and 150).
The domain name provided to a client is configured with the following
command:
dhcpd domain
For example:
PIX1(config)# dhcpd domain syngress.com
The DNS servers that a client should use are configured with the command:
dhcpd dns
Up to two DNS servers can be configured, using IP addresses:
PIX1(config)# dhcpd dns 1.2.3.4 1.2.4.10
WINS servers are configured using the following command, with the same
restrictions as DNS servers—up to two servers, configured using IP addresses:
dhcpd wins
Options 66 and 150 are used mostly by Cisco IP Phones and are considered
later in this chapter. Other DHCP-related commands allow specifying some
internal parameters for the server. It is possible to change the default lease time
(the amount of time for which an IP address is provided to the client):
dhcpd lease
This command specifies the time in seconds. The default value is 3600, and
possible values are from 300 seconds to 2,147,483,647 seconds. The following
command sets a maximum ping timeout in milliseconds (1/1000th of a second):
dhcpd ping_timeout
The PIX uses ping to ensure that another host on the network does not
already have the IP address it is about to grant. If no host with this IP replies
during this timeout, the IP is considered free. The ping timeout specifies how
long the PIX will wait for a ping reply to ensure that a host with the same IP
address does not already exist on the network.
Finally, the following command allows the DHCP server to automatically
obtain DNS, WINS, and domain parameters from a DHCP client configured on
the outside interface:
PIX1(config)# dhcpd auto_config outside
An example of a SOHO configuration follows. It includes a DHCP client on
the outside interface and a DHCP server on the inside interface, and it passes
parameters from the client to the server:
PIX1(config)# ip address outside dhcp setroute
PIX1(config)# ip address inside 192.168.2.1 255.255.255.0
PIX1(config)# dhcpd address 192.168.2.201-192.168.2.210
PIX1(config)# dhcpd lease 3000
PIX1(config)# dhcpd auto_config outside
PIX1(config)# dhcpd enable
PIX1(config)# nat (inside) 1 0 0
PIX1(config)# global (outside) 1 interface
Without auto configuration, the example may look like this:
PIX1(config)# ip address outside dhcp setroute
PIX1(config)# ip address inside 192.168.2.1 255.255.255.0
PIX1(config)# dhcpd address 192.168.2.201-192.168.2.210
PIX1(config)# dhcpd lease 3000
PIX1(config)# dhcpd dns 1.2.3.4 1.2.3.31
PIX1(config)# dhcpd wins 192.168.2.20
PIX1(config)# dhcpd domain example.com
PIX1(config)# dhcpd enable
PIX1(config)# nat (inside) 1 0 0
PIX1(config)# global (outside) 1 interface
Commands are available for checking the state of the server. For example:
PIX1(config)# show dhcpd
dhcpd address 192.168.2.201-192.168.2.210 inside
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd dns 1.2.3.4 1.2.3.31
dhcpd enable inside
Other commands show the current state of IP bindings (which client has
been assigned which IP address) and general server statistics:
PIX1(config)# show dhcpd binding
IP Address Hardware Address Lease Expiration Type
192.168.2.210 0100.a0c9.777e 84985 seconds automatic
Here, a client with MAC address 0100.a0c9.777e has acquired IP address
192.168.2.210, and this lease will expire in 84985 seconds:
PIX1(config)# show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1
These statistics show the number of IP address pools configured, the number
of active leases (bindings), expired bindings, messages received with errors, and a
detailed breakdown by message type of correctly received and sent messages.
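As an added illustration (not from the book), the following Python parses the two show dhcpd listings above, using constructed samples modelled on them, and flags what an operator would want to check routinely: malformed messages received, DHCPNAKs sent, an exhausted pool, and leases close to expiry. The function names are my own, and the column layout assumed for show dhcpd binding is the one shown in this section.

```python
import ipaddress
import re
# Constructed samples modelled on the "show dhcpd binding" and "show dhcpd statistics" listings above.
BINDING_OUTPUT = """\
IP Address Hardware Address Lease Expiration Type
192.168.2.210 0100.a0c9.777e 84985 seconds automatic
"""
STATISTICS_OUTPUT = """\
Automatic Bindings 1
Malformed messages 0
Message Sent
DHCPNAK 1
"""
BINDING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s+seconds\s+(\w+)$")

def pool_size(address_range):
    """Number of addresses in a 'dhcpd address A-B' range (inclusive)."""
    first, last = (ipaddress.IPv4Address(a) for a in address_range.split("-"))
    return int(last) - int(first) + 1

def parse_bindings(text):
    """Map ip -> (mac, seconds_left, type) from 'show dhcpd binding' output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            ip, mac, secs, kind = m.groups()
            bindings[ip] = (mac, int(secs), kind)
    return bindings

def parse_statistics(text):
    """Map counter name -> value; headers such as 'Message Sent' carry no value and are skipped."""
    stats = {}
    for line in text.splitlines():
        name, _, value = line.strip().rpartition(" ")
        if name and value.isdigit():
            stats[name] = int(value)
    return stats
def review(bindings, stats, size, expiry_threshold=3600):
    """Conditions an operator would want flagged from a routine check."""
    findings = []
    if stats.get("Malformed messages", 0):
        findings.append("malformed DHCP messages received")
    if stats.get("DHCPNAK", 0):
        findings.append("DHCPNAK sent: a client requested an address the server would not grant")
    if stats.get("Automatic Bindings", 0) >= size:
        findings.append("address pool exhausted")
    for ip, (mac, secs, _) in bindings.items():
        if secs < expiry_threshold:
            findings.append(f"lease for {ip} ({mac}) expires in {secs} seconds")
    return findings
```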
Cisco IP Phone-Related Options
As described in the "Skinny Client Control Protocol" section, Cisco IP Phones
use a TFTP server for obtaining most of their configuration. This address can be
configured statically, but it is also possible to use special DHCP options in order
to provide phones with the location of the TFTP server. Clients can send to
DHCP servers messages with options of two types: number 66, which causes the
server to send the name of one TFTP server, and option 150, which results in a list
of IP addresses of one or two TFTP servers. These options are supported starting
from version 6.2 of PIX software and are configured with the following
commands:
dhcpd option 66 ascii
dhcpd option 150 ip
For example:
PIX1(config)# dhcpd option 66 ascii tftp.example.com
PIX1(config)# dhcpd option 150 ip 1.2.3.4 2.3.4.5
Because the server runs only on the inside interface, IP Phones should be
placed on the network directly connected to this interface.
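To make the difference between option 66 (an ASCII server name) and option 150 (a list of IP addresses) concrete, here is an added Python example, not from the book and not the PIX's own packet code, that builds and parses the option field a server reply would carry for the configuration in this section. The option codes are assumed from RFC 2132 (subnet mask 1, DNS 6, domain name 15, WINS 44, lease time 51, TFTP server name 66) and from Cisco's option 150; the function names are my own.

```python
import ipaddress
import struct
# Option codes: RFC 2132 for 1, 6, 15, 44, 51 and 66; 150 is Cisco's TFTP server address list.
SUBNET_MASK, DNS_SERVER, DOMAIN_NAME, WINS_SERVER, LEASE_TIME = 1, 6, 15, 44, 51
TFTP_SERVER_NAME, TFTP_SERVER_ADDRESSES, END = 66, 150, 255

def _ips(addresses):
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)

def encode_options(mask, dns, domain, wins, lease, tftp_name=None, tftp_ips=()):
    """Build the option field of a server reply for this configuration.
    Each option is TLV: one-byte code, one-byte length, value; 66 carries ASCII, 150 carries IPs."""
    fields = [(SUBNET_MASK, _ips([mask])), (LEASE_TIME, struct.pack("!I", lease)),
              (DOMAIN_NAME, domain.encode("ascii")), (DNS_SERVER, _ips(dns))]
    if wins:
        fields.append((WINS_SERVER, _ips(wins)))
    if tftp_name:
        fields.append((TFTP_SERVER_NAME, tftp_name.encode("ascii")))
    if tftp_ips:
        fields.append((TFTP_SERVER_ADDRESSES, _ips(tftp_ips)))
    out = bytearray()
    for code, value in fields:
        if not 1 <= len(value) <= 255:
            raise ValueError(f"option {code}: bad length {len(value)}")
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([END])

def decode_options(data):
    """Parse TLV options into {code: value}; stops at END, rejects truncated input."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END:
            return out
        if code == 0:  # PAD: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing END option")

def decode_addresses(value):
    """Split an option 6/44/150 value back into dotted quads, rejecting odd lengths."""
    if not value or len(value) % 4:
        raise ValueError("address list length not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]
```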