The PIX firewall supports Dynamic Host Configuration Protocol (DHCP) servers and DHCP clients. DHCP is a protocol that provides automatic configuration parameters to an Internet host. This protocol has two components:
A DHCP server is a computer that provides configuration parameters to a DHCP client, and a DHCP client is a computer or network device that uses DHCP to obtain network configuration parameters.
The primary purpose of implementing the DHCP server and DHCP client features in the PIX firewall is to significantly simplify the configuration of the PIX firewall unit.
This section includes the following:
DHCP clients (DHCP client)
DHCP client support in the PIX firewall is specifically designed for small office, Home Office (SOHO) environments where the PIX firewall is used directly to connect to a DSL or cable modem that supports DHCP server functionality. With the implementation of the DHCP client feature on the PIX firewall, the PIX firewall acts as a DHCP client for the DHCP server, allowing the server to configure the startup interface of the unit with IP address, subnet mask, and optional default routeThe use of DHCP client attributes to obtain an IP address from a generic DHCP server is not supported. In addition, the PIX firewall DHCP client does not support failover configuration.
To support the DHCP client features in the PIX firewall, the following improvements are made:
The IP address DHCP command starts the DHCP client feature on the specified PIX firewall interface. The optional setroute parameter allows the PIX firewall to set the default route using the default gateway parameters returned by the DHCP server.
The Debug DHCPC command provides error-correcting tools for the boot DHCP client feature.
The PIX firewall commands that are used to implement the DHCP client are described in the IP Address command page and the Debug command page of the Cisco PIX Firewall Command Reference. Please see these command pages for specific information.
Note the IP address of the external interface required by DHCP can also be used as the PAT Global address. This eliminates the need for the ISP to assign a static IP address to the PIX firewall. Use the global command with the interface keyword to make the PAT use the external interface IP address required by DHCP. For specific information about the global command, refer to the Global command page in the Cisco PIX Firewall Command Reference.
To start the DHCP client attribute and set the default route (enabling the "DHCP" client Feature and Setting default Route)
To start the DHCP client feature on a given PIX firewall interface and set the default route through the DHCP server, you configure the IP address DHCP setroute command as part of your entire PIX firewall configuration, including the Setroute option. Specifies the name of the interface on which the DHCP client will be started.
DHCP servers (DHCP server)
DHCP server support in the PIX firewall is specially designed for remote home or branch office (ROBO) environments that use PIX 506. Connected to the PIX firewall are PC clients and other network devices (DHCP clients) that establish unsecured (unencrypted) or secure (encrypted with IPSec) network connections to access the enterprise or corporate network. As a DHCP server, the PIX firewall provides network configuration parameters to DHCP clients by using DHCP. These configuration parameters provide DHCP clients with network parameters for accessing the Enterprise network, as well as parameters used by network services such as DNS servers in the network.
Prior to release 5.3 software, the PIX firewall DHCP server supported 10 DHCP clients, PIX Firewalls 5.3 and later, supported 32 DHCP clients on the PIX firewall and supported 256 on other platforms. In Release 6.0 or later, the PIX firewall DHCP server supports 256 DHCP clients. You cannot configure 1 DHCP servers for 256 clients using the Class C network mask. For example, if a company has a Class C network address 172.17.1.0 with a network mask 255.255.255.0, then 172.17.1.0 (network IP) and 172.17.1.255 (broadcast) cannot be within the DHCP address pool range. In addition, an address is used for the PIX firewall interface. Therefore, if a user uses a Class C network mask, it can only have up to 253 DHCP clients. If you want to configure 256 clients, you cannot use the Class C network mask.
Note the PIX firewall DHCP server does not support BOOTP requests and failover configuration. The PIX firewall commands used to implement the DHCP server feature are described in the DHCP command page and the Debug command page of the Cisco PIX Firewall Command Reference. Please see these command pages for specific information.
Configure the DHCP server features (Configuring the "DHCP" Feature)
Make sure that the IP address command is used to configure the subnet mask for the IP addresses and the inside interface before starting the DHCP server feature.
