Cisco ASA – DNS Doctoring

KB ID 0001113

Problem

Cisco DNS doctoring is a process that intercepts a DNS response packet as it comes back into the network, and changes the IP address in the response.

Why Would you want to do this? Well lets say you have a web server on your network, and its public IP is 111.111.111.111, and on your LAN its internal IP address is 192.168.1.100, its public DNS name, (or URL) is www.yoursite.com. When a user types www.yoursite.com into their browser, DNS will respond with the public IP of 111.111.111.111, and not the IP address thats on your LAN (192.168.1.100). The client can’t send the traffic out of the firewall, ‘hairpin’ it though 180 degrees and send the traffic back in again. So it fails. What DNS does is look for DNS response packets that have 111.111.111.111 in them and dynamically changes the ip in the packet to 192.168.1.100.

Are there any prerequisites? Only that the DNS server sending the response sends it response though the ASA, i.e. if you have your own DNS server onsite that serves the request (without a forward lookup or a root hint). then the DNS response does not go though the ASA so it can’t doctor it. This happens if you public website and your internal domain have the same name, or if your DNS server is authoritative for a domain with an IP address outside your network. To solve that problem your best bet is to setup ‘Split DNS’

Windows Setting up Split DNS

How to Setup DNS Doctoring

If you read the preamble you know that the DNS response needs to go though the firewall, and the public IP that gets resolved needs to be on your network. This can be either a host on your network with a public IP, or a host in your DMZ that has a public IP (both examples are shown below).

It takes longer to explain what DNS doctoring is, than it does to actually set it up. Essentially you simply add the ‘dns’ keyword to the end of the static nat statement for the internal host to its public address.

Option 1 – DNS Doctoring for a host on your LAN

This is simply a one-to-one static nat with the dns keyword added onto it, so using the example above (on the left), lets take a look at our NATs.

[box]

Petes-ASA# show run nat
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Obj-Static-128.65.98.44
 nat (inside,outside) static 128.65.98.44

[/box]

You may have a lot more output, but this tells me theres a dynamic NAT for all network traffic (PAT everything to the outside interface dynamically). And a static translation for your internal host, that’s the one we need to add the dns keyword to.

[box]

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Static-128.65.98.44
Petes-ASA(config-network-object)# nat (inside,outside) static 128.65.98.44 dns
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: de650019 1f1583f7 70121512 e1d093e8 

15724 bytes copied in 3.430 secs (5241 bytes/sec)
[OK]
Petes-ASA(config)# 

[/box]

How Do I Set Up DNS Doctoring In The ASDM?

Testing DNS Doctoring

Heres an example of what happened before we setup DNS doctoring, (or where DNS doctoring is not working).

And once its been configured do the same and note the difference;

Option 2 – Host in the DMZ

The process is identical to above only the NAT stamens is different, i.e.

Note: I’m assuming the object host already exists, if NOT then add the line in BLUE.

[box]

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Static-128.65.98.44
Petes-ASA(config)# host 172.16.1.1
Petes-ASA(config-network-object)# nat (DMZ,outside) static 128.65.98.44 dns

[/box]

Option 3 – Split DNS

Windows – Setting Up Split DNS

Related Articles, References, Credits, or External Links

Original Article Written 09/12/15

HP – Switches The IP (or subnet) Already Exists

KB ID 0001176 

Problem

I was changing a clients LAN subnet this week, (dropping the mask from /24 to /16). When I attempted to change the management IP on the clients HP switches this happened;

[box]

HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
The IP address (or subnet) 10.0.0.250/16 already exists.
HP2510-24G(vlan-1)#

[/box]

At first I though the switch was complaining because the IP was remaining the same, I was just changing the mask, (which is a bit bobbins, but there you go).  Turns out this is normal behaviour? Yes I could have got my console cable out, and walked to the comms room and done this;

[box]

HP2510-24G(config)# vlan 1
HP2510-24G(config)#no ip address 10.0.0.250 255.255.255.0
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0 
HP2510-24G(vlan-1)#

[/box]

But that would mean getting off my lazy backside, and what if I was hundred of miles from the switch?

 

Solution

To solve the problem you need to enter the HP switch menu system, this will let you change the IP on the fly. Obviously if you change the IP, make sure you can connect to it’s old, (and new), IPs or you will lose remote management.

From CLI type ‘menu’ {Enter}, you may be asked if you want to save the config. Choose ‘Switch Configuration’.

IP Configuration.

Edit.

Use the cursor keys and navigate to the IP/Subnet mask, and change accordingly > {Enter}

Select Save > Reconnect to the new IP address.

Related Articles, References, Credits, or External Links

HP Networking – Tracing Networks and Locating IP addresses

Cisco Firepower Services – Change IP and DNS Addresses

KB ID 0001173 

Problem

If you change your internal LAN addresses its easy to re-ip the firewall but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it?

 

Solution

Change the FirePOWER Module IP Address

Log into the firewall, then open a session with the SFR module. find the physical address of the module (usually eth0, but check).

[box]

Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr  7 08:11:00 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>

[/box]

To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface like so;

[box]

> configure network ipv4 manual 192.168.1.99 255.255.255.0 192.168.1.1 eth0
Setting IPv4 network configuration.
Network settings changed.

[/box]

You can check its worked with a ‘show interfaces command’.

[box]

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
---------------------[ tunl0 ]----------------------
----------------------------------------------------

>

[/box]

Or you can use the ‘show interfaces {interface-name}‘ command.

[box]

> show interfaces eth0
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
IPv4 Broadcast            : 192.168.1.255
RX Packets                : 261
RX Errors                 : 0
RX Drops                  : 0
RX Overruns               : 0
RX Frame                  : 0
TX Packets                : 214
TX Errors                 : 0
TX Drops                  : 0
TX Overruns               : 0
TX Carrier                : 0
Collisions                : 0
----------------------------------------------------


[/box]

Change the FirePOWER Module IP Address

This is a little more convoluted, there is a command to do this, Note: You can enter multiple servers separated by commas.

[box]

> configure network dns servers 8.8.8.8,8.8.4.4

[/box]

But you also need to restart the nscd daemon in the underlying linux, to do that you need to get into ‘expert mode’.

[box]

> expert

admin@PETES-SFR:~$ sudo /etc/rc.d/init.d/nscd restart

Password:{Enter Your Password}

Stopping nscd…                                                     [  OK  ]

Starting nscd…                                                       [  OK  ]

admin@PETES-SFR:~$

[/box]

Related Articles, References, Credits, or External Links

Cisco FirePOWER – Adding a Static Route