
Integration for ASA – Solution Guide for Umbrella


## Introduction

As the administrator of a Cisco Adaptive Security Appliance (ASA), you can connect to the free and fast Cisco Umbrella global network DNS service, which offers you visibility into all internet traffic originating from your ASA and results in a faster internet experience for your users. If you then want to add an additional layer of DNS security to your ASA, the easy-to-establish connection to Cisco Umbrella enables you to access our free trial—which you can set up (by yourself) in less than five minutes.

## Using the Cisco Umbrella global network's DNS Services

Umbrella's global DNS network (previously OpenDNS) provides access to a leader in network security and DNS services, enabling the world to connect to the Internet with confidence on any device, anywhere, anytime. The Umbrella cloud-delivered network security service blocks command & control callbacks, malware, and phishing from compromising systems and exfiltrating data over any port, protocol, or app. We apply statistical models to real-time and historical DNS data to predict domains that are likely malicious and could be used in future attacks. Umbrella protects all devices globally without hardware to install or software to maintain. Cisco has data centers across all regions of the world to ensure that the first hop to the service is as fast as possible.

This document covers how to configure the Cisco Adaptive Security Appliance (ASA) to use the Umbrella IP addresses of 208.67.222.222 and 208.67.220.220.

Additionally, if you are using a DNS forwarder as the primary DNS server for your network, this document covers how to update Windows 2003 Server, Windows 2008 Server, Windows 2012 Server or BIND Server to use Umbrella's DNS.

Once you’ve configured your Cisco infrastructure to point to Umbrella, you can sign up for either a free premium DNS account or a free 14-day trial of Umbrella.

**Free Premium DNS:**
We offer a free, fast recursive DNS service which gives you [visibility into all of your Internet traffic originating from your ASA device](https://store.opendns.com/premiumdns/?utm_source=asa&utm_medium=ciscopartner&utm_campaign=asa-guide-free-trial-home).

**Free Umbrella 14-Day Trial:**
If you want to add an additional layer of DNS security to your ASA, try our free trial—you can set it up yourself in less than five minutes. Sign up at umbrella.com today!

## Setting up Umbrella for a Cisco Network

Traditionally there are several places where a network administrator might change public recursive DNS settings to use Umbrella, but exactly where the change is made depends on the network configuration.

>**Note:** If you’re not certain whether you have a DNS forwarder on your ASA or DNS server, the best way to determine what needs to be changed is to see what device is being used as the DNS server for client workstations that are receiving DHCP from the network. This information is typically in the DNS section of the network adapter settings on the client workstation.

In smaller networks, such as a home or guest network, there are no internal resources that require a DNS server be configured for the network. In that case, changing the DNS Server settings on the gateway appliance (an ASA in this case) from another DNS server to Umbrella is all that is required. The Umbrella IPs may be distributed via DHCP to the endpoint clients to use to resolve web addresses directly, or the gateway router or access point can act as a forwarder and the IP of the router is then the DNS server address for the clients. In a network like this, the instructions for How to configure DNS servers for the Cisco Adaptive Security Appliance DHCP server are applicable.

Most mid-to-large size networks use a DNS forwarder on a DNS server. Typically this is a server running Windows Server with DNS services installed, or a server running BIND.
The DNS server resolves requests to internal resources, such as file shares or printers. The DNS forwarder forwards any requests for zones not hosted on the DNS server to Umbrella. Umbrella resolves the domain to an IP and returns that information to the DNS forwarder.

Instructions to update your DNS forwarder to use Umbrella for Windows Server 2003, 2008, 2012 and BIND can be found in the Configuring your DNS Forwarder for Umbrella section of this document.

### How to configure DNS client services on the Cisco Adaptive Security Appliance

**Note:** If the ASA needs to resolve internal DNS then it must use internal DNS servers. In this scenario, the internal DNS servers are configured to use Umbrella as their DNS forwarders.

Example Configuration

```text
hostname(config)# dns domain-lookup inside
hostname(config)# dns server-group Umbrella
hostname(config-dns-server-group)# name-server 208.67.222.222 208.67.220.220
```

For more information on DNS configuration, see [Configuring the DNS Server](http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/basic_hostname_pw.html#pgfId-1080248).

### How to configure DNS servers for the Cisco Adaptive Security Appliance DHCP server

Example Configuration

```text
hostname(config)# dhcpd dns 208.67.222.222 208.67.220.220
```

For more information on DHCP configuration, see [Enabling the DHCP Server](http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/basic_dhcp.html#pgfId-1251512).

## Configuring your DNS forwarder for Umbrella

Even with a Cisco device in place at the gateway or egress, DNS for networks is often handled by DNS forwarders installed on DNS servers within the network environment. A DNS forwarder is a DNS server on a network that forwards DNS queries for external domain names to the Umbrella servers.
A DNS server on a network is designated as a forwarder when the other DNS servers in the network are configured to forward the queries that they cannot resolve locally to that DNS server.

The following instructions cover how to configure your DNS forwarder to use the Umbrella public DNS servers for BIND and Windows Server 2003, 2008 and 2012.

### Windows Server 2003 and 2003 R2

1. From the Start menu, navigate to Administrative Tools > DNS.
2. Choose the DNS server you want to edit.
3. Select Forwarders.
4. Select All Other DNS domains in the DNS domains list.
5. Add Umbrella IP addresses to the selected server’s forwarder IP address list.

Please write down your current DNS settings before switching to Umbrella, in case you want to return to your old settings for any reason.

Umbrella's addresses are 208.67.222.222 and 208.67.220.220.

![2003-server.png](https://files.readme.io/ZrilPe7Rxe494r9gDw8X_2003-server.png)

6. Click **OK** to confirm the changes.

We recommend that you flush the DNS resolver cache of the server and the DNS caches of the clients/users using the DNS server to ensure that your new DNS configuration settings take immediate effect.

### Windows Server 2008 and 2008 R2

1. From the Start menu, navigate to Administrative Tools > DNS.
2. Choose the DNS server you want to edit.
3. Select Forwarders.
4. Click **Edit**.
5. Add Umbrella addresses in the selected server’s forwarder IP address list.

Please write down your current DNS settings before switching to Umbrella, in case you want to return to your old settings for any reason.

Umbrella's addresses are 208.67.222.222 and 208.67.220.220.

![2008.png](https://files.readme.io/gbYKtCMQwSoqrwFsbNGu_2008.png)

6. Click **OK**.
7. Click **OK** again to confirm the changes.

We recommend that you flush the DNS resolver cache of the server and the DNS caches of the clients/users using the DNS server to ensure that your new DNS configuration settings take immediate effect.

### Windows Server 2012 and 2012 R2

1. In the Start menu, type DNS into Search.
2. Select DNS from the search results.
3. Choose the DNS server you want to edit.
4. Select Forwarders.
5. Click **Edit**.
6. Add Umbrella addresses to the selected server’s forwarder IP address list.

Please write down your current DNS settings before switching to Umbrella, in case you want to return to your old settings for any reason.

Umbrella's addresses are 208.67.222.222 and 208.67.220.220.

![2012.png](https://files.readme.io/29r8c3dRNCSnJ7a7xDQa_2012.png)

7. Click **OK**.
8. Click **OK** again to confirm the changes.

### BIND-based DNS server: Configure BIND to use Umbrella via the shell and Webmin

To point your BIND-based DNS server to use Umbrella resolvers for external resolution you need to modify the file named.conf.options and add the Umbrella resolvers as forwarders.
This can be done in one of two ways:

- Via the command line, Shell\SSH
- Via a GUI if you have Webmin installed on your BIND server

*Shell\SSH Instructions*

1. Connect directly to your server or SSH to it.
2. Go into /etc/bind.
*Note:* this is the default location, so you may need to change this based on your configuration.
3. Edit named.conf.options in your favorite text editor.
4. Click **Edit**.
5. In named.conf.options, look for a line that starts with `forwarders {`.
If the forwarders are already configured then just change the current resolver IPs to Umbrella’s IP addresses, which are 208.67.222.222 and 208.67.220.220.
If the line starting with `forwarders {` isn’t there, you can add it right above the last `};`

```text
forwarders {
    208.67.222.222;
    208.67.220.220;
};
```

6. Save the file to confirm your changes.

*Webmin Instructions*

These steps produce exactly the same result as the above, except that the Webmin GUI will modify the file named.conf.options for you.

1. Log into Webmin.
2. Navigate to **Servers > BIND DNS Server**.

![webmin1.png](https://files.readme.io/LdxwavUaQL2xLGGrLE3u_webmin1.png)

3. Choose **Forwarding and Transfers**.

![webmin2.png](https://files.readme.io/01h16V8CR9qguufUYWPq_webmin2.png)

4. Add Umbrella’s IP addresses, which are 208.67.222.222 and 208.67.220.220, under the **Servers to forward queries to** section:

![webmin3.png](https://files.readme.io/PVeZm3JQTKC28p6ThORu_webmin3.png)

5. Click **Save** to confirm the changes.
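
Whichever BIND procedure was used (shell or Webmin), it is worth confirming that named.conf.options now forwards only to the Umbrella resolvers, because queries sent to a leftover forwarder never reach Umbrella. The script below is an added example, not part of the original guide or of Cisco's tooling; its function names and both sample files are constructed, and it assumes the file uses one-line comments only.

```shell
#!/bin/sh
# Added example: audit which forwarders a BIND options file actually uses.
# Function names and both sample files are constructed for illustration.
UMBRELLA_RESOLVERS="208.67.220.220 208.67.222.222"   # from the guide, sorted

# Print the address of every active forwarder, one per line, sorted.
# One-line comments are stripped first so a commented-out resolver is not counted.
list_forwarders() {
    awk '
    {
        gsub(/\/\*.*\*\//, "")   # one-line /* ... */ comments
        sub(/\/\/.*/, "")        # // comments
        sub(/[#].*/, "")         # shell-style comments
        text = text " " $0
    }
    END {
        while (match(text, /forwarders[ \t]*[{][^}]*[}]/)) {
            block = substr(text, RSTART, RLENGTH)
            text = substr(text, RSTART + RLENGTH)
            sub(/^forwarders[ \t]*[{]/, "", block)
            sub(/[}]$/, "", block)
            # Entries end in ";"; the first word of each is the address.
            n = split(block, entry, ";")
            for (i = 1; i <= n; i++)
                if (split(entry[i], word, " ") > 0) print word[1]
        }
    }' "$1" | LC_ALL=C sort -u
}

# Print active forwarders that are not Umbrella resolvers.
unexpected_forwarders() {
    list_forwarders "$1" | while read -r addr; do
        case " $UMBRELLA_RESOLVERS " in
            *" $addr "*) ;;
            *) echo "$addr" ;;
        esac
    done
}

# Succeed only if the active forwarders are exactly the two Umbrella resolvers.
check_umbrella_forwarders() {
    found=$(list_forwarders "$1" | tr '\n' ' ')
    [ "${found% }" = "$UMBRELLA_RESOLVERS" ]
}

# Constructed sample: an old resolver is still active next to one Umbrella IP.
write_sample_before() { cat > "$1" <<'EOF'
options {
    // forwarders { 198.51.100.53; };
    forwarders {
        192.0.2.53;        # previous upstream resolver
        208.67.222.222;
    };
};
EOF
}
# Constructed sample: the forwarders statement after the change in this guide.
write_sample_after() { cat > "$1" <<'EOF'
options {
    forwarders { 208.67.222.222; 208.67.220.220; };
};
EOF
}

# Audit the files named on the command line, or the two samples if none.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d); write_sample_before "$tmp/before.conf"
    write_sample_after "$tmp/after.conf"; set -- "$tmp"/*.conf
fi
for f in "$@"; do
    if check_umbrella_forwarders "$f"; then echo "OK   $f"
    else echo "FAIL $f: unexpected $(unexpected_forwarders "$f" | tr '\n' ' ')"; fi
done
if [ -n "${tmp:-}" ]; then rm -rf "$tmp"; fi
```

Running `named-checkconf` on the edited file before reloading BIND catches syntax errors such as a missing `;`.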