Solved

Additional DNS entries (Domain Name System) will need to be added to your company’s network firewall. The IP address ranges are:

Posted on 2010-08-27
Last Modified: 2012-05-10
Hello Cisco Pros. I wish I could give you 1000 points for this one. I need to know how to do this.
We have an ASA Fwall IOS ver 7.

We got this email.

We will be adding additional IP (Internet Protocol) addresses. Additional DNS entries (Domain Name System) will need to be added to your company’s network firewall. The IP address ranges are:

IP Address Range using CIDR Notation
190.162.0.0/16
IP Address with Subnet Mask
178.162.0.0 / 255.255.0.0

How do I actually do this? GUI, CLI?
Question by:chico123

8 Comments
Expert Comment

by:qbakies
Is your ASA providing DHCP for your LAN?  Are you sure you need to do this the way you are using your FW?  Posting your config will help too.
Author Comment

by:chico123
qbakies, our DHCP is our Windows 08 Server.
Here's our config.

ASA Version 7.0(8)

hostname MyFwall
domain-name default.domain1
enable password 2mK87k78.2KtIU encrypted
passwd LFt9OiSiTk80 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 75.72.65.186 255.255.255.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 85.96.100.272 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list Internet extended permit tcp any host 85.96.100.272 eq www
access-list Internet extended permit tcp any host 85.96.100.272 eq smtp
access-list Internet extended permit icmp any host 85.96.100.272
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq 135
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq 136
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq 137
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq 138
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq netbios-ssn
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq 134
access-list DMZ extended permit udp host 85.96.100.272 10.1.2.0 255.255.0.0 eq domain
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq www
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq smtp
access-list DMZ extended permit tcp host 85.96.100.272 10.1.2.0 255.255.0.0 eq https
access-list inside_nat0_outbound extended permit ip any 10.1.2.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 10.1.2.192 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool ClientVPNPool 10.1.2.200-10.20.0.215 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.2.0 255.255.255.0
access-group Internet in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy default.domain1 internal
group-policy default.domain1 attributes
 wins-server value 10.20.0.253
 dns-server value 10.20.0.253
 default-domain value default.domain1
 webvpn
username intuser password Jq3Tam6E8wjdOMin encrypted privilege 15
username rmcne password xyH0logYzUXYGkm1T encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group default.domain1 type ipsec-ra
tunnel-group default.domain1 general-attributes
 address-pool ClientVPNPool
 default-group-policy default.domain1
tunnel-group default.domain1 ipsec-attributes
 pre-shared-key $
telnet 10.0.0.0 255.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:636d8130c0eckt9830840234eca5f330
: end
default.domain1FW#
Expert Comment

by:qbakies
Did this letter come from your ISP?  There are no DNS entries in your config currently except for the DNS you hand out to VPN clients (dns-server value 10.20.0.253).  Since you don't use your ASA as a DHCP server this makes sense as DNS on a firewall only works for the firewall itself.  You shouldn't need to do anything to your firewall but to be clear can you explain your physical setup?  What is connected to the other end of your outside and inside interfaces?
Author Comment

by:chico123
The letter came from one of the agencies we submit student reports to.
1.) E0/0 we use it as an inside int.
2.) E0/1 is our outside int to Verizon.
3.) E0/2 is a dmz to our exchange server.

If I have to get it done, how would I do it? Add the entries.
Expert Comment

by:qbakies
Adding DNS entries is easy.  If you want to add a DNS server you use:

dns name-server <SERVER IP>

BUT, that letter you are posting above makes no real sense.  Is it verbatim?  It looks very suspicious:

We will be adding additional IP (Internet Protocol) addresses.
Additional DNS entries (Domain Name System) will need to be added to your company’s network firewall. <-- Why do you have to add additional DNS servers to your equipment to handle an expansion of their IP range?

The IP address ranges are: <-- If they want you to add additional DNS servers why are they giving you IP ranges?

IP Address Range using CIDR Notation
190.162.0.0/16
IP Address with Subnet Mask
178.162.0.0 / 255.255.0.0 <-- This is different than the IP range above, not long form notation.

If it were me I would call the agency and see if this is legitimate and what you actually need to do. From what I can see this letter should be strictly informational for you as DNS servers have nothing to do with an expansion of their public IP range.
Author Comment

by:chico123
qbakies, I edited the real IPs; the ones you see there are just examples.
Here's the real IP.

IP Address Range using CIDR Notation
170.146.0.0/16
IP Address with Subnet Mask
170.146.0.0 / 255.255.0.0

And the email we got is 100% real, and from a trusted site.

Here's another part of the email.

If you have modified your firewall to restrict outbound IP access, you will need to update the firewall to enable connectivity to these new IP address ranges.

If there are no IP restrictions employed, no additional action is required.

Note: This new IP address range must be configured prior to September 8th, 2010.

Accepted Solution

by:qbakies (earned 500 total points)
Ah, OK, that makes a lot more sense.

"If you have modified your firewall to restrict outbound IP access, you will need to update the firewall to enable connectivity to these new IP address ranges.  If there are no IP restrictions employed, no additional action is required."

According to your config you don't restrict any outbound traffic so this letter is just informational in your case.  There is no need to add any DNS servers to your config.
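Added example, not code from the thread, from Cisco, or from either participant: a small Python script that applies the check qbakies made by hand. It parses the access-group bindings and extended ACEs from ASA config text, decides whether an ACL applied inbound on the inside interface restricts outbound traffic at all (if none is bound, the letter is informational, as in this thread), and, if one does, tests whether the bound ACL already covers the new range and renders the ACE that would be needed. It also normalises the two notations the email used, which catches the mismatched ranges qbakies spotted in the first copy of the letter. The two config samples, the ACL name outbound_restrict and the addresses in them are constructed for the example, not taken from the thread's config.

```python
"""Added example (not from the thread): apply qbakies' reasoning to an ASA config.
The email only matters if outbound traffic is restricted, i.e. an ACL is applied
inbound on the inside interface; this script checks that, compares the two range
notations from the email, and renders the ACE a restriction would require."""
import ipaddress
import re

# Constructed sample config (not the thread's): the only bound ACL sits on the
# outside interface, so traffic leaving the inside is unrestricted.
UNRESTRICTED_CONFIG = """\
access-list Internet extended permit tcp any host 203.0.113.10 eq www
access-list outbound_restrict extended permit tcp 10.1.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www
access-list inside_nat0_outbound extended permit ip any 10.1.2.0 255.255.255.128
access-group Internet in interface outside
"""

# Same config with a second ACL bound inbound on the inside interface, which is
# what "restrict outbound IP access" looks like on an ASA (hypothetical ACL name).
RESTRICTED_CONFIG = UNRESTRICTED_CONFIG + "access-group outbound_restrict in interface inside\n"

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator -> tokens consumed


def to_network(text):
    """Accept '170.146.0.0/16' or '170.146.0.0 / 255.255.0.0' and return one network."""
    return ipaddress.ip_network(text.replace(" ", ""), strict=False)


def parse_config(config):
    """Return ({interface: (acl, direction)}, {acl: [ace, ...]}) from ASA config text."""
    access_groups, acls = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m:
            access_groups[m.group(3)] = (m.group(1), m.group(2))
            continue
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$", line)
        if m:  # only literal-address extended ACEs are understood
            acls.setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "tokens": m.group(4).split()})
    return access_groups, acls


def _take_address(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "object-group":
        raise ValueError("object-group references are not expanded by this example")
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def ace_endpoints(ace):
    """Return (source, destination) networks of an ACE, skipping a source port operator."""
    tokens = ace["tokens"]
    src, i = _take_address(tokens, 0)
    if i < len(tokens) and tokens[i] in PORT_OPS:
        i += PORT_OPS[tokens[i]]
    dst, _ = _take_address(tokens, i)
    return src, dst


def outbound_verdict(config, new_range, inside="inside"):
    """First-match evaluation, as the ASA does it, of the ACL bound inbound on `inside`;
    an ACE counts only if its destination covers the whole new range."""
    groups, acls = parse_config(config)
    binding = groups.get(inside)
    if binding is None or binding[1] != "in":
        return {"restricted": False, "permitted": True,
                "reason": f"no ACL applied inbound on {inside}: outbound traffic is unrestricted"}
    acl_name = binding[0]
    for ace in acls.get(acl_name, []):
        try:
            _, dst = ace_endpoints(ace)
        except (ValueError, IndexError):
            continue  # unsupported ACE form; an audit would expand it by hand
        if new_range.subnet_of(dst):
            return {"restricted": True, "permitted": ace["action"] == "permit",
                    "reason": f"{acl_name} first-matches {new_range} with '{ace['action']}'"}
    return {"restricted": True, "permitted": False,
            "reason": f"{acl_name} has no entry covering {new_range}: implicit deny applies"}


def suggested_ace(acl_name, src_net, new_range):
    """Render the ACE (ASA 'address mask' form) that would permit src_net -> new_range."""
    return (f"access-list {acl_name} extended permit ip "
            f"{src_net.network_address} {src_net.netmask} "
            f"{new_range.network_address} {new_range.netmask}")


if __name__ == "__main__":
    agency = to_network("170.146.0.0 / 255.255.0.0")  # the range from the email
    for name, cfg in (("unrestricted", UNRESTRICTED_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        verdict = outbound_verdict(cfg, agency)
        print(name, verdict)
        if verdict["restricted"] and not verdict["permitted"]:
            print("  would need:", suggested_ace("outbound_restrict", to_network("10.1.2.0/24"), agency))
```

The unrestricted sample reproduces the thread's situation: the only access-group is on the outside interface, so nothing filters traffic leaving the inside and the verdict is "no change needed". The restricted sample shows the case the email is actually written for, where the bound ACL ends in the implicit deny and an ACE for the new range has to be added.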
Author Closing Comment

by:chico123
Reason to close it is that I couldn't find the answer.