Home / server / Questions / 656419
In Process
ndasusers
Asked: 2015-01-06 08:57:19 +0800 CST

Can I use ASA5505 to spoof the reply to a heartbeat request?

  • 772

I have a CISCO ASA 5505 in a home office. It has two subnet, public and private. There is a wifi belkin router on the private net, which provides wifi for some users. That belkin router sends out heartbeat notice to a pre-programmed ip address, but the packet is dropped by the ASA. I do not want the packet to go through. I prefer the Belkin be unable to phone home like that, but this belkin cannot disable the heartbeat check.

So, I wonder if I can make the ASA reply back to the the belkin hello instead?

Or maybe you can tell me how to make a forwarding setting with the ASA that can re-direct the heartbeat check to a host on the LAN by mapping the phone home IP address to the local network?

Here is the firewall drop message from the belkin in the ASA.

3 datetime 50.16.219.4 192.168.3.5 Deny inbound icmp src outside:50.16.219.4 dst inside:192.168.3.5 (type 0, code 0)

I'm comfortable with the CISCO ASDM interface, but I managed some config on the command line too.

Another internal DNS server (like this cure) is not really an option at this point.

Thank you for any advice.

cisco-asa

1 Answers

  1. Maybe the answer is yes. It is basically a hairpin NAT, attested to in Cisco page about dns doctoring.

    I tried to make this work on another firewall in a different office. Below are some configuration that seems to redirect the traffic as I desired. I made these config in the ASDM, but I am only feeling my way through. I hope an expert can help me find flaws or better ideas.

    I put extra comments to explain: 

    Result of the command: "show running-config"
...
!-- this server is monitoring the network anyway, so it is on 24/7
name 192.168.1.66 local-heartbeat.com description attempted destination for spoofed pings
!-- This is the destination that was blocked.
name 50.16.219.4 belkin.heartbeat.com description domain to redirect ping traffic
...
interface Vlan2 nameif outside security-level 0
 ip address 192.168.154.100 255.255.255.0 !-- Front IP of the firewall I working on.
...
dns server-group DefaultDNS
 name-server 192.168.250.254   !-- This is the dns in the greater office complex
 domain-name theoraffice.local

!-- I read the next one required to allow interfaces to connect in Hairpin NAT.
!-- I don't know if this is a true hairpin, because the external belkin server
!-- is actually external.
same-security-traffic permit intra-interface

!-- Rule to allow pings to belkin
...
access-list outside_access_in extended permit icmp any host belkin.heartbeat.com 
...
!-- I am behind a firewall at 1.100
icmp permit 192.168.1.100 255.255.255.252 outside
...
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
...

!-- This rule is the one that redirects the ping, when I ping with domain name.
static (outside,inside) local-heartbeat.com belkin.heartbeat.com netmask 255.255.255.255 dns 
...

    That is working when I ping to belkin.com. Example:

    [[email protected]]$ ping heartbeat.belkin.com

Pinging heartbeat.belkin.com [192.168.1.66] with 32 bytes of data:
Reply from 192.168.1.66: bytes=32 time=2ms TTL=63
Reply from 192.168.1.66: bytes=32 time=19ms TTL=63
Reply from 192.168.1.66: bytes=32 time=20ms TTL=63
Reply from 192.168.1.66: bytes=32 time=11ms TTL=63

Ping statistics for 192.168.1.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 20ms, Average = 13ms

    In that test, the ping came back from the local server.

    Here are config screenshots.

    Setting to allow hairpin NAT. Enable traffic between interfaces

    Allows a ping attempt to the outside heartbeat server. enter image description here

    Hairpin NAT Rule redirecting the attempt to the local host. Hairpin NAT rule

    To test it, I removed the only the hairpin NAT rule, then did ipconfig /flushdns on the windows laptop and tried to ping belkin.com. 

    [[email protected]]$ ping heartbeat.belkin.com

Pinging heartbeat.belkin.com [50.16.219.4] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 50.16.219.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Now I have two other questions.

    First, with the hairpin removed, the ping headed for belkin, and was blocked. This is good, but it surprises me. Why is it blocked, though I made the rule to allow earlier and did not change that access rule at this point?

    Second, why did this question get a downgrade?

    • 0