CCIE or Null!

My journey to CCIE!

DHCP Reservations on a Cisco ASA 5505. Maybe?


The Cisco ASA 5505 is the smallest firewall in the ASA family, designed only for SOHO and very small branch offices. It’s even cheaper than most of the current 800 series routers, and it can provide IPSec VPN access, AnyConnect access, and basic routing. Sounds like a great deal, right? Well, it is; however, after a while you will notice that this nice ASA is missing some functionality we take for granted in our normal everyday ISR routers.

One of those features is the ability to set up a DHCP reservation. The 5505 can run a DHCP server with various scope options, but the ability to set up reservations has been left out. We can only speculate as to why such a simple feature would be excluded. However, setting up a static ARP entry provides a quick workaround. Somehow, when the static ARP entry is configured, the ASA apparently knows not to hand out the address to a different host. I tested this out with a scope handing out a single IP address and a scope handing out multiple addresses, with the same result: the end device configured with the static entry got the IP address in the static ARP entry configuration. When the scope was configured with a single address and a static ARP entry, I connected a different PC and the ASA would not hand out that single IP address to a different host.
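The workaround described above, written out as ASA CLI. This is an added example, not configuration from the original post: the `inside` interface name, the 192.168.1.0/24 addresses and the MAC address are constructed, and the reservation effect is the behaviour observed on 8.4, not documented Cisco behaviour.

```cisco
! Constructed values: inside interface on 192.168.1.0/24,
! client MAC 0011.2233.4455 should always receive 192.168.1.50.

! DHCP scope on the inside interface. The "reserved" address must
! fall inside the pool, otherwise the ASA has nothing to lease.
dhcpd address 192.168.1.50-192.168.1.60 inside
dhcpd enable inside

! Static ARP entry tying the address to the client's MAC.
! Syntax: arp <interface> <ip-address> <mac-address>
arp inside 192.168.1.50 0011.2233.4455

! Verification after the client renews its lease:
! the binding table should list 192.168.1.50 for that client,
! and the ARP table should show the static entry unchanged.
show running-config arp
show dhcpd binding
show arp
```

Because the mapping rests only on the MAC address, recheck `show dhcpd binding` after any software upgrade or hardware swap instead of assuming the behaviour carries over.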

However, one small caveat: this feature is not supported by Cisco TAC, so if you put in a ticket about DHCP reservations and static ARP entries you won’t get too far. I tested this on a few different 8.4 versions with success, but since it isn’t a supported feature I wouldn’t really rely on this for anything mission critical. It is something to keep in mind if you are in a pinch.

Written by Stephen J. Occhiogrosso

February 6, 2013 at 10:46 AM

9 Responses


  1. Interesting article!

    liviusbrLivius

    February 8, 2013 at 8:40 AM

  2. I don’t think this works … I tried this on a 5510, and I never get the IP configured in the static ARP table. Your test might have some flaws.

    GV

    February 14, 2013 at 3:37 PM

    • That could also be why the feature is not supported by TAC. My tests were with 8.4.4(2) and 8.4.4(9) on the 5505 platforms.

      Stephen J. Occhiogrosso

      February 14, 2013 at 6:29 PM

  3. I think you could essentially create a single static DHCP address by assigning a DHCP pool with only one IP address. Could you not put that device into a DMZ interface on the ASA (or a VLAN instance)? As long as you don’t have any other devices in the DMZ/VLAN using DHCP, this should work. I am considering this because I have a Dish VIP922 DVR with SlingBox capabilities. The VIP922 only supports DHCP address assignments. I want to put the VIP922 behind a PIX 515e firewall with ACLs controlling access. If the VIP922 were to acquire a different IP address, the ACLs would likely fail or need updating. I know this is a kludge but it might be useful.

    Dave

    April 9, 2013 at 3:22 AM

    • Yep, you are correct: creating a DHCP scope with a single address for a single device will work.

      I had a situation where a customer had an IP phone and laptop behind a Cisco ASA for home users, and they wanted to ensure that users would only connect company assets to the ASA and also wanted to avoid assigning static addresses to either device.

      The use of Dot1X authentication was off the table due to budget, and while static ARP entries are not foolproof, it was the only solution I could come up with solely relying on the ASA device.

      Stephen J. Occhiogrosso

      April 9, 2013 at 8:43 AM

  4. Hi everybody 🙂

    I imagine this would work because the ASA, before leasing out an IP address, checks to see if it is at all free. And this, I think, would include some form of lookup, so with the static ARP in place…

    Cheers

    Kim Tingkaer

    August 6, 2013 at 4:08 AM

  5. What if you create a pool that does not include the IP addresses that you need? This of course assumes that the IPs that you want to exclude are all within a certain range. For example, if your network is 192.168.20.0 then you could assign your printers a static IP of 192.168.20.50-60 and create a DHCP pool from 192.168.20.60 – 254.

    Alex

    October 18, 2013 at 10:26 AM

    • Alex, yes, the IP address does need to be available in the DHCP pool. This way the ASA knows it can hand out that address.

      Stephen J. Occhiogrosso

      October 20, 2013 at 10:34 AM

  6. It’s a shame you don’t have a donate button! I’d without a doubt donate to this excellent blog! I suppose for now I’ll settle for book-marking and adding your RSS feed to my Google account. I look forward to brand new updates and will share this website with my Facebook group. Chat soon!

    tests required

    September 9, 2014 at 12:30 PM

