Can a Local DNS Server be used across several [LAN] Networks?

TheGoob
Level 4

Hello

I run PiHole as a LOCAL DNS Server as well as DNS [WAN] in general. Currently my DHCP Server is handing out IPs and is also using 192.168.5.115 as DNS, as it is PiHole. With dividing up my network into VLANs, thus creating other networks, can I still use 192.168.5.115 on, let's say, 192.168.2.0/192.168.3.0, etc.? Port 53 will obviously be open to these subnets. I was just curious if it would work.

20 Replies

TheGoob
Level 4

Unfortunately it is a little chopped, as I have been trying everything.

Here is the running-config:


: Serial Number: JAD2537040H
: Hardware:   FPR-1010, 2587 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.4.1
!
hostname FPR1010
enable password ***** encrypted
strong-encryption-disable
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto



!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif fbeye
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif fhc
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan4
 nameif ceyea
 security-level 0
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan5
 nameif proxmox
 security-level 0
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan6
 nameif 177
 security-level 0
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet1/1
 no switchport
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 pppoe client vpdn group HomeDSL
 ip address pppoe setroute
!
interface Ethernet1/2
 switchport
 no security-level
!
interface Ethernet1/3
 switchport
 switchport access vlan 2
 no security-level
!
interface Ethernet1/4
 switchport
 switchport access vlan 3
 no security-level
!
interface Ethernet1/5
 switchport
 switchport access vlan 4
 no security-level
!
interface Ethernet1/6
 switchport
 switchport access vlan 5
 no security-level
!
interface Ethernet1/7
 switchport
 switchport access vlan 6
 power inline never
 no security-level
!
interface Ethernet1/8
 switchport
 power inline auto
 no security-level
!
interface Management1/1
 management-only
 nameif management
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 2620:119:35::35
dns server-group Google
 name-server 8.8.8.8
 name-server 1.1.1.1
 name-server 8.8.4.4
dns-group Google
no object-group-search access-control
object network fhc_lan
 subnet 192.168.2.0 255.255.255.0
object network 177_lan
 subnet 192.168.6.0 255.255.255.0
object network OMV
 host 192.168.2.181
object network any-ipv6
 subnet ::/0
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
 subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
 subnet 192.168.0.0 255.255.0.0
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network fbeye_lan
 subnet 192.168.1.0 255.255.255.0
object network fbeye_wan
 host x.x.x.180
object network 177_wan
 host x.x.x.177
object network ceyea_wan
 host x.x.x.179
object network proxmox_lan
 subnet 192.168.4.0 255.255.255.0
object network fbeye_mail
 host 192.168.1.180
object network fhc_wan
 host x.x.x.181
object network ceyea_lan
 subnet 192.168.3.0 255.255.255.0
object network proxmox_wan
 host x.x.x.178
object network pihole
 host 192.168.4.115
object-group network IPv4-Private-All-RFC1918
 network-object object IPv4-Private-10.0.0.0-8
 network-object object IPv4-Private-172.16.0.0-12
 network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435457
 service-object ip
object-group service |acSvcg-268435466
 service-object ip
object-group service |acSvcg-268435460
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service |acSvcg-268435461
 service-object tcp destination eq 32400
object-group service |acSvcg-268435462
 service-object udp destination eq 51820
object-group service |acSvcg-268435463
 service-object tcp destination eq ssh
object-group service |acSvcg-268435464
 service-object tcp destination eq smtp
 service-object tcp destination eq 993
object-group service |acSvcg-268435465
 service-object tcp destination eq ssh
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc 177 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc ceyea any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc fbeye any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc fhc any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc proxmox any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: Inside_to__LAN
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc 177 any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc ceyea any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc fbeye any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc fhc any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc proxmox any rule-id 268435466
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: 181_NGINX_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside any ifc fhc object OMV rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: 181_Plex_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc fhc object OMV rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: 181_Wireguard_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside any ifc fhc object OMV rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: 181_SSH_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside any ifc fhc object OMV rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: 180_fbeye_Mail_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside any ifc fbeye object fbeye_mail rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435465: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435465: L5 RULE: 180_fbeye_SSH_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 ifc outside any ifc fbeye object fbeye_mail rule-id 268435465
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu fbeye 1500
mtu fhc 1500
mtu ceyea 1500
mtu proxmox 1500
mtu 177 1500
mtu outside 1500
mtu management 1500
no failover
failover replication http
no monitor-interface inside
no monitor-interface fbeye
no monitor-interface fhc
no monitor-interface ceyea
no monitor-interface proxmox
no monitor-interface 177
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
management-interface convergence
nat (fbeye,outside) source static fbeye_lan fbeye_wan
nat (fhc,outside) source static fhc_lan fhc_wan
nat (ceyea,outside) source static ceyea_lan ceyea_wan
nat (proxmox,outside) source static proxmox_lan proxmox_wan
nat (177,outside) source static 177_lan 177_wan
!
nat (inside,outside) after-auto source dynamic any-ipv4 interface

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
ip-client fbeye
ip-client fbeye ipv6
ip-client 177
ip-client 177 ipv6
ip-client fhc
ip-client fhc ipv6
ip-client outside
ip-client outside ipv6
ip-client inside
ip-client inside ipv6
ip-client management
ip-client management ipv6
ip-client ceyea
ip-client ceyea ipv6
ip-client proxmox
ip-client proxmox ipv6
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca permit-weak-crypto
crypto ca trustpool policy
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
vpdn group HomeDSL request dialout pppoe
vpdn group HomeDSL localname [blank]
vpdn group HomeDSL ppp authentication chap
vpdn username [blank]
dhcpd auto_config outside
!
dhcpd address 192.168.1.101-192.168.1.254 fbeye
dhcpd enable fbeye
!
dhcpd address 192.168.6.101-192.168.6.254 177
dhcpd enable 177
!
dhcpd address 192.168.2.101-192.168.2.254 fhc
dhcpd enable fhc
!
dhcpd address 192.168.5.2-192.168.5.254 inside
dhcpd enable inside
!
dhcpd address 192.168.3.101-192.168.3.254 ceyea
dhcpd enable ceyea
!
dhcpd address 192.168.4.101-192.168.4.254 proxmox
dhcpd enable proxmox
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect xdmcp
 class class_snmp
  inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
snort multichannel-lb enable
no dp-tcp-proxy
Cryptochecksum:5cdeb97bbe81dfda703bd840809c9192
: end

TheGoob
Level 4

Here are pics of NAT and ACLs: ACL.jpg, NAT.jpg

TheGoob
Level 4

Alright so I think I have everything right.

I changed all my [STATIC] WAN to NETWORK [VLAN] NATs from STATIC to DYNAMIC, as the network is a whole subnet, not a single 1-to-1 NAT. All 6 VLANs grab their IP and have the correct WAN address.

I added my STATIC NAT port forwards for my various internal servers and put them ABOVE their associated NAT [PAT] WAN-to-LAN rules; I can now access my email servers and nginx servers and such...

With the NAT, I also created the appropriate ACLs to actually be able to access the inside servers. I have verified on various VLANs/servers that I can indeed access them, so far all is great!!!

I verified my ACL was legit because, for fun, I changed it to BLOCK and indeed I now cannot access.

My question is... I use ALLOW and not TRUST, right? I assume TRUST = [more or less] YOU ARE ALL WELCOME WITHOUT INSPECTION, whereas ALLOW requires access to be approved, as in, the ports allowed?

ALLOW means the traffic passes the ACP and is sent to Snort for more inspection.

TRUST means the traffic passes the ASP and bypasses Snort, going directly without any more inspection.

MHM
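As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python first-match evaluator over ACL lines written in the same format as the running-config above. It shows why the opening question needs a rule of its own and what the ALLOW/TRUST distinction means per flow: the existing Inside_to__LAN trust rules only cover the inside interface, so a DNS query from another VLAN to the pihole object falls through to the default deny unless a permit for UDP/TCP 53 to that host exists. The `|acSvcg-DNS` group and rule-id 900000001 are hypothetical placeholders for such a rule, and the port-name table is an assumption.

```python
import re

# Constructed excerpt in the format of the running-config above: its pihole object, one of its
# Inside_to__LAN trust rules and its default deny, plus a hypothetical DNS group/rule (|acSvcg-DNS, rule-id 900000001).
CONFIG = """\
object network pihole
 host 192.168.4.115
object-group service |acSvcg-268435466
 service-object ip
object-group service |acSvcg-DNS
 service-object udp destination eq domain
 service-object tcp destination eq domain
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc proxmox any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-DNS ifc fhc any ifc proxmox object pihole rule-id 900000001
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
"""

PORTS = {"domain": 53, "ssh": 22, "www": 80, "https": 443, "smtp": 25}  # assumed name-to-port table
ACL_RE = re.compile(r"access-list \S+ advanced (trust|permit|deny) (?:object-group (\S+)|ip) "
                    r"(?:ifc (\S+) \S+ ifc (\S+) (?:object (\S+)|any)|any any) rule-id (\d+)")

def parse(config):
    """Return host objects, service groups and the ordered ACL rules found in the text."""
    objects, groups, rules, cur = {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = ("obj", m.group(1))
        elif m := re.match(r"object-group service (\S+)", line):
            cur = ("svc", m.group(1))
            groups[cur[1]] = []
        elif (m := re.match(r" host (\S+)", line)) and cur and cur[0] == "obj":
            objects[cur[1]] = m.group(1)
        elif (m := re.match(r" service-object (\S+)(?: destination eq (\S+))?", line)) and cur and cur[0] == "svc":
            port = m.group(2)
            groups[cur[1]].append((m.group(1), int(PORTS.get(port, port)) if port else None))
        elif m := ACL_RE.match(line):
            rules.append(m.groups())  # (action, service group, src ifc, dst ifc, dst object, rule-id)
    return objects, groups, rules

def evaluate(config, src_ifc, dst_ifc, dst_ip, proto, dport):
    """First-match walk of the ACL: 'trust' bypasses Snort, 'permit' allows the flow but
    still sends it to Snort, and a flow that matches nothing is denied."""
    objects, groups, rules = parse(config)
    for action, group, sifc, difc, dobj, rid in rules:
        if sifc not in (None, src_ifc) or difc not in (None, dst_ifc): continue
        if dobj and objects.get(dobj) != dst_ip: continue
        if group and not any(p == "ip" or (p == proto and pt in (None, dport)) for p, pt in groups[group]): continue
        return action, rid
    return "deny", "implicit"
```

A VLAN with no rule of its own (ceyea, for instance) falls through to rule-id 1 for the same DNS query, which is the check to run before assuming port 53 "is open".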

TheGoob
Level 4

Well, everything works now. Local DNS, ACLs, NAT etc. Wow, this is crazy, I got it all working and I thank everyone.

You are so so welcome, friend, any time.
Glad your lab is finished.
Have a nice day.
MHM
