topic Re: CSR1000v DNS Issues in Network Security

CSR1000v DNS Issues

joematrix77 — Fri, 17 Mar 2023 10:23:31 GMT

I'm having issues with my networks not being able to resolve websites. I'm trying to configure DNS servers on internal segments without putting them on the public network. So basically, port forwarding ideally, I would like to have one DNS server in the DMZ resolving and one internally able to resolve URLs. I can ping outside but can't resolve website urls. 192.168.1.1 is my ISP network gateway. I'm basically asking what is "nat (inside,outside) after-auto source dynamic any interface" equivalent command on this router? Am I missing something?

Here's my current config:

ip name-server 192.168.1.1#ISP 192.168.0.83#INSIDE 10.4.43.83#DMZ

ip domain name xyz.com

interface GigabitEthernet1

ip address 192.168.1.3 255.255.255.0

ip nat outside

negotiation auto

no mop enabled

no mop sysid

interface GigabitEthernet2

no ip address

negotiation auto

no mop enabled

no mop sysid

interface GigabitEthernet2.43

encapsulation dot1Q 443

ip address 192.168.43.2 255.255.255.0

ip nat inside

standby 1 ip 192.168.43.1

cdp enable

interface GigabitEthernet2.100

encapsulation dot1Q 100

ip address 192.168.0.2 255.255.255.0

ip nat inside

standby 1 ip 192.168.0.1

cdp enable

interface GigabitEthernet3

ip address 10.1.200.1 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

router bgp 443

bgp router-id 192.168.43.1

bgp log-neighbor-changes

redistribute connected

neighbor 192.168.43.5 remote-as 443

neighbor 192.168.43.6 remote-as 443

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map track-primary-if interface GigabitEthernet1 overload

ip nat inside source list 1 interface GigabitEthernet2.100 overload

ip nat inside source list 43 interface GigabitEthernet2.43 overload

ip nat inside source list 100 interface GigabitEthernet2.100 overload

ip nat inside source list 143 interface GigabitEthernet2.43 overload

ip nat inside source list 144 interface GigabitEthernet2.43 overload

ip default-network 192.168.1.1

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1

ip route 10.4.43.0 255.255.255.0 GigabitEthernet2.43 192.168.43.4

ip route 192.168.0.0 255.255.255.0 GigabitEthernet2.100 192.168.0.1

ip route 192.168.43.0 255.255.255.0 GigabitEthernet2.43 192.168.43.1

ip ssh rsa keypair-name ssh-key

ip ssh version 2

ip access-list standard 1

10 permit 192.168.0.0 0.0.0.255

ip access-list standard 43

10 permit 192.168.43.0 0.0.0.255

ip access-list standard 44

10 permit 10.4.43.0 0.0.0.255

ip access-list extended 100

10 permit ip 192.168.0.0 0.0.0.255 any

20 permit tcp 192.168.0.0 0.0.0.255 eq domain any

30 permit udp 192.168.0.0 0.0.0.255 eq domain any

ip access-list extended 143

10 permit ip 192.168.43.0 0.0.0.255 any

20 permit tcp 192.168.43.0 0.0.0.255 eq domain any

30 permit udp 192.168.43.0 0.0.0.255 eq domain any

ip access-list extended 144

10 permit ip 10.4.43.0 0.0.0.255 any

20 permit tcp 10.4.43.0 0.0.0.255 eq domain any

30 permit udp 10.4.43.0 0.0.0.255 eq domain any

route-map track-primary-if permit 1

match ip address 197

set interface GigabitEthernet1

control-plane

line con 0

stopbits 1

line vty 0 4

transport input ssh

line vty 5 15

transport input ssh

ntp server us.pool.ntp.org

Re: CSR1000v DNS Issues

balaji.bandi — Thu, 16 Mar 2023 17:15:49 GMT

You should rely on Local DNS Server, Intern that local DNS Server should able to resolved both Local and FQDN.

