Can I use ASA5505 to spoof the reply to a heartbeat request?

I have a Cisco ASA 5505 in a home office. It has two subnets, public and private. There is a Belkin wifi router on the private net, which provides wifi for some users. That Belkin router sends out a heartbeat notice to a pre-programmed IP address, but the packet is dropped by the ASA. I do not want the packet to go through. I prefer the Belkin be unable to phone home like that, but this Belkin cannot disable the heartbeat check.

So, I wonder if I can make the ASA reply back to the Belkin hello instead?

Or maybe you can tell me how to make a forwarding setting with the ASA that can redirect the heartbeat check to a host on the LAN by mapping the phone-home IP address to the local network?

Here is the firewall drop message from the Belkin in the ASA log.

3 datetime Deny inbound icmp src outside: dst inside: (type 0, code 0)

I'm comfortable with the Cisco ASDM interface, but I have managed some config on the command line too.

Another internal DNS server (like this cure) is not really an option at this point.

Thank you for any advice.
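The drop message quoted above is ICMP type 0, code 0, which is an echo reply coming back in from the outside interface; the ASA logs that as message 106014 when no inspection or access rule permits the reply. The following is an added example, not code from the question or from Cisco: a small Python parser for lines in the shape of 106014 that counts dropped echo replies from the phone-home address per inside host. The sample log lines and all addresses are constructed for the example (documentation ranges), and a non-zero count is the signal a defender wants, since a reply can only be dropped if the request already left the LAN.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of ASA message 106014 ("Deny inbound icmp")
# plus one unrelated message; the addresses are documentation ranges, not from the page.
SAMPLE_LOG = """\
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.50 dst inside:192.168.1.20 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.50 dst inside:192.168.1.20 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:192.168.1.5 (type 8, code 0)
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.50/0 gaddr 192.0.2.1/1 laddr 192.168.1.20/1
"""

# Pattern for "%ASA-<sev>-106014: Deny inbound icmp src <if>:<ip> dst <if>:<ip> (type N, code N)".
DENY_ICMP = re.compile(
    r"%ASA-(?P<sev>\d)-106014: Deny inbound icmp "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP type numbers that matter for a ping heartbeat; 0 is the echo reply seen in the question.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_deny_icmp(line):
    """Return a dict with the fields of a 106014 line, or None for any other message."""
    m = DENY_ICMP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "type", "code"):
        rec[key] = int(rec[key])
    rec["type_name"] = ICMP_TYPE_NAMES.get(rec["type"], "other")
    return rec


def heartbeat_replies(log_text, heartbeat_ip):
    """Count dropped echo replies from heartbeat_ip, keyed by the inside host that was pinged back.

    A dropped reply means the inside device already sent its request through the
    firewall; the ASA is only discarding the answer, not the heartbeat itself.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny_icmp(line)
        if rec and rec["src"] == heartbeat_ip and rec["type"] == 0:
            counts[rec["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed phone-home address for the demo run.
    for host, n in heartbeat_replies(SAMPLE_LOG, "203.0.113.50").items():
        print(f"{host}: {n} dropped echo replies from the heartbeat address")
```

Point the script at an exported ASA syslog file instead of the constructed `SAMPLE_LOG` and pass the real phone-home address to see which inside hosts are still sending the heartbeat.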


Maybe the answer is yes. It is basically a hairpin NAT, attested to in the Cisco page about DNS doctoring.

I tried to make this work on another firewall in a different office. Below is some configuration that seems to redirect the traffic as I desired. I made this config in the ASDM, but I am only feeling my way through. I hope an expert can help me find flaws or better ideas.

I put extra comments to explain:

Result of the command: "show running-config"
!-- this server is monitoring the network anyway, so it is on 24/7
name description attempted destination for spoofed pings
!-- This is the destination that was blocked.
name description domain to redirect ping traffic
interface Vlan2
 nameif outside
 security-level 0
 ip address !-- Front IP of the firewall I'm working on.
dns server-group DefaultDNS
 name-server   !-- This is the dns in the greater office complex
 domain-name theoraffice.local

!-- I read the next one is required to allow interfaces to connect in hairpin NAT.
!-- I don't know if this is a true hairpin, because the external Belkin server
!-- is actually external.
same-security-traffic permit intra-interface

!-- Rule to allow pings to Belkin
access-list outside_access_in extended permit icmp any host 
!-- I am behind a firewall at 1.100
icmp permit outside
global (outside) 1 interface
nat (inside) 1

!-- This rule is the one that redirects the ping, when I ping with domain name.
static (outside,inside) netmask dns 

That is working when I ping to Example:

[auser@]$ ping

Pinging [] with 32 bytes of data:
Reply from bytes=32 time=2ms TTL=63
Reply from bytes=32 time=19ms TTL=63
Reply from bytes=32 time=20ms TTL=63
Reply from bytes=32 time=11ms TTL=63

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 20ms, Average = 13ms

In that test, the ping came back from the local server.

Here are config screenshots.

Setting to allow hairpin NAT.
Enable traffic between interfaces

Allows a ping attempt to the outside heartbeat server.

Hairpin NAT Rule redirecting the attempt to the local host.
Hairpin NAT rule

To test it, I removed only the hairpin NAT rule, then did ipconfig /flushdns on the Windows laptop and tried to ping

[auser@]$ ping

Pinging [] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Now I have two other questions.

First, with the hairpin removed, the ping headed for Belkin and was blocked. This is good, but it surprises me. Why is it blocked, even though I made the allow rule earlier and did not change that access rule at this point?

Second, why did this question get a downgrade?
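To make concrete what the `dns` keyword on the `static` line does in the answer above, here is an added example, not code from the answer or from Cisco: a Python model of DNS doctoring that parses a wire-format DNS response and rewrites any A record whose address matches a public-to-inside mapping, which is how the ping by name ends up at the local server while the address the Belkin was given by DNS stays pointed at the phone-home host. The response builder, the domain name and the addresses are constructed for the example; the mapping direction (public address rewritten to the inside host's address on replies headed into the LAN) is an assumption that matches the page's description of the working setup.

```python
import socket
import struct


def build_a_response(qname, ips, txid=0x1234, ttl=60, compress=False):
    """Constructed DNS response: one A question and one A answer per address.

    With compress=True the answer names are a pointer (0xC00C) to the question name,
    so the parser's compression-pointer branch is exercised as well.
    """
    def encode_name(name):
        out = b""
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        return out + b"\x00"

    # Header: id, flags (QR|RD|RA), qdcount, ancount, nscount, arcount.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    answer_name = b"\xc0\x0c" if compress else encode_name(qname)
    answers = b""
    for ip in ips:
        answers += answer_name + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_rdata_offsets(msg):
    """Yield the offset of each 4-byte A rdata in the answer/authority/additional sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answered_ips(msg):
    """List the A-record addresses carried in a response."""
    return [socket.inet_ntoa(bytes(msg[o:o + 4])) for o in _a_rdata_offsets(msg)]


def doctor_response(msg, mapping):
    """Rewrite A rdata per mapping {public_ip: inside_ip}; returns (new_bytes, rewrite_count).

    Only the 4-byte rdata changes, so the message length and all name offsets stay valid.
    """
    out = bytearray(msg)
    rewritten = 0
    for o in _a_rdata_offsets(out):
        ip = socket.inet_ntoa(bytes(out[o:o + 4]))
        if ip in mapping:
            out[o:o + 4] = socket.inet_aton(mapping[ip])
            rewritten += 1
    return bytes(out), rewritten


if __name__ == "__main__":
    # Constructed heartbeat name, public address and local server address.
    reply = build_a_response("heartbeat.example.net", ["203.0.113.50"])
    fixed, n = doctor_response(reply, {"203.0.113.50": "192.168.1.100"})
    print("before:", answered_ips(reply), "after:", answered_ips(fixed), "rewritten:", n)
```

Removing the mapping (the equivalent of deleting the static rule in the test above) leaves the response untouched, so the client resolves the real public address and its ping goes out toward the phone-home host instead of the local server.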

Source: Link, Question Author: ndasusers, Answer Author: ndasusers
