
I have a CISCO ASA 5505 in a home office. It has two subnets, public and private. There is a Belkin wifi router on the private net, which provides wifi for some users. That Belkin router sends out a heartbeat notice to a pre-programmed IP address, but the packet is dropped by the ASA. I do not want the packet to go through. I prefer the Belkin be unable to phone home like that, but this Belkin cannot disable the heartbeat check.

So, I wonder if I can make the ASA reply back to the Belkin hello instead?

Or maybe you can tell me how to make a forwarding setting with the ASA that can re-direct the heartbeat check to a host on the LAN by mapping the phone home IP address to the local network?

Here is the firewall drop message from the belkin in the ASA.

3 datetime 50.16.219.4 192.168.3.5 Deny inbound icmp src outside:50.16.219.4 dst inside:192.168.3.5 (type 0, code 0)

I'm comfortable with the CISCO ASDM interface, but I managed some config on the command line too.

Another internal DNS server (like this cure) is not really an option at this point.

Thank you for any advice.

HopelessN00b
ndasusers
    What is wrong with leaving the packet dropped as it is now if you don't want it to 'phone home'? Are services degraded on the router? – Travis Stoll Jan 05 '15 at 17:04
  • Service is not degraded as far as using the network. But logs accumulate, and the Belkin thinks it is offline. It has a red light, because it cannot phone home, and the wireless Windows-based clients show an incorrect marker in the internet icon. And, I don't know if the Belkin is sending a hello packet that is reaching Belkin, leading Belkin to keep querying the home office IP. Does not the firewall message mean that the ICMP reply is the packet being blocked? – ndasusers Jan 05 '15 at 17:18
  • No, it means that ICMP is being denied to the belkin though. If it were the reply, you should see ICMPReply being blocked. – Travis Stoll Jan 05 '15 at 17:23
  • If it were me, I wouldn't use the ASA and the router in parallel like that, especially with the Belkin behind the ASA. I would look at getting a cheap AP; the Cisco WAP121, $70, solves your problem and gives you much better performance. – Travis Stoll Jan 05 '15 at 17:27
  • Thanks for the advice and insights. Do you know if it is possible to make the ASA reply back to the Belkin hello instead? Or, make a forwarding setting with the ASA that can re-direct the heartbeat check to any other host? If it is not possible, then I think the answer to this question is no. But if it is possible, I would be thankful for knowing where to look in the setup docs or ASDM interface for the settings. – ndasusers Jan 05 '15 at 17:47
  • I found a free way. Yay! – ndasusers Jan 13 '15 at 17:14
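As an added illustration (not from the question or either commenter), a small parser for the ASA deny line quoted above that decodes the ICMP type: type 0 is an echo reply, so the dropped packet is an answer coming back towards the Belkin. The regex group names and the extra sample lines are constructed for this example.

```python
import re

# Shape of the ASA "Deny inbound icmp" message quoted in the question; the
# group names are my own labels for its fields.
DENY_ICMP = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP type numbers (RFC 792); only the ones that matter for ping are listed.
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

def parse_deny_icmp(line):
    """Return a dict describing the denied ICMP packet, or None if the line is not one."""
    m = DENY_ICMP.search(line)
    if not m:
        return None
    t = int(m.group("type"))
    return {
        "src": m.group("src"), "src_if": m.group("src_if"),
        "dst": m.group("dst"), "dst_if": m.group("dst_if"),
        "type": t, "code": int(m.group("code")),
        "kind": ICMP_TYPES.get(t, "other"),
        # An echo reply arriving from outside is the answer to a ping that an inside
        # host sent. Without ICMP inspection the ASA keeps no state for that request,
        # so the reply is judged by the inbound ACL alone and dropped.
        "reply_without_state": t == 0 and m.group("src_if") == "outside",
    }

def summarize(lines):
    """Count denied ICMP by (src, dst, kind) so a repeating heartbeat stands out."""
    counts = {}
    for rec in map(parse_deny_icmp, lines):
        if rec:
            key = (rec["src"], rec["dst"], rec["kind"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the question's line twice (timestamps made up) plus two others.
SAMPLE = [
    "3 Jan 05 2015 17:00:01 50.16.219.4 192.168.3.5 Deny inbound icmp src outside:50.16.219.4 dst inside:192.168.3.5 (type 0, code 0)",
    "3 Jan 05 2015 17:01:01 50.16.219.4 192.168.3.5 Deny inbound icmp src outside:50.16.219.4 dst inside:192.168.3.5 (type 0, code 0)",
    "3 Jan 05 2015 17:02:07 203.0.113.9 192.168.3.5 Deny inbound icmp src outside:203.0.113.9 dst inside:192.168.3.5 (type 8, code 0)",
    "6 Jan 05 2015 17:02:08 Built inbound TCP connection (unrelated line)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```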

1 Answer

Maybe the answer is yes. It is basically a hairpin NAT, attested to in a Cisco page about DNS doctoring.

I tried to make this work on another firewall in a different office. Below is some configuration that seems to redirect the traffic as I desired. I made this config in the ASDM, but I am only feeling my way through. I hope an expert can help me find flaws or better ideas.

I put extra comments to explain:

Result of the command: "show running-config"
...
!-- this server is monitoring the network anyway, so it is on 24/7
name 192.168.1.66 local-heartbeat.com description attempted destination for spoofed pings
!-- This is the destination that was blocked.
name 50.16.219.4 belkin.heartbeat.com description domain to redirect ping traffic
...
interface Vlan2 nameif outside security-level 0
 ip address 192.168.154.100 255.255.255.0 !-- Front IP of the firewall I am working on.
...
dns server-group DefaultDNS
 name-server 192.168.250.254   !-- This is the dns in the greater office complex
 domain-name theoraffice.local

!-- I read the next one is required to allow interfaces to connect in hairpin NAT.
!-- I don't know if this is a true hairpin, because the external belkin server
!-- is actually external.
same-security-traffic permit intra-interface

!-- Rule to allow pings to belkin
...
access-list outside_access_in extended permit icmp any host belkin.heartbeat.com 
...
!-- I am behind a firewall at 1.100
icmp permit 192.168.1.100 255.255.255.252 outside
...
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
...

!-- This rule is the one that redirects the ping, when I ping with domain name.
static (outside,inside) local-heartbeat.com belkin.heartbeat.com netmask 255.255.255.255 dns 
...

That is working when I ping belkin.com. Example:

[auser@192.168.2.20]$ ping heartbeat.belkin.com

Pinging heartbeat.belkin.com [192.168.1.66] with 32 bytes of data:
Reply from 192.168.1.66: bytes=32 time=2ms TTL=63
Reply from 192.168.1.66: bytes=32 time=19ms TTL=63
Reply from 192.168.1.66: bytes=32 time=20ms TTL=63
Reply from 192.168.1.66: bytes=32 time=11ms TTL=63

Ping statistics for 192.168.1.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 20ms, Average = 13ms

In that test, the ping came back from the local server.

Here are config screenshots.

Setting to allow hairpin NAT. Enable traffic between interfaces

Allows a ping attempt to the outside heartbeat server.

Hairpin NAT rule redirecting the attempt to the local host.

To test it, I removed only the hairpin NAT rule, then did ipconfig /flushdns on the Windows laptop and tried to ping belkin.com.

[auser@192.168.2.20]$ ping heartbeat.belkin.com

Pinging heartbeat.belkin.com [50.16.219.4] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 50.16.219.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Now I have two other questions.

First, with the hairpin removed, the ping headed for belkin, and was blocked. This is good, but it surprises me. Why is it blocked, though I made the rule to allow earlier and did not change that access rule at this point?

Second, why did this question get a downgrade?

ndasusers
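What the dns keyword on that static does, shown as an added Python model (not the asker's code, and not how the ASA implements it internally): an A-record answer carrying the real outside address is rewritten to the inside address before the client sees it, which is why the ping above resolves to 192.168.1.66. The mapping is taken from the answer's static; the builder and function names are my own.

```python
import struct
import socket

# Mapping from the answer's static: real outside address -> inside address.
DOCTOR_MAP = {"50.16.219.4": "192.168.1.66"}

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, mapping=DOCTOR_MAP):
    """Return a copy of a DNS reply with A-record rdata rewritten per mapping."""
    out = bytearray(msg)
    qd, an = struct.unpack("!HH", msg[4:8])         # QDCOUNT, ANCOUNT from the header
    off = 12
    for _ in range(qd):                              # question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an):                              # answer RRs
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # type A, IPv4 address
            real = socket.inet_ntoa(msg[off:off + 4])
            if real in mapping:
                out[off:off + 4] = socket.inet_aton(mapping[real])
        off += rdlen
    return bytes(out)

def build_a_reply(name, addr, txid=0x1234):
    """Constructed test input: a minimal reply with one question and one A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer

def resolved_addr(msg):
    """Address in the first A answer, i.e. what the pinging client would use."""
    qd, _an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off)
    rtype, _c, _t, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return socket.inet_ntoa(msg[off + 10:off + 14]) if rtype == 1 else None
```

Without the mapping (the answer's second test, static removed) the client keeps the real 50.16.219.4 and the echo goes to the outside, where the ASA drops the reply.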