Re: CSR1000v DNS Issues

joematrix77 — Thu, 16 Mar 2023 17:21:52 GMT

No problem I’m having is that I can’t get the traffic going

Re: CSR1000v DNS Issues

balaji.bandi — Thu, 16 Mar 2023 18:26:37 GMT

show us more what is I can’t get the traffic going

Re: CSR1000v DNS Issues

joematrix77 — Thu, 16 Mar 2023 19:02:52 GMT

Meaning is in a flat network if I have my domain controller on the inside network it can Traverse the outside and get DNS entries to be able to resolve quarries once I switched from an ASAv to the CRS that functionality just dropped

Re: CSR1000v DNS Issues

joematrix77 — Thu, 16 Mar 2023 19:29:33 GMT

Do you have any debug commands that you would like me to post? I'm just confused as to why this isn't working.

Re: CSR1000v DNS Issues

joematrix77 — Thu, 16 Mar 2023 19:33:32 GMT

192.168.0.83 is on one INSIDE LAN

10.4.43.83 is on one INSIDE LAN

192.168.1.1 is the outside router on the WAN network.

I can ping outside via ip addresses just not FQDN. I am assuming the inside DNS servers aren't receiving the port 53 request.

Re: CSR1000v DNS Issues

joematrix77 — Fri, 17 Mar 2023 10:27:02 GMT

I'm basically asking what is "nat (inside,outside) after-auto source dynamic any interface" equivalent command on this router? Am I missing something? Thank you for your help.

Re: CSR1000v DNS Issues

MHM Cisco World — Fri, 17 Mar 2023 22:35:47 GMT

ip domain lookup <<- this command need to make router run as DNS proxy

Re: CSR1000v DNS Issues

balaji.bandi — Fri, 17 Mar 2023 22:58:41 GMT

ASAv works with the same setup, and when you replace ASAv with CSR1K that not working.

When you replace with CSR1K, from DNS Server are you able to resolve the DNS ? (can you post the output ?) DNS Server what Root DNS Server is configured ?

When the Client use your DNS Server (local one)

can you post nslookup (local and FQDN resolution) what error you getting) ?

Re: CSR1000v DNS Issues

joematrix77 — Fri, 17 Mar 2023 23:38:03 GMT

I had that configured, my problem is I can ping public ip addresses but I can not open websites in a browser which I find really weird.

Re: CSR1000v DNS Issues

joematrix77 — Sat, 18 Mar 2023 00:12:11 GMT

DNS request timed out

Default Server Unknown

#do ping google.com
Pinging google.com (142.250.217.206) with 18 bytes of data:

PING: no reply from 142.250.217.206
PING: timeout
PING: no reply from 142.250.217.206
PING: timeout
PING: no reply from 142.250.217.206
PING: timeout
PING: no reply from 142.250.217.206
PING: timeout

Re: CSR1000v DNS Issues

balaji.bandi — Fri, 17 Mar 2023 23:46:37 GMT

I had that configured, my problem is I can ping public ip addresses but I can not open websites in a browser which I find really weird

That what your issue and we are dealing with - IP pings, but the Browsing side needs DNS Resolution, which is failing.

For that I have asked some information - if you can provide that information - we can do some testing to resolve it.

Let me paste again :

When you replace with CSR1K, from DNS Server are you able to resolve the DNS ? (can you post the output ?) DNS Server what Root DNS Server is configured ?

When the Client use your DNS Server (local one)

can you post nslookup (local and FQDN resolution) what error you getting) ?

DNS request timed out Default Server Unknown

This is not much use here, we are not sure what device is this getting message.

end devise post ipconfig /all Along with the information I have asked in the post.

Re: CSR1000v DNS Issues

tarmahmood1 — Tue, 28 Mar 2023 08:27:11 GMT

I am not sure if you can relate with your problem, but yesterday i had somehow similiar issue DNS was not resolving. So i removed the config from my interfaces for umbrella DNS, and it got resolved. I am suspecting software bug. Cisco IOS XE Software, Version 16.12.01a.

Before i had same, can ping IPs but not able to reach using FQDN.

interface GigabitEthernet2
no umbrella in Azure
!

interface Tunnel100
no umbrella in iWAN
!