
Cisco Firewall Configuration Fundamentals

Chapter Description

This chapter describes the configuration fundamentals for IOS and ASA-based firewalls, highlighting the similarities between the product families.

From the Book

Cisco Firewalls

DHCP Services

Having already studied the static and PPPoE methods of addressing, we now look at the services provided by the classic DHCP protocol. Figure 3-11 portrays a sample topology for the study of the DHCP Server and DHCP Client functionalities. Example 3-33 shows an IOS router configured as a DHCP server while the ASA acts as a client (on its outside interface). The address assigned to the ASA in this case is 172.16.200.41.

Example 3-34 also relates to the topology of Figure 3-11 and teaches how to enable the DHCP server function on ASA. The dhcpd auto_config option enables ASA to forward the parameters it receives on a given interface (as client) to another interface where it works as a server. The show running-config dhcpd command displays the configuration related to the DHCP daemon on ASA. (Notice that the auto_config attributes are shown on the running-config.) This example includes the summary information for DHCP services enabled on ASA and the lease information visible on an IOS client.

Figure 3-11 Reference Topology for DHCP Server and DHCP Client

Example 3-33. IOS as DHCP Server and ASA as DHCP Client

! Router "OUT" acts as DHCP Server for subnet 172.16.200.0/24
interface FastEthernet4.200
 encapsulation dot1Q 200
 ip address 172.16.200.200 255.255.255.0
!
ip dhcp excluded-address 172.16.200.1 172.16.200.40
ip dhcp excluded-address 172.16.200.50 172.16.200.255
!
ip dhcp pool OUT1
   network 172.16.200.0 255.255.255.0
   default-router 172.16.200.200
   dns-server 172.16.250.250
   domain-name outside.net
!
! ASA configured as a DHCP client on interface outside
ASA5505(config)# interface vlan 200
ASA5505(config-if)# ip address dhcp setroute
%ASA-6-302015: Built outbound UDP connection 46 for outside:255.255.255.255/67 (255.255.255.255/67) to identity:0.0.0.0/68 (0.0.0.0/68)
%ASA-6-604101: DHCP client interface outside: Allocated ip = 172.16.200.41, mask = 255.255.255.0, gw = 172.16.200.200
%ASA-6-302016: Teardown UDP connection 46 for outside:255.255.255.255/67 to identity:0.0.0.0/68 duration 0:02:03 bytes 1096
!
! The DHCP-learned default route becomes visible on ASA's routing table
ASA5505# show route outside | begin Gateway

Gateway of last resort is 172.16.200.200 to network 0.0.0.0
C    172.16.200.0 255.255.255.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 172.16.200.200, outside
!
ASA5505# show interface ip brief | include DHCP|Method
Interface                  IP-Address      OK? Method Status                Protocol
Vlan200                    172.16.200.41   YES DHCP   up                    up
!
! Viewing information about the DHCP Server function
OUT# show dhcp server
   DHCP server: ANY (255.255.255.255)
    Leases:   2
    Offers:   1      Requests: 1     Acks : 1     Naks: 0
    Declines: 0      Releases: 3     Query: 0     Bad: 0
    DNS0:    172.16.250.250,   DNS1:  0.0.0.0
    Subnet: 255.255.255.0   DNS Domain: outside.net

Example 3-34. ASA as DHCP Server and IOS as DHCP Client

! Displaying dhcpd configuration on ASA
ASA5505# show running-config dhcpd
dhcpd auto_config outside
   **auto-config from interface 'outside'
   **auto_config dns 172.16.250.250
   **auto_config domain outside.net
!
dhcpd address 172.16.201.60-172.16.201.69 dmz
dhcpd enable dmz
!
! Summary information about DHCP Services enabled on ASA
ASA5505# show dhcpd state
Context  Configured as DHCP Server
Interface mgmt, Not Configured for DHCP
Interface dmz, Configured for DHCP SERVER
Interface outside, Configured for DHCP CLIENT
!
! Displaying information about the DHCP lease on the IOS client
DMZ# show dhcp lease
Temp IP addr: 172.16.201.60  for peer on Interface: FastEthernet4.201
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 172.16.201.2, state: 5 Bound
   DHCP transaction id: 1E88
   Lease: 3600 secs,  Renewal: 1800 secs,  Rebind: 3150 secs
Temp default-gateway addr: 172.16.201.2
   Next timer fires after: 00:17:52
   Retry count: 0   Client-ID: cisco-0014.f2e3.7df6-Fa4.201
   Client-ID hex dump: 636973636F2D303031342E663265332E
                       376466362D4661342E323031
   Hostname: DMZ
!
! The default route learned through DHCP is visible on the IOS routing table
DMZ# show ip route | begin Gateway

Gateway of last resort is 172.16.201.2 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.201.0 is directly connected, FastEthernet4.201
S*   0.0.0.0/0 [254/0] via 172.16.201.2

Figure 3-12 represents a sample topology used for the investigation of the DHCP Relay feature. When acting as a DHCP Relay, a Layer 3 device (a router or a network firewall, for instance) converts broadcast packets from clients into unicast packets destined to a DHCP server located on a different subnet. The Relay receives replies from the servers and forwards them back to the originating client.

Figure 3-12 Reference Topology for Analysis of DHCP Relay Operation

Example 3-35 refers to the internetwork of Figure 3-12, where the ASA relays DHCP packets from clients that reside on interface dmz (subnet 172.16.201.0/24) to the server 172.16.200.200, reachable through the outside interface. Notice that the server (the OUT router) has a pool configured that offers addresses belonging to the 172.16.201.0/24 subnet, even though the server itself is not attached to that subnet. (In the example, the DMZ router receives the address 172.16.201.51/24.)

Example 3-35. ASA Acting as a DHCP Relay Between Two IOS Devices

! ASA acts as a DHCP Relay that points to server 172.16.200.200
ASA5505# show running-config dhcprelay
dhcprelay server 172.16.200.200 outside
dhcprelay enable dmz
dhcprelay setroute dmz
dhcprelay timeout 60
!
! Enabling the DHCP Client on IOS
DMZ(config)# interface f4.201
DMZ(config-subif)#ip address dhcp
DHCP: DHCP client process started: 10
RAC: Starting DHCP discover on FastEthernet4.201
DHCP: Try 1 to acquire address for FastEthernet4.201
[ output suppressed]
                B'cast on FastEthernet4.201 interface from 0.0.0.0
DHCP: Received a BOOTREP pkt
DHCP: offer received from 172.16.200.200
[ output suppressed]
Allocated IP address = 172.16.201.51  255.255.255.0
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet4.201 assigned DHCP address 172.16.201.51, mask 255.255.255.0, hostname DMZ
DHCP Client Pooling: ***Allocated IP address: 172.16.201.51
!
! Viewing the IP Addresses obtained through DHCP
DMZ# show ip interface brief | include DHCP|Method
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet4.201          172.16.201.51   YES DHCP   up                    up
!
! DHCP Relay messages on ASA
DHCPD: Relay msg received, fip=ANY, fport=0 on dmz interface
DHCPD: setting giaddr to 172.16.201.2.
dhcpd_forward_request: request from 0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31 forwarded to 172.16.200.200.
DHCPD/RA: Punt 172.16.200.200/17152 -> 172.16.201.2/17152 to CP
DHCPD: Relay msg received, fip=ANY, fport=0 on outside interface
DHCPRA: forwarding reply to client 0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31.
DHCPD: Relay msg received, fip=ANY, fport=0 on dmz interface
DHCPD: setting giaddr to 172.16.201.2.
!
! Summary information about DHCP Relay function on ASA
ASA5505# show dhcprelay state
Context  Configured as DHCP Relay
Interface mgmt, Not Configured for DHCP
Interface dmz, Configured for DHCP RELAY SERVER
Interface outside, Configured for DHCP RELAY
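The relay behaviour visible in the debug output above (giaddr set to the dmz address 172.16.201.2, the server then answering from its 172.16.201.0/24 pool, and the client identifier logged as 0063.6973... being option 61 with a type byte of 0 in front of the same ASCII string the IOS client shows as a hex dump) can be worked through offline in Python. This is an added example, not code from the book or from Cisco: the DHCPDISCOVER is constructed from the values in the example, and the pool name DMZ-POOL on the OUT router is an assumption.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed from the values in Example 3-35 (not a captured packet)
RELAY_GIADDR = "172.16.201.2"                  # ASA dmz interface, the relay agent address
CLIENT_ID_HEX = "636973636F2D303031342E663265332E376466362D4661342E323031"
POOLS = {"172.16.200.0/24": "OUT1", "172.16.201.0/24": "DMZ-POOL"}   # DMZ-POOL name is assumed

def build_discover(chaddr: bytes, client_id: bytes) -> bytes:
    """Minimal DHCPDISCOVER as the client broadcasts it: hops=0, giaddr=0.0.0.0."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                      0x1E88, 0, 0x8000,          # xid (from the IOS lease output), secs, broadcast flag
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (b"\x63\x82\x53\x63"                   # magic cookie
            + bytes([53, 1, 1])                   # option 53: DHCPDISCOVER
            + bytes([61, len(client_id)]) + client_id   # option 61: client identifier
            + b"\xff")                            # end option
    return hdr + opts

def relay_request(pkt: bytes, relay_ip: str) -> bytes:
    """Relay step: fill giaddr only if it is still 0.0.0.0, increment hops.
    The ASA then sends the result as unicast to the configured dhcprelay server."""
    hops, giaddr = pkt[3], pkt[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ip_address(relay_ip).packed
    return pkt[:3] + bytes([hops + 1]) + pkt[4:24] + giaddr + pkt[28:]

def select_pool(pkt: bytes) -> str:
    """Server step: a relayed request is matched to a pool by giaddr, which is why
    the OUT router needs a pool for 172.16.201.0/24 although it is not on that subnet."""
    giaddr = ip_address(pkt[24:28])
    for net, name in POOLS.items():
        if giaddr in ip_network(net):
            return name
    raise LookupError("no pool covers giaddr %s" % giaddr)

def get_option(pkt: bytes, code: int) -> bytes:
    """Walk the option area (starts after the 4-byte cookie at offset 236)."""
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                           # pad option has no length byte
            i += 1
            continue
        c, ln = pkt[i], pkt[i + 1]
        if c == code:
            return pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    raise KeyError(code)

def decode_client_id(option61: bytes) -> str:
    """Option 61 = type byte + identifier; type 0 is an opaque (here ASCII) string."""
    ctype, body = option61[0], option61[1:]
    return body.decode() if ctype == 0 else body.hex()
```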