Firewalls - Using DHCP
The firewall supports Dynamic Host Configuration Protocol. DHCP is a protocol that supplies automatic configuration parameters to Internet hosts. This protocol has two components:
- Protocol for delivering host-specific configuration parameters from a DHCP Server to a host (DHCP client)
- Mechanism for allocating network addresses to hosts
A DHCP Server is simply a computer that provides configuration parameters to a DHCP client, and a DHCP client is a computer or network device that uses DHCP to obtain network configuration parameters.
The primary purpose of implementing the DHCP Server and DHCP client features into the firewall is to significantly simplify the configuration of a firewall unit.
DHCP Client
DHCP client support within the firewall is designed for use within a small office, home office (SOHO) environment using a firewall that is directly connected to a DSL or cable modem that supports the DHCP Server function. With the DHCP client feature enabled on a firewall, the firewall functions as a DHCP client to a DHCP Server allowing the server to configure the unit's enabled interface with an IP address, subnet mask, and optionally a default route.
Use of the DHCP client feature to acquire an IP address from a generic DHCP Server is not supported. Also, the firewall DHCP client does not support firewall configurations.
To support the DHCP client feature within the firewall, the following enhancements were made:
- Enhanced the ip address and the show ip address commands:
  - ip address if_name dhcp [setroute] [retry retry_cnt]
  - ip address outside dhcp [setroute] [retry retry_cnt]
  - show ip address if_name dhcp
- Added new debug commands:
  - debug dhcpc packet
  - debug dhcpc detail
  - debug dhcpc error
The ip address dhcp command enables the DHCP client feature on the specified firewall interface. The optional setroute argument tells the firewall to set the default route using the default gateway parameter the DHCP Server returns.
The debug dhcpc commands provide debugging tools for the enabled DHCP client feature.
The DHCP-acquired IP address of the outside interface can also be used as the PAT global address. This makes it unnecessary for the ISP to assign a static IP address to the firewall. Use the global command with the interface keyword to enable PAT to use the DHCP-acquired IP address of the outside interface. For more information about the global command, see the global command page in the Cisco firewall Command Reference.
Enabling the DHCP Client Feature and Setting Default Route
To enable the DHCP client feature on a given firewall interface and set the default route via the DHCP Server, enter the ip address if_name dhcp setroute command as part of the firewall configuration, where if_name is the name of the interface on which the DHCP client will be enabled. Without the setroute option the interface receives only its IP address and subnet mask from the DHCP Server.
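As an added example (not Cisco's code, and not from this page), the decoder below parses a DHCP OFFER into the parameters this section and the DHCP Server section describe: the client's address, subnet mask and default route (what setroute installs), plus the DNS, WINS, lease and domain values the dhcpd commands configure. The packet is constructed inline from the page's example addresses; the transaction id and the build_offer helper are my own assumptions.

```python
from socket import inet_aton, inet_ntoa
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
def _ips(data):
    return [inet_ntoa(data[i:i + 4]) for i in range(0, len(data), 4)]
# RFC 2132 option code -> (name, decoder) for the parameters the page describes
DECODE = {
    1: ("subnet_mask", lambda v: _ips(v)[0]),
    3: ("router", lambda v: _ips(v)[0]),           # the default route setroute installs
    6: ("dns", _ips),                               # dhcpd dns (up to two addresses)
    15: ("domain", lambda v: v.decode("ascii")),    # dhcpd domain
    44: ("wins", _ips),                             # dhcpd wins (up to two addresses)
    51: ("lease", lambda v: struct.unpack("!I", v)[0]),  # dhcpd lease, in seconds
    53: ("msg_type", lambda v: v[0]),               # 2 = DHCPOFFER
}

def parse_offer(pkt):
    """Return the parameters a DHCP OFFER carries; raise ValueError if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if pkt[0] != 2:  # op must be BOOTREPLY; a client ignores anything else
        raise ValueError("not a BOOTREPLY")
    result = {"xid": struct.unpack("!I", pkt[4:8])[0], "yiaddr": inet_ntoa(pkt[16:20])}
    i = 240
    # stop at the End option (255) or when no complete code/length header remains
    while i + 1 < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:  # Pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option %d" % code)
        i += 2 + length
        if code in DECODE:
            name, decode = DECODE[code]
            result[name] = decode(val)
    return result

def build_offer(yiaddr, options, xid=0x3903F326):
    # Fixed BOOTP header: op=2 (BOOTREPLY), htype=1, hlen=6, hops=0, xid, secs, flags
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    hdr += b"\0" * 4 + inet_aton(yiaddr) + b"\0" * 216  # ciaddr, yiaddr, siaddr..file
    return hdr + MAGIC_COOKIE + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

# Constructed OFFER (test data, not a capture) from a server at 10.0.1.2 using the page's values
SAMPLE_OFFER = build_offer("10.0.1.101", [
    (53, b"\x02"), (1, inet_aton("255.255.255.0")), (3, inet_aton("10.0.1.2")),
    (6, inet_aton("209.165.201.2") + inet_aton("209.165.202.129")),
    (44, inet_aton("209.165.201.5")), (51, struct.pack("!I", 3000)), (15, b"example.com")])
```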
DHCP Server
DHCP Server support within the firewall is designed for use within a branch office environment using a PIX 506 unit. Connecting to the firewall are PC clients and other network devices (DHCP clients) that establish network connections that are either insecure (unencrypted) or secure (encrypted using IPSec) to access an enterprise or corporate network.
As a DHCP Server the firewall provides network configuration parameters to the DHCP clients. These configuration parameters provide a DHCP client the networking parameters used to access the enterprise network, and once in the network, the network services to use, such as the DNS server.
Using a Class C netmask, the PIX Firewall DHCP Server supports up to 253 DHCP clients.
The firewall DHCP Server does not support BOOTP requests and failover configurations.
The firewall commands used to implement the DHCP Server feature are described in the dhcpd command page and the debug command page in the Cisco firewall Command Reference. Refer to these command pages for more information.
Configuring the DHCP Server Feature
Configure the IP address and the subnet mask of the inside interface using the ip address command prior to enabling the DHCP Server feature.
Follow these steps to enable the DHCP Server feature on a given firewall interface.
(Steps 1 and 6 are required.)
- Specify a DHCP address pool using the dhcpd address command. The firewall will assign to a client one of the addresses from this pool to use for a given length of time. The interface argument defaults to inside.
For example:
dhcpd address 10.0.1.101-10.0.1.110 inside
- (Optional) Specify the IP address(es) of the DNS server(s) the client will use. You can specify up to two DNS servers. For example:
dhcpd dns 209.165.201.2 209.165.202.129
- (Optional) Specify the IP address(es) of the WINS server(s) the client will use. You can specify up to two WINS servers.
For example:
dhcpd wins 209.165.201.5
- Specify the lease length to grant the client. This lease equals the amount of time (in seconds) the client can use its allocated IP address before the lease expires. The default value is 3600 seconds.
For example:
dhcpd lease 3000
- (Optional) Specify the domain name the client will use.
For example:
dhcpd domain example.com
- Enable the DHCP daemon within the firewall to listen for DHCP client requests on the enabled interface. Currently, you can only enable the DHCP Server feature on the inside interface, which is the default.
For example:
dhcpd enable inside
The following example shows a configuration listing for the previous procedure.
! set the ip address of the inside interface
ip address inside 10.0.1.2 255.255.255.0
! configure the network parameters the client will use once in the corporate network
dhcpd address 10.0.1.101-10.0.1.110
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd wins 209.165.201.5
dhcpd lease 3000
dhcpd domain example.com
! enable dhcp server daemon on the inside interface
dhcpd enable inside
The following example shows the configuration of a DHCP address pool and a DNS server address with the inside interface being enabled for the DHCP Server feature:
dhcpd address 10.0.1.100-10.0.1.108
dhcpd dns 209.165.200.227
dhcpd enable
The following example shows the configuration of a DHCP address pool and uses the auto_config command to configure the dns, wins, and domain parameters:
dhcpd address 10.0.1.100-10.0.1.108
dhcpd auto_config
dhcpd enable
The following is a partial configuration example of the DHCP Server and IPSec features configured on a firewall that is within a remote office. The PIX 506 unit's VPN peer is another firewall that has an outside interface IP address of 209.165.200.228 and functions as a gateway for a corporate network.
! configure interface ip address
ip address outside 209.165.202.129 255.255.255.0
ip address inside 172.17.1.1 255.255.255.0
! configure ipsec with corporate pix
access-list ipsec-peer permit ip 172.17.1.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address ipsec-peer
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set peer 209.165.200.228
crypto map mymap interface outside
sysopt connection permit-ipsec
nat (inside) 0 access-list ipsec-peer
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
! configure dhcp server address
dhcpd address 172.17.1.100-172.17.1.109
dhcpd dns 192.168.0.20
dhcpd wins 192.168.0.10
dhcpd lease 3000
dhcpd domain example.com
! enable dhcp server on inside interface
dhcpd enable
! use outside interface ip as PAT global address
nat (inside) 1 0 0
global (outside) 1 interface
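An added pre-flight check and renderer for the DHCP Server procedure above, written for this page and not Cisco's code. It encodes the limits the page states (pool on the inside interface's subnet, at most 253 clients with a Class C mask, at most two DNS and two WINS servers, 3600-second default lease) and assumes the pool is given in the start-end form the dhcpd address command uses; the function names are my own.

```python
import ipaddress

# Limits stated on the page
MAX_SERVERS = 2    # dhcpd dns / dhcpd wins accept up to two addresses
MAX_CLIENTS = 253  # a Class C netmask leaves 253 usable client addresses

def check_dhcpd(inside_ip, inside_mask, pool, dns=(), wins=(), lease=3600):
    """Return a list of problems with a planned dhcpd configuration (empty = consistent)."""
    problems = []
    iface = ipaddress.ip_interface(f"{inside_ip}/{inside_mask}")
    net = iface.network
    lo, hi = (ipaddress.ip_address(a.strip()) for a in pool.split("-"))
    if lo > hi:
        problems.append(f"pool start {lo} is above pool end {hi}")
    for a in (lo, hi):
        if a not in net:
            problems.append(f"{a} is not on the inside subnet {net}")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if lo <= iface.ip <= hi:
        problems.append(f"pool includes the firewall's own address {iface.ip}")
    if int(hi) - int(lo) + 1 > MAX_CLIENTS:
        problems.append(f"pool exceeds the {MAX_CLIENTS}-client limit")
    for kind, servers in (("dns", dns), ("wins", wins)):
        if len(servers) > MAX_SERVERS:
            problems.append(f"more than {MAX_SERVERS} {kind} servers")
        for s in servers:
            ipaddress.ip_address(s)  # raises ValueError on a malformed address
    if int(lease) <= 0:
        problems.append("lease must be a positive number of seconds")
    return problems

def render_dhcpd(inside_ip, inside_mask, pool, dns=(), wins=(), lease=3600, domain=None):
    """Emit the ip address and dhcpd command lines in the order the page's procedure uses."""
    lines = [f"ip address inside {inside_ip} {inside_mask}",
             f"dhcpd address {pool} inside"]
    if dns:
        lines.append("dhcpd dns " + " ".join(dns))
    if wins:
        lines.append("dhcpd wins " + " ".join(wins))
    lines.append(f"dhcpd lease {lease}")
    if domain:
        lines.append(f"dhcpd domain {domain}")
    lines.append("dhcpd enable inside")
    return lines
```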