Follow these steps to start the DHCP server feature on a given PIX firewall interface. (Steps 1 through 6 are required).
| Step 1 | Use the DHCPD address command to specify a pool of DHCP addresses. The PIX Firewall assigns one of the addresses in this pool to the client and is used for a given length of time. The default value is the inside interface. For example: DHCP address 10.0.1.101-10.0.1.110 inside |
| Step 2 | Optionally, specify the IP address of the DNS server that the client will use. You can specify up to 2 DNS servers. For example: DHCPD DNS 209.165.201.2 209.165.202.129 |
| Step 3 | Optionally, specify the IP address of the WINS server that the client will use. You can specify up to 2 WINS servers. For example: DHCPD wins 209.165.201.5 |
| Step 4 | Specifies the length of the lease time granted to the client. This is equivalent to the length of time, in seconds, that the client can use the IP address assigned to it before the lease expires. The default value is 3,600 seconds. For example: DHCPD Lease 3000 |
| Step 5 | Optionally, configure the domain name that the client will use. For example: DHCPD domain example.com |
| Step 6 | Start the DHCP port monitor program in the PIX firewall to receive requests for DHCP clients on the boot interface. You can now start the DHCP server feature only on the inside interface (the default). For example: DHCPD Enable inside |
The following example is the configuration list for the above procedure.
! Set the IP address of the inside interface
IP address inside 10.0.1.2 255.255.255.0
! Configure the network parameters the client would use once in the corporate network and
DHCPD address 10.0.1.101-10.0.1.110
DHCPD DNS 209.165.201.2 209.165.202.129
DHCPD wins 209.165.201.5
DHCPD Lease 3000
DHCPD domain example.com
! Enable DHCP server daemon on the inside interface
DHCPD Enable inside
The following example configures the DHCP address pool and DNS server addresses with an internal interface that initiates the DHCP server characteristics:
DHCPD address 10.0.1.100-10.0.1.108
DHCPD DNS 209.165.200.227
DHCPD Enable
The following example is the configuration of a DHCP address pool and uses the Auto_config command to configure Dns,wins and domain parameters: DHCPD addresses 10.0.1.100-10.0.1.108
DHCPD Auto_config
DHCPD Enable
The following is a partial configuration example of the DHCP server and IPSec features configured on a PIX firewall in a remote office. The PIX 506 Unit VPN Peer is another PIX firewall with an external interface IP address of 209.165.200.228, as a gateway to the corporate network.
! Configure interface IP Address
IP address outside 209.165.202.129 255.255.255.0
IP address inside 172.17.1.1 255.255.255.0
! Configure IPSec with Corporate pix
Access-list ipsec-peer Permit IP 172.17.1.0 255.255.255.0 192.168.0.0 255.255.255.0
IPSec Transform-set MySet esp-des Esp-sha-hmac
Crypto map Mymap IPSEC-ISAKMP
Crypto map Mymap match address Ipsec-peer
Crypto map Mymap set Transform-set MySet
Crypto map Mymap set peer 209.165.200.228
Crypto map Mymap interface outside
Sysopt Connection Permit-ipsec
Nat (inside) 0 access-list Ipsec-peer
ISAKMP Policy Authentication Preshare
ISAKMP Policy Encryption des
ISAKMP Policy Hash sha
ISAKMP Policy Group 1
ISAKMP Policy Lifetime 3600
ISAKMP key 12345678 address 0.0.0.0 netmask 0.0.0.0
ISAKMP enable outside
!configure DHCP server address
DHCPD address 172.17.1.100-172.17.1.109
DHCPD DNS 192.168.0.20
DHCPD wins 192.168.0.10
DHCPD Lease 3000
DHCPD domain example.com
! Enable DHCP server on Inside interface
DHCPD Enable
! Use outside interface IP as PAT global address
Nat (inside) 1 0 0
Global (outside) 1 interface
Iv. use SNMP (using SNMP)
The Snmp_server command enables the PIX firewall to send SNMP traps so that the PIX firewall can be monitored remotely.
Use the Snmp-server host command to specify which systems can accept SNMP traps. This section includes the following:
Introduction (Introduction)
The available PIX Firewall SNMP mib-ii groups have systems (System) and interfaces (interfaces).
Cisco Firewall MIB and Cisco memory Pool MIB are also available.
All SNMP values are read only (RO)
With SNMP, you can monitor system events on the PIX firewall. SNMP events can be read, but PIX anti-
The information on the firewall cannot be changed with SNMP. The PIX firewall SNMP traps available with the SNMP management station are as follows:
· Universal Traps
-Up link and down link (cable is connected to the interface or not; The cable is working or not working)
-State interface)
-Cold start
-Verify failure (common string mismatch)
· Security-related events sent via the Cisco Syslog MIB:
-Deny global access
-Failover System Log information
-System Log Information
Use Ciscoworks for Windows or any other SNMP V1, MIB-II compatible browser to receive
SNMP Traps and browses the MIB. SNMP traps appear on UDP port 162.
