Using the PIX Firewall DHCP Client

In a setup like the one below, the outside interface of the PIX gets its address via DHCP, so you cannot assign an IP address to that PIX interface directly.
So, after digging around on cisco.com, I found this: using the PIX Firewall as a DHCP client.

The idea is simple: DHCP is offered on the outside, the PIX firewall sits in between, and hosts on the inside use the Internet protected by the firewall.

 

The configuration turned out to be much simpler than I expected. >ㅁ<

Configuring the DHCP Client
To enable the DHCP client feature on a given PIX Firewall interface and set the default route via the DHCP server, enter the following command:

In config mode, enter the dhcp command on the outside interface as shown below.

ip address outside dhcp [setroute] [retry retry_cnt]

The setroute option creates a default route (learned from the DHCP server) when no default route exists.

The following commands are provided for debugging the DHCP client:
•debug dhcpc packet
•debug dhcpc detail
•debug dhcpc error

I captured the output of debug dhcpc packet both when connecting the cable to the outside interface and when disconnecting it.

When the cable is connected
pixfirewall# debug dhcpc packet
DHCP: allocate request
DHCP: new entry. add to queue
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0dhcpc_discover_pkt: proto = 0x1, lp = 0x2b66
dhcpc_discover_pkt: proto = 0x1, lp = 0x2b66
dhcpc_discover_pkt: proto = 0x11, lp = 0x44

DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: Received a BOOTREP pkt
DHCP: offer received from 10.10.11.101
DHCP: SRequest attempt # 1 for entry:
DHCP: SRequest- Server ID option: 10.10.11.101
DHCP: SRequest- Requested IP addr option: 10.10.10.95
DHCP: SRequest placed lease len option: 43200
DHCP: SRequest: 296 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0dhcpc_discover_pkt: proto = 0x11, lp = 0x44
dhcpc_discover_pkt: proto = 0x11, lp = 0x44
dhcpc_discover_pkt: proto = 0x11, lp = 0x44

DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: Received a BOOTREP pkt
DHCP: offer received from 10.10.11.101
DHCP: offer received in bad state: Requesting  punt
DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: Received a BOOTREP pkt
DHCP Proxy Client Pooling: ***Allocated IP address: 10.10.10.95
DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: Received a BOOTREP pkt
DHCP: rcv ack in Bound state: punt
DHCP: allocate request
Allocated IP address = 10.10.10.95,  netmask = 255.255.255.0, gateway = 10.10.10.1

DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE6A9F1C3
DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE6A9F1C3


 

When the cable is removed
DHCP: deleting entry 10194f4 10.10.10.95 from list
Temp IP addr: 10.10.10.95  for peer on Interface: outside
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 10.10.11.101, state: 3 Bound
   DHCP transaction id: 0x65453
   Lease: 43200 secs,  Renewal: 21600 secs,  Rebind: 37800 secs
   Temp default-gateway addr: 10.10.10.1
   Next timer fires after: 21550 seconds
   Retry count: 0   Client-ID: cisco-0000.0000.0000-outside

Reference pages
Using PIX Firewall in SOHO Networks
DHCP (Dynamic Host Configuration Protocol)

RFC 2131
ftp://ftp.isi.edu/in-notes/rfc2131.txt

How DHCP works
http://www.ebora.net/htmlup2/net-app2.htm
http://www.exchangeserver.or.kr/mirae/3/sw4_1.htm

1. IP lease discovery (Discover)
TCP/IP initialization, Broadcast: Discover
Uses 67/UDP, DHCPDISCOVER (Client broadcast to locate available servers.)
This lease request is sent as a DHCPDISCOVER message (67/UDP). Looking at the source and destination addresses of the packet, the source address is 0.0.0.0 and the destination address is 255.255.255.255. Along with that, the client includes its own MAC address and host name.

2. IP lease offer (Offer): every server makes an offer
  The client's hardware address
  An IP address to offer, taken from the server's own IP pool
  Subnet mask
  Lease duration
  Server identifier (the DHCP server's IP address)
Uses 68/UDP, DHCPOFFER (Server to client in response to DHCPDISCOVER with offer of configuration parameters.)

3. IP lease selection (Selection)
After choosing an IP, the client requests the lease (Request), by broadcast
The DHCPREQUEST message carries the chosen server's server identifier (IP address) and the IP address the client will use
DHCPREQUEST (Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.)

4. IP lease acknowledgement (Acknowledge)
The server that offered the IP sends a positive acknowledgement by broadcast
The other servers withdraw their offers
DHCPACK (Server to client with configuration parameters, including committed network address.)


Message Use
------- ---
DHCPDISCOVER - Client broadcast to locate available servers.
DHCPOFFER - Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST - Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
DHCPACK - Server to client with configuration parameters, including committed network address.
DHCPNAK - Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.
DHCPDECLINE - Client to server indicating network address is already in use.
DHCPRELEASE - Client to server relinquishing network address and cancelling remaining lease.
DHCPINFORM - Client to server, asking only for local configuration parameters; client already has externally configured network address.
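As an added example (not code from the original post, nor Cisco's), here is a small Python model of the Discover/Offer/Request/Ack exchange from steps 1-4 and the message table: it builds and parses RFC 2131 messages with the option codes involved (53 message type, 50 requested address, 54 server identifier, 51 lease time, 1 subnet mask, 3 router). The addresses, lease length and xid are taken from the debug capture above; the MAC address is constructed.

```python
# Added example: build and parse RFC 2131 DHCP messages for the DORA exchange.
import struct
import socket

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message-type values
MAGIC = b"\x63\x82\x53\x63"                     # RFC 2131 magic cookie

def build(msg_type, xid, mac, ciaddr="0.0.0.0", yiaddr="0.0.0.0", opts=()):
    """Return a DHCP message: fixed 236-byte header, cookie, options, end."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2   # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0x8000,      # htype=Ethernet, hlen=6, broadcast flag
                      socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                      b"\0" * 4, b"\0" * 4,               # siaddr, giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])                     # option 53 first, as clients usually do
    for code, val in opts:
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC + body + b"\xff"

def parse(pkt):
    """Return (op, xid, ciaddr, yiaddr, {option_code: raw value}); ValueError if not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, xid = pkt[0], struct.unpack("!I", pkt[4:8])[0]
    ciaddr, yiaddr = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:               # 255 = end option
        if pkt[i] == 0:                                 # 0 = pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, xid, ciaddr, yiaddr, opts

def dora(mac=b"\x00\x11\x22\x33\x44\x55", xid=0xE6A9F1C3):
    """Walk the four-step exchange with the values seen in the capture (MAC is constructed)."""
    srv, lease = socket.inet_aton("10.10.11.101"), struct.pack("!I", 43200)
    discover = build(DISCOVER, xid, mac)                # client: 0.0.0.0 -> 255.255.255.255:67
    assert parse(discover)[2] == "0.0.0.0"              # no address yet, hence the null source
    offer = build(OFFER, xid, mac, yiaddr="10.10.10.95", opts=[(54, srv), (51, lease)])
    _, _, _, offered, o = parse(offer)
    # client picks this server: option 50 requested IP, option 54 server identifier
    build(REQUEST, xid, mac, opts=[(50, socket.inet_aton(offered)), (54, o[54])])
    ack = build(ACK, xid, mac, yiaddr=offered, opts=[(54, srv), (51, lease),
                (1, socket.inet_aton("255.255.255.0")), (3, socket.inet_aton("10.10.10.1"))])
    _, _, _, addr, o = parse(ack)
    return addr, socket.inet_ntoa(o[1]), socket.inet_ntoa(o[3]), struct.unpack("!I", o[51])[0]
```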

So to obtain an IP address via DHCP, the client assigns itself a null address and broadcasts to find the DHCP server... The reason is obvious: it has no IP address of its own yet, and it does not know the DHCP server's IP address either. ^^
