Enabling DNS Lookups on Cisco Devices

KB ID 0000969 

Problem

For the most part, network devices are more concerned with IP and MAC addresses, but they also have the ability to resolve hostnames to IP addresses using DNS, so that you can ping or connect to hosts by name from the device itself.

Solution

How to Enable DNS Lookups on Cisco ASA5500

As ASA is ‘My Thing’ I will start with that.

1. Connect to the ASA, log in and go to enable mode, and then global configuration mode.

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: **********
PetesASA# configure terminal

[/box]

2. The interface you name here is the one the ASA will send its DNS queries out of, and you can run the command for more than one interface. If you have corporate DNS servers on your LAN you will probably prefer to use those, so you would use ‘inside’ as opposed to ‘outside’. Queries the firewall sends to public resolvers over the outside interface are plain, unauthenticated UDP that anyone on the path can see or spoof, so internal resolvers you control are the better choice. (Note: your interfaces might not have these names, let common sense prevail.)

[box]

PetesASA(config)# dns domain-lookup outside

[/box]

3. There are two ways to specify the actual DNS servers, and I’ll show both. The first is the older shorthand; current versions still accept it, but store it in the running config as the second (server-group) form, so that is the one to learn.

The Original Way

[box]

PetesASA(config)# dns name-server 4.2.2.2 8.8.8.8

[/box]

The New Way

[box]

PetesASA(config)# dns server-group DefaultDNS
PetesASA(config-dns-server-group)# name-server 4.2.2.2
PetesASA(config-dns-server-group)# name-server 8.8.8.8
PetesASA(config-dns-server-group)# exit

[/box]

4. To test it, simply ping a hostname and see if it works.

[box]

PetesASA# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.34.83, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
PetesASA#
[/box]

5. Save the changes.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: ac21d44c 109662c4 66495572 e5a106c7

49756 bytes copied in 3.540 secs (16585 bytes/sec)
[OK]
PetesASA#

[/box]
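The whole thing in one go, as an added example rather than the article’s own config: the same steps, but pointed at internal resolvers on the inside interface (the safer choice for a firewall, which also uses these servers to resolve any FQDN network objects you define), with the domain name set and two commands to check the result. The 10.10.10.x addresses, the corp.example.com domain and the interface name are assumptions.

```text
! Added example, not from the original article.
! Addresses, domain and interface name are assumed.
! Send lookups out of 'inside' to resolvers we control,
! rather than out of 'outside' to public ones.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.10
 name-server 10.10.10.11
 domain-name corp.example.com
!
! Verification, typed at the PetesASA# prompt:
!   show running-config dns   (what the ASA actually stored)
!   ping www.google.com       (forces a lookup)
!   show dns-hosts            (names the ASA has resolved and cached)
```

Paste the config lines at the (config)# prompt. If you used the old dns name-server shorthand, show running-config dns is where you will see it turn up in server-group form.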

 

How to Enable DNS Lookups on Cisco IOS Device

Below I’ll setup DNS lookups on a Cisco Router, but the process is the same for a Catalyst switch.

1. Connect to the device, log in and go to enable mode, and then global configuration mode. By default DNS lookups are enabled (you would disable them with a no ip domain-lookup command; on newer IOS the command is written ip domain lookup, without the hyphen, and both forms are accepted). But let’s make sure.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#ip domain-lookup

[/box]

2. Now specify the DNS server you want to use.

[box]

PetesRouter(config)#ip name-server 4.2.2.2
PetesRouter(config)#ip name-server 8.8.8.8
PetesRouter(config)#exit
PetesRouter#
*Jul 17 18:17:26.099: %SYS-5-CONFIG_I: Configured from console by console

[/box]

3. To test it, simply ping a hostname and see if it works.

[box]

PetesRouter#ping www.google.com
Translating "www.google.com"...domain server (4.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.34.84, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/36 ms

[/box]

4. Save the changes.

[box]

PetesRouter#write mem
Building configuration...
[OK]
PetesRouter#

[/box]
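An added example (not the article’s own config) that goes a little beyond the two commands above: it pins the lookups to a loopback source address, sets the domain suffix, and stops the IOS habit of treating a mistyped exec command as a hostname to telnet to, which is the usual reason people turn lookups off with no ip domain-lookup in the first place. The loopback interface, the 10.10.10.x addresses and the corp.example.com domain are assumptions.

```text
! Added example, not from the original article.
! Loopback, addresses and domain name are assumed.
ip domain lookup
ip domain lookup source-interface Loopback0
ip domain name corp.example.com
ip name-server 10.10.10.10 10.10.10.11
!
! Keep lookups on, but stop a typo at the exec prompt from being
! treated as a host to telnet to (the console hangs while it resolves).
line con 0
 transport preferred none
line vty 0 4
 transport preferred none
!
! Verification, typed at the PetesRouter# prompt:
!   ping www.google.com   (you should see the "Translating" line)
!   show hosts            (the router's host cache)
```

Sourcing the queries from a loopback means the DNS servers (and any ACLs in front of them) only ever see one predictable address from this device, whichever interface the packet actually leaves on.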

 

Related Articles, References, Credits, or External Links

NA

Cisco Firewalls Changing the Web Management Port

Cisco 5500 Changing the ASDM Port
Unable to Port Forward HTTPS

KB ID 0000268

Problem

You want to change the port that the Cisco ASDM runs over, or you are attempting to port forward HTTPS/SSL and see the following error:

Error:
ERROR: unable to reserve port 443 for static PAT
ERROR: unable to download policy

You are trying to port forward (create a static PAT entry) on a Cisco ASA for TCP port 443 / HTTPS, but the ASA’s own HTTPS management server (the one ASDM uses) is already listening on 443 on that interface, so the static PAT cannot reserve the port.

Solution

Change the Cisco ASA ASDM Port via Command Line

Connect to the ASA via command line. (In the following example I’ll change the ASDM to use TCP port 2456).

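As an added example (the original article’s code box for this step is missing, so this is not the author’s own listing), the CLI equivalent of the ASDM change described above, with management access limited to an assumed internal subnet:

```text
! Added example, not from the original article.
! The 192.168.1.0/24 management subnet and interface name are assumed.
! Move the ASDM/HTTPS management server off TCP 443 so that a static
! PAT for 443 can be created on the outside interface.
http server enable 2456
http 192.168.1.0 255.255.255.0 inside
!
! Verification and save, typed at the PetesASA# prompt:
!   show running-config http
!   write mem
```

After this, ASDM is reached at https://{ASA address}:2456. The http line controls who may reach the management server at all; keep it off the outside interface where you can, because moving the port does nothing to protect ASDM, it just frees up 443 for the static PAT.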

Change the Cisco ASA ASDM Port via ASDM

1. Connect to the the Cisco ASDM > Configuration > Device Management > Management access > ASDM/HTTPS/Telnet/SSH > http Settings > Port Number > Change accordingly > Apply.

2. Save the new config > File > “Save Running Configuration to flash”.

Cisco PIX (Version 6) Firewalls – Disable Web Management

If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. Your only option is to disable the PDM if you want to port forward HTTPS / SSL / TCP port 443.

 

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Original Article Written 25/03/11

Cisco ASA5500 Change the AnyConnect Port

KB ID 0000422 

Problem

AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.

Why you would NOT want to do this.

Bear in mind that HTTPS is a well known port, and it’s open in most places for secure web traffic: you use it when you buy things over the internet or do your banking, so it is allowed out of most networks and through most firewalls. That is what makes AnyConnect on 443 so handy; if you change the port, some of your users may find they cannot connect from networks that only permit 80 and 443 outbound.

Solution

Assuming you accept the potential problems and want to swap the port over then do the following.

Via Command Line

1. Connect to the ASA via Telnet, SSH or Console Cable.

2. Log in and go to “configure terminal” mode.

[box]

PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)#

[/box]

3. You can’t change the port while AnyConnect is enabled, so you need to disable it, change the port then re-enable it again (in this example I’ve changed it to port 444).

[box]

PetesASA(config)# webvpn
PetesASA(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
PetesASA(config-webvpn)# port 444
PetesASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
PetesASA(config-webvpn)#

[/box]

4. Save the changes with a write mem command.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948

9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
PetesASA(config)#

[/box]

Via ASDM

1. Connect to the ASDM.

2. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection profiles.

3. You will need to un-tick the allow access on the outside option, then change the port, then re-tick to allow access, then click Apply.

Update 01/10/12

4. When done, click File > Save Running configuration to flash, to save the changes.

BE AWARE

Your clients would now need to connect to the portal on:

https://{name or IP address}:444

Or if using the client software, they will need to tag the port number on the end like so,

Related Articles, References, Credits, or External Links

Changing the ASDM Port