MIB support (MIB Support)
Note that the PIX firewall does not support browsing of Cisco System Log MIB. You can browse Mib-ii's systems and interfaces
Group. MIB browsing is different from sending traps. Browsing means executing the snmpget of the MIB tree from the management station or
Snmpwalk the command to determine the value.
| pix platform | system OID | ||||
| pix td> | .1.3.6.1.4.1.9.1.389 | ||||
| PIX 515 | pix 520 | pix 525 | pix 535 | other | .1.3.6.1.4.1.9.1.227 (initial PIX firewall oid) |
Receive requests and send system log traps
Follow these steps to receive requests and send traps from the PIX firewall to the SNMP management station:
| Step 1 | Use the Snmp-server Host command to determine the IP address of the SNMP management station. |
| Step 2 | Set Snmp-server location, contact, and community password options on demand. If you only need to send a cold start, up link, down link generic trap, no further configuration is required. If you only want to receive SNMP requests, no further configuration is required. |
| Step 3 | Add a Snmp-server Enable traps command statement?/td> |
| Step 4 | To set the record level with the Logging History command: Logging History debugging We recommend that you use the debugging level during initial setup and testing. The level is then lowered from debugging to a lower value for production. (The Logging History command sets the severity for SNMP system log information). |
| Step 5 | Starts sending a system log trap to the management station with the logging on command. |
| Step 6 | If you want to prohibit the sending of system log traps, use the no logging on or no snmp-server enable traps command. |
The commands in the following table define that the PIX firewall can receive from the host 192.168.3.2 on the internal interface
SNMP requests, but does not send SNMP system logs to any host.
Snmp-server Host 192.168.3.2
Snmp-server Location Building 42
Snmp-server Contact Polly Hedra
Snmp-server Community Ohwhatakeyisthee
The location and contact commands determine the location of the host and who manages the host. Community command Specifies
The password used in the PIX Firewall SNMP agent and SNMP management station to verify network access between the two systems.
Edit Cisco System log MIB file (compiling Cisco Syslog MIB files)
To receive security and failover SNMP traps from the PIX firewall, Cisco SMI MIB and Cisco Systems need to be
The journal MiB is edited into your SNMP management application. If you did not edit the Cisco system Log MIB into your
, you can only receive traps for up or down links, firewall cold start, and validation failures.
In this page, select the PIX Firewall from the Cisco Security and VPN selection list.
Follow these steps to edit the Cisco system Log MIB file using Ciscoworks for Windows (SNMPC)
into your browser:
| Step 1 | Obtain Cisco System log MIB files. |
| Step 2 | Start SNMPC. |
| Step 3 | Click Config>complile MIB. |
| Step 4 | Scroll the cursor to the bottom of the list and click on the last item. |
| Step 5 | Click Add. |
| Step 6 | Cisco system log MIB files found. |
| Attention | For some applications, only files with the. mib extension can be displayed in the SNMPC File Selection window. Cisco system log MIB files with the. My extension are not displayed. In this example, you should manually change the. my extension to a. mib extension. |
| Step 7 | Click cisco-firewall-mib.my (CISO-FIREWALL-MIB.MIB) and click ok?/td> |
| Step 8 | Scroll the cursor to the bottom of the list and click on the last item. |
| Step 9 | Click Add. |
| Step 10 | Find File cisco-memory-pool-mib.my (cisco-memory-pool-mib.mib) and click OK. |
| Step 11 | Scroll the cursor to the bottom of the list and click on the last item. |
| Step 12 | Click Add. |
| Step 13 | Find File cisco-smi.my (cisco-smi.mib) and click OK. |
| Step 14 | Scroll the cursor to the bottom of the list and click on the last item. |
| Step 15 | Click Add. |
| Step 16 | Find File cisco-syslog-mib.my (cisco-syslog-mib.mib) and click OK. |
| Step 17 | Click Load All. |
| Step 18 | If no error, restart SNMPC. |
Note that these instructions are for SNMPC only (Ciscoworks for Windows).
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
