
ASA5505 Lockdown

don.click1
Level 4

Hey guys - I have a couple of questions that I hope are quick to answer.

I have a need to provide users with an IP phone at home (extended leave, part timers, etc). The current plan is to provide them an ASA5505 that is configured to create the VPN tunnel over the internet (connects to an ASA5520). We also want to lock down all the ports except e0/0 (outside interface) and e0/7 (the PoE enabled phone port). I am trying to configure the 5505 so that only the phone will get an IP, AND if they remove the phone and plug in a desktop/laptop/etc, it won't work (i.e. - no IP address supplied, ports blocked, etc.). The users will need to use their existing VPN on their laptop to get network, we are just trying to supply them an "off site extension" of their phones.

So - Question 1 - Can I have the DHCP scope on the ASA5505 defined to do a MAC based assignment?

Question 2 - If we can't lock down the scope by MAC address, what ports, other than HTTP and Skinny (no SIP phones here), would/should I block?

If anyone has any other suggestions, I'm all ears..

Thanks in advance!

3 Replies

samuellthomasjr
Level 1

Place a "shutdown" on interfaces e0/1 to e0/6

For control of devices by MAC access, see "mac-list" command at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1888833

Thanks. I've already done the shutdown. I'll check the link (if helpful, I'll rate..)

I am looking to ensure that if they take the phone out, they will get nowhere.

Thanks.

I have read up on the mac-list, and it seems that would work. My question now - how do I apply that to only 1 interface? Seems to me that, since it's a global command, it will restrict on all ports, right?

I need e0/0 to be unrestricted, as I have NO idea what the mac address will be of the "dirty" side, but at the same time, e0/7 should be restricted to only the phone that I supply.

Thanks again for the link
