Using the PIX Firewall DHCP Client

In the setup below, the outside interface of the PIX gets its address via DHCP, so I couldn't assign an IP directly to the PIX interface.
So I dug around the cisco.com site and found this: using the PIX Firewall as a DHCP client.

The idea is that DHCP is on the outside, the PIX firewall sits in between, and the inside side gets internet access protected by the firewall.

The configuration was much simpler than I expected. >ㅁ<

Configuring the DHCP Client
To enable the DHCP client feature on a given PIX Firewall interface and set the default route via the DHCP server, enter the following command:

As shown below, you just enter the dhcp command for the outside interface in config mode.

ip address outside dhcp [setroute] [retry retry_cnt]

The setroute option creates a default route when there is no default route.

The following commands are provided for DHCP client debugging.
• debug dhcpc packet
• debug dhcpc detail
• debug dhcpc error

I captured the debug dhcpc packet output when connecting the cable to the outside interface and when disconnecting it.

When the cable is connected
pixfirewall# debug dhcpc packet
DHCP: allocate request
DHCP: new entry. add to queue
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover: sending 278 byte length DHCP packet
DHCP: SDiscover 278 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0dhcpc_discover_pkt: proto = 0x1, lp = 0x2b66
dhcpc_discover_pkt: proto = 0x1, lp = 0x2b66
dhcpc_discover_pkt: proto = 0x11, lp = 0x44

DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: Received a BOOTREP pkt
DHCP: offer received from 10.10.11.101
DHCP: SRequest attempt # 1 for entry:
DHCP: SRequest- Server ID option: 10.10.11.101
DHCP: SRequest- Requested IP addr option: 10.10.10.95
DHCP: SRequest placed lease len option: 43200
DHCP: SRequest: 296 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0dhcpc_discover_pkt: proto = 0x11, lp = 0x44
dhcpc_discover_pkt: proto = 0x11, lp = 0x44
dhcpc_discover_pkt: proto = 0x11, lp = 0x44

DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: Received a BOOTREP pkt
DHCP: offer received from 10.10.11.101
DHCP: offer received in bad state: Requesting  punt
DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: Received a BOOTREP pkt
DHCP Proxy Client Pooling: ***Allocated IP address: 10.10.10.95
DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: Received a BOOTREP pkt
DHCP: rcv ack in Bound state: punt
DHCP: allocate request
Allocated IP address = 10.10.10.95,  netmask = 255.255.255.0, gateway = 10.10.10.1

DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE6A9F1C3
DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE6A9F1C3

When the cable is removed
DHCP: deleting entry 10194f4 10.10.10.95 from list
Temp IP addr: 10.10.10.95  for peer on Interface: outside
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 10.10.11.101, state: 3 Bound
   DHCP transaction id: 0x65453
   Lease: 43200 secs,  Renewal: 21600 secs,  Rebind: 37800 secs
   Temp default-gateway addr: 10.10.10.1
   Next timer fires after: 21550 seconds
   Retry count: 0   Client-ID: cisco-0000.0000.0000-outside
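As an added example (not code from the post or from Cisco), here is a small Python summariser for `debug dhcpc packet` output like the capture above: it records which relay addresses answered, which server IDs made offers, the lease that was finally bound, how many replies the client punted, and flags any offer from a server ID not on an allowlist, which matters on an outside interface that will bind to whatever DHCP server answers first. The helper name and the `expected_servers` set are assumptions; the sample log is a constructed excerpt that reuses the post's own values.

```python
import re

# Constructed excerpt of `debug dhcpc packet` output, trimmed from the
# capture in the post (addresses and values are the post's own).
SAMPLE_LOG = """\
DHCP: SDiscover attempt # 1 for entry:
DHCP client msg received, fip=10.10.10.4, fport=67
DHCP: offer received from 10.10.11.101
DHCP: SRequest attempt # 1 for entry:
DHCP client msg received, fip=10.10.10.3, fport=67
DHCP: offer received from 10.10.11.101
DHCP: offer received in bad state: Requesting  punt
DHCP: rcv ack in Bound state: punt
Allocated IP address = 10.10.10.95,  netmask = 255.255.255.0, gateway = 10.10.10.1
DHCP: Received a BOOTREP pkt Not for us..:  xid: 0xE6A9F1C3
"""

SENDER_RE = re.compile(r"DHCP client msg received, fip=(\S+), fport=\d+")
OFFER_RE = re.compile(r"DHCP: offer received from (\S+)\s*$")
LEASE_RE = re.compile(r"Allocated IP address = (\S+),\s+netmask = (\S+), gateway = (\S+)")
XID_RE = re.compile(r"Not for us\.\.:\s+xid: (0x[0-9A-Fa-f]+)")

def summarize_dhcpc_debug(text, expected_servers):
    """Hypothetical helper: condense a `debug dhcpc packet` capture into who
    answered, which lease was bound, how many replies were punted, and whether
    any offer came from a server ID outside the expected set (rogue server)."""
    out = {"senders": [], "offers": [], "lease": None, "punted": 0,
           "foreign_xids": [], "unexpected_servers": []}
    for line in text.splitlines():
        m = SENDER_RE.search(line)
        if m and m.group(1) not in out["senders"]:
            out["senders"].append(m.group(1))       # relay/server that replied
        m = OFFER_RE.search(line)
        if m:
            out["offers"].append(m.group(1))        # DHCP server identifier
            if m.group(1) not in expected_servers and m.group(1) not in out["unexpected_servers"]:
                out["unexpected_servers"].append(m.group(1))
        m = LEASE_RE.search(line)
        if m:                                        # final bound lease
            out["lease"] = {"ip": m.group(1), "mask": m.group(2), "gateway": m.group(3)}
        m = XID_RE.search(line)
        if m:                                        # reply carrying another client's xid
            out["foreign_xids"].append(m.group(1))
        if line.rstrip().endswith("punt"):           # reply dropped by the client state machine
            out["punted"] += 1
    return out

if __name__ == "__main__":
    print(summarize_dhcpc_debug(SAMPLE_LOG, {"10.10.11.101"}))
```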

Reference page
Using PIX Firewall in SOHO Networks


There is a separate procedure for downgrading the PIX IOS from 7.x to 6.x.
If you upload a 6.x IOS with the normal IOS upload command while a 7.x IOS is installed, it does not work correctly.
In my case I think it dropped to monitor mode.

Downgrade from PIX 7.x to 6.x

pixfirewall(config-if)# downgrade tftp://192.168.0.2/pix635.bin
This command will reformat the flash and automatically reboot the system.
Do you wish to continue? [confirm]
Buffering image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Buffering startup config

All items have been buffered successfully.
If the flash reformat is interrupted or fails, data in flash will be lost
and the system might drop to monitor mode.
Do you wish to continue? [confirm]
Acquiring exclusive access to flash
Installing the correct file system for the image and saving the buffered data
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Flash downgrade succeeded

Rebooting....


If the IOS image was uploaded incorrectly and the following message appears when the PIX boots,

No bootable image in flash. Please download
an image from a network server in the monitor mode

Failed to find an image to boot

re-upload the IOS via TFTP from monitor mode.
Even if the image transfer stalls partway, it goes through after a few tries.

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC: 0011.2063.5565
monitor> addr 192.168.0.1
address 192.168.0.1
monitor> server 192.168.0.2
server 192.168.0.2
monitor> file pix711.bin
file pix711.bin
monitor> tftp
tftp pix711.bin@192.168.0.2.............................................................
.................................................................................................
..................................................................................................
...................................................................................................
..................................................................................................
..................................................................................................
........................................................

Reference page:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t4

cspix-adsm-swupgrade.pdf


1. After powering on the PIX, press the "ESC" key to get to the "monitor>" prompt

2. Select the interface with the interface command
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9

3. Set the IP of the PIX firewall interface with the address command
monitor> address 10.0.0.1
address 10.0.0.1

4. Set the IP of the TFTP server holding the PIX firewall recovery file with the server command
monitor> server 10.0.0.2
server 10.0.0.2

5. Specify the name of the recovery file on the TFTP server with the file command
monitor> file np52.bin
file np52.bin

6. Start the recovery file download with the tftp command
monitor> tftp
tftp np52.bin@10.0.0.2 via 10.0.0.1...................................
Received 73728 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000

7. Password recovery starts.
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....


The password recovery file is at the link below

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml
(Copy it; the window got too wide, couldn't help it ;ㅁ;)

http://www.cisco.com/warp/public/110/34.pdf
