One of our offices uses a Cisco ASA/PIX and we want to manage all the IP address allocations with DHCP. The main benefit of this is that the dynamic IP address allocations can be managed centrally. If we change the default gateway of the network then no one needs to make any changes to the network settings on their devices.
Each device on the network gets an IP address when they ask for it and keeps it for a fixed amount of time called a lease. When that time has expired the device releases the address and asks for another. In most cases the device will be given the same information again by the DHCP server.
If you have a network with a lot of laptops, phones, tablets or printers then devices will come and go quite frequently. You will find that if you switch off the device for any amount of time it will come back with a different address. For laptops and personal devices this doesn't matter. However if the device is a shared resource like a printer or file server then it can be a problem. Anyone who still wants to use that shared resource now needs to know about its new address.
We want to be able to tell the DHCP server that while it can allocate IP addresses from a certain pool we want to make sure that it can only allocate some of them to specific network devices. This will ensure that if a printer goes for repair and comes back in a week, when it's switched back on it will have the same IP address that it always had.
Unfortunately there isn't a structured way of doing this with a Cisco ASA/PIX so we need to find a work-a-round.
The following instructions describe how to do this but they also describe how to get into the administration section of the Cisco ASA/PIX because most of the instructions (on the internet) assume you know how to do this already. There is a strong argument that you should know what you are doing before you play with a router/firewall's configuration but if your network man is on holiday then you might have to get your hands dirty yourself.
There are various GUIs to help with this kind of administration and that's fine if you are at the customer's site but most of the time I'm not. Short of connecting to the VPN and using the management console the easiest way is to go in on the command line using telnet.
In the following scenario we have been told that the printer is set to use DHCP and its current IP address is
192.168.1.69. We want to add that to the pool and make sure it is given the same IP address each time.
So connect to the Cisco ASA/PIX. There's no user name only a password, so enter the user level password:
host# telnet 192.168.1.254
User Access Verification
Type help or '?' for a list of available commands.
Once logged in we need to switch to the administration mode.
The user told us the printer was currently switched on so we can read the router's Address Resolution Protocol table which lists the mappings between IP addresses and Media Access Control address (MAC address or address network card address). We'll need the MAC address as it is the reference the router talks to whereas the IP address is only an abstraction.
cisco# show arp
inside 192.168.1.69 0c1b.ae43.bd21
Now we can check that the
192.168.1.69 address is in the pool of DHCP addresses
cisco# show running-config dhcpd
dhcpd address 192.168.1.20-192.168.1.70 inside
dhcpd dns 126.96.36.199 188.8.131.52 interface inside
dhcpd domain 360inspire.com interface inside
dhcpd enable inside
which it is and we can check that the MAC address is not currently assigned to anything else.
cisco# show running-config arp
Our sanity checks are ok so we are ready to proceed with the update. We must enter the configuration section by specifying that we will change the configuration from the terminal.
cisco# configure terminal
Once in the configuration section we can start changing the settings. The following line says that when we see the MAC address
0c1b.ae43.bd21 we are going to statically refer to it with the IP address of
192.168.1.69. The Cisco ASA/PIX knows that this is already in the DHCP pool and won't allocate it again.
cisco(config)# arp inside 192.168.1.69 0c1b.ae43.bd21
We can check the change has been added with the following command:
cisco(config)# show running-config arp
arp inside 192.168.1.69 0c1b.ae43.bd21
If you have miss-typed or you would like to remove an old entry you can do so by prefixing the existing command with
no. For example:
no arp inside 192.168.1.69 0c1b.ae43.bd21
The changes are currently only made in memory, so we need to write the current running configuration down to disk.
cisco(config)# write mem
Cryptochecksum: 389f1812 7c29dd7b 50ad4ca0 4ce3fd5e
4396 bytes copied in 1.480 secs (4396 bytes/sec)
And finally the job is done so we exit cleanly
Connection closed by foreign host.
Rebooting the printer will result in the printer coming back with the same IP address.
Many thanks to goldplated for his original article.