One of our offices uses a Cisco ASA/PIX and we want to manage all the IP address allocations with DHCP. The main benefit of this is that the dynamic IP address allocations can be managed centrally. If we change the default gateway of the network then no one needs to make any changes to the network settings on their devices.
Each device on the network gets an IP address when they ask for it and keeps it for a fixed amount of time called a lease. When that time has expired the device releases the address and asks for another. In most cases the device will be given the same information again by the DHCP server.
If you have a network with a lot of laptops, phones, tablets or printers then devices will come and go quite frequently. You will find that if you switch off the device for any amount of time it will come back with a different address. For laptops and personal devices this doesn't matter. However if the device is a shared resource like a printer or file server then it can be a problem. Anyone who still wants to use that shared resource now needs to know about its new address.
We want to be able to tell the DHCP server that while it can allocate IP addresses from a certain pool we want to make sure that it can only allocate some of them to specific network devices. This will ensure that if a printer goes for repair and comes back in a week, when it's switched back on it will have the same IP address that it always had.
Unfortunately there isn't a structured way of doing this with a Cisco ASA/PIX so we need to find a work-a-round.
The following instructions describe how to do this but they also describe how to get into the administration section of the Cisco ASA/PIX because most of the instructions (on the internet) assume you know how to do this already. There is a strong argument that you should know what you are doing before you play with a router/firewall's configuration but if your network man is on holiday then you might have to get your hands dirty yourself.
There are various GUIs to help with this kind of administration and that's fine if you are at the customer's site but most of the time I'm not. Short of connecting to the VPN and using the management console the easiest way is to go in on the command line using telnet.
In the following scenario we have been told that the printer is set to use DHCP and its current IP address is
192.168.1.69. We want to add that to the pool and make sure it is given the same IP address each time.
So connect to the Cisco ASA/PIX. There's no user name only a password, so enter the user level password:
host# telnet 192.168.1.254 User Access Verification Password: *** Type help or '?' for a list of available commands. cisco>
Once logged in we need to switch to the administration mode.
cisco> enable Password: ***
The user told us the printer was currently switched on so we can read the router's Address Resolution Protocol table which lists the mappings between IP addresses and Media Access Control address (MAC address or address network card address). We'll need the MAC address as it is the reference the router talks to whereas the IP address is only an abstraction.
cisco# show arp inside 192.168.1.69 0c1b.ae43.bd21
Now we can check that the
192.168.1.69 address is in the pool of DHCP addresses
cisco# show running-config dhcpd dhcpd address 192.168.1.20-192.168.1.70 inside dhcpd dns 188.8.131.52 184.108.40.206 interface inside dhcpd domain 360inspire.com interface inside dhcpd enable inside !
which it is and we can check that the MAC address is not currently assigned to anything else.
cisco# show running-config arp cisco#
Our sanity checks are ok so we are ready to proceed with the update. We must enter the configuration section by specifying that we will change the configuration from the terminal.
cisco# configure terminal cisco(config)#
Once in the configuration section we can start changing the settings. The following line says that when we see the MAC address
0c1b.ae43.bd21 we are going to statically refer to it with the IP address of
192.168.1.69. The Cisco ASA/PIX knows that this is already in the DHCP pool and won't allocate it again.
cisco(config)# arp inside 192.168.1.69 0c1b.ae43.bd21
We can check the change has been added with the following command:
cisco(config)# show running-config arp arp inside 192.168.1.69 0c1b.ae43.bd21 cisco(config)#
If you have miss-typed or you would like to remove an old entry you can do so by prefixing the existing command with
no. For example:
no arp inside 192.168.1.69 0c1b.ae43.bd21
The changes are currently only made in memory, so we need to write the current running configuration down to disk.
cisco(config)# write mem Building configuration... Cryptochecksum: 389f1812 7c29dd7b 50ad4ca0 4ce3fd5e 4396 bytes copied in 1.480 secs (4396 bytes/sec) [OK] cisco(config)#
And finally the job is done so we exit cleanly
cisco(config)# cisco(config)# exit cisco# exit Logoff Connection closed by foreign host.
Rebooting the printer will result in the printer coming back with the same IP address.
Many thanks to goldplated for his original article.
Comment from: Hellbent [Visitor]
Comment from: Dan [Visitor]
Did your Host B get then another IP or does the ASA fall in a Loop?
That´s also does not work for me :
#sh running-config arp arp lan_corp 10.11.254.180 4c80.933c.faff
sh dhcpd binding all | include ff
10.11.254.151 014c.8093.3cfa.ff 3420 seconds Automatic
I have set the below arp related configs : arp lan_corp 10.11.254.180 4c80.933c.faff arp timeout 14400 no arp permit-nonconnected
Have also tried with the permit-nonconnected enabled but nothing.
The version of the ASA software is 9.1(3)
Comment from: Ryan [Visitor]
Comment from: mick [Visitor]
Ive been looking for this solution myself. I also tested this and it doesnt seem to work.
test config: arp inside 10.6.0.75 001b.38be.c7fa dhcpd address 10.6.0.70-10.6.0.80 inside
connect the laptop and look at dhcp binding and arp: show dhcpd binding IP address Client Identifier
inside 10.6.0.70 001b.38be.c7fa 517 inside 10.6.0.75 001b.38be.c7fa -
the firewall shows the reserved arp but still issues the laptop the first ip from the dhcp pool.
Comment from: Peter Dornauer [Visitor]
Comment from: Marr [Visitor]
This will work,but you have to set you dhcp scope high and give static IP addresses to your devices from below the dhcp scope. For example:
dhcpd address 192.168.1.50-192.168.1.100 inside
Give your routers, switches, and host static IP addresses in the range of: 192.168.1.1 - 192.168.1.49
arp inside 192.168.1.10 0c1b.ae43.bd21 arp inside 192.168.1.11 0c1b.ae43.bd22 arp inside 192.168.1.12 0c1b.ae43.bd23 etc……
Comment from: EINAR HONEGGER THOME [Visitor]
This tutorial is useless because entering a mac adderess associated to an IP at the ARP table wont make DHCP assign that IP to that specific MAC address.
MARR, IF I use static IPs on those Devices, DHCP will have no influence on those IPs settings! ASA still lacks this functionality!
Comment from: Rudolf [Visitor]
Unfortunately, indeed this tutorial provides a solution that doesn’t solve what it claims to do.
It is really a shame that the ASA can’t give a fixed IP to a MAC address, something most routers in the price range of 30 dollar can already do…
Comment from: [Member]
Comment from: Networker [Visitor]
Comment from: Bryan [Visitor]
Comment from: Michael [Visitor]
There is an alias option to the arp command that prevents the entry from expiring, would that solve the issue, I have not bothered to test it, but I read from the remarks that an issue would be that the reservation will expire, add alias at the end and it will not?
Comment from: Michael [Visitor]
Naa, 4get that, that also does not work.
Comment from: julia [Visitor]
Form is loading...