CISCO PIX 501

[CatPlus]

Can CISCO PIX 501 do the following:

[1] Serve as a DHCP server, so clients can be configured to obtain dynamic or static addresses

[2] Can I have two groups,
Group 1: All internet traffic
Group 2: POP/SMTP and virus definitions only

How would my access rule look like?

Thanks for your guidance

Mickey Shekdar

 

[rb1kenobi]

1) If you mean "can it be a DHCP server" - YES it can.
If you mean "can it guarantee that computer X will always get IP address xxx.xxx.xxx.xxx" then - NO, it can't. It has no concept of DHCP Reservations like you would see on an MS DHCP server. The pix gives out a pool of IP's, and will serve them out on a first-come, first served basis with no reservations, (unless it's a DHCP renewal request)

2) Yes, you can have separate groups of computers that have different levels of access to/from the internet.

Your access list would need to do the following in this order:

- permit outbound pop/smtp/virus ports for restricted users
- deny all other internet traffic for restricted users
- permit all internet traffic for non-restricted users

Depending on the number of users in the non-restricted vs restricted group, this access-list may be inefficient from a CPU standpoint. You could for example
- permit all outbound for the non-restricted users
- permit pop/smtp/virus for restricted
- deny all other internet for restricted users.


You would then apply this access list on the INSIDE interface.

 

[CatPlus]

Thanks rb1kenobi,

One more question. Have you seen SonicWall's O/S?

SonicWall allows settings rules to different rules, then assigns the MAC IDs to the group to which the client belongs.

No settings are required at the client's machine yet the client boots up in DHCP mode, not static!

Is such a functionality available in CISCO PIX?

Thanks for your reply

Mickey Shekdar