Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505 Lockdown

Hey guys - i have a couple of questions that I hope are quick to answer.

I have a need to provide users with a IP phone at home (extended leave, part timers, etc). The current plan is to provide them an ASA5505 that is configured to create the VPN tunnel over the internet (connects to a ASA5520). We also want to lock down the all the ports execpt e0/0 (outside interface) and e0/7 (the poe enabled phone port). I am tring to configure 5505 so that only the phone will get an ip, AND if they remove the phone, and plug in a desktop/laptop/etc, it wont work (ie - no ip address supplied, ports blocked, etc.). The users will need to use thier existing VPN on thier laptop to get network, we are just trying to supply them a "off site extension" of thier phoens.

So - Question 1 - Can I have the dhcp scope on the asa5505 defined to do a MAC based assignment?

Question 2 - If we cant lock down the scope by mac address, what ports, other than http and skinny (no sip phones here) would/should I block?

If anyone has any other suggstions, im all ears..

Thanks in advance!

New Member

Re: ASA5505 Lockdown

Place a "shutdown" on interfaces e0/1 to e0/6

For control of devices by MAC access, see "mac-list" command at the following URL:

New Member

Re: ASA5505 Lockdown

thanks. Ive already done the shutdown. Ill check the link (if helpfull, ill rate..)

I am looking to ensure that if they take the phone out, they will get nowhere.


New Member

Re: ASA5505 Lockdown

I have read up on the mac-list, and it seems that would work. My question now - how do I apply that to only 1 interface? Seems to me that, since its a global command, it will restrict on all ports, right?

I need e0/0 to be unrestricted, as I have NO idea what the mac address will be of the "dirty" side, but at the same time, e0/7 should be restricted to only the phone that I supply.

Thanks again for the link

CreatePlease login to create content