03-13-2018 10:25 AM - edited 03-01-2019 06:27 PM
Hi all,
I have an issue with a Cisco ISR 4331. It has been configured to work as a DNS for some small network with other network devices (Nexus, Catalyst and others), but the name resolution is not working properly. When I use the resolution from the Nexus devices, it works fine, but from the Catalyst it does not work.
My DNS configuration in the 4331 is this:
ip host TEST1 10.10.10.1
ip host TEST2 10.10.10.2
ip host TEST ns NS1.TEST
ip host TEST ns ns.TEST
ip host ns.TEST 1.1.1.1 <- Router IP
ip domain name TEST
ip dns server
ip dns primary TEST soa ns.TEST admin@TEST 86400 3600 1209600 86400
The Nexus has this line:
ip domain-name TEST
ip name-server 1.1.1.1
And the Catalyst this one:
ip domain-name TEST
ip name-server 1.1.1.1
From the Nexus I got:
NEXUS# ping TEST1
PING APIC-1 (10.10.10.1): 56 data bytes
64 bytes from 172.28.36.1: icmp_seq=0 ttl=63 time=1.49 ms
64 bytes from 172.28.36.1: icmp_seq=1 ttl=63 time=0.569 ms
But from the catalyst the output is:
CATALYST#ping TEST1
Translating "TEST1"...domain server (1.1.1.1)
% Unrecognized host or address, or protocol not running.
Is there something I am doing wrong with this configuration? Does anyone have an ISR working OK as DNS? Any help will be appreciated.
03-02-2022 12:06 AM
Hi,
Did you ever find a solution to this problem? I also have the same issue. Thanks.
03-02-2022 12:53 AM
Hello,
Are you running into this on a Catalyst switch, a Nexus, or an ISR router?
03-02-2022 01:28 AM
Hi Georg,
Thank you for your quick reply.
I discovered that my NAT was not configured properly in that I had "ip nat outside" configured on the wrong interface. After adding "ip nat outside" to interface GigabitEthernet0/0/0 in the config it started working. I do not understand why this is the case because I thought the correct outside interface is the Dialer1. Please see config below.
In addition, I now have the problem whereby when I ping a domain that is pointing to my public IP address, the ping returns the internal IP address of the router on the inside interface (being 10.0.0.1) instead of the external IP. When pinging sip.aus.co it should be returning ipv4: 203.194.xx.xxx.
I use the domain sip.aus.co for my ITSP to locate my equipment.
eg:
[From Router]
ISR4331#ping sip.aus.co
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
[From PC returns IP address of PC]
C:\Users\CO>ping sip.aus.co
Pinging sip.aus.co [10.0.0.110] with 32 bytes of data:
Reply from 10.0.0.110: bytes=32 time<1ms TTL=128
Reply from 10.0.0.110: bytes=32 time<1ms TTL=128
Reply from 10.0.0.110: bytes=32 time<1ms TTL=128
Reply from 10.0.0.110: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.110:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
=============CONFIG============
!
ip name-server 8.8.8.8
ip domain lookup source-interface GigabitEthernet0/0/1
ip domain name isr4331.local
ip dhcp excluded-address 10.0.0.1 10.0.0.99
!
ip dhcp pool data
import all
network 10.0.0.0 255.255.255.0
dns-server 8.8.8.8 1.1.1.1
default-router 10.0.0.1
option 150 ip 10.0.0.1
domain-name isr4331.local
===//====
interface GigabitEthernet0/0/0
description Arris CM8200 NBN
no ip address
ip nat outside ! <--- I added this here
media-type rj45
negotiation auto
no mop enabled
!
interface GigabitEthernet0/0/0.2
description WAN Connection VLAN 2 TPG
encapsulation dot1Q 2
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
negotiation auto
no mop enabled
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username xxxxxxxx password 0 xxxxxxxx
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http client username cisco
ip http client password 0 cisco
ip http path flash:
ip tftp source-interface GigabitEthernet0/0/1
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip ssh version 2
!
access-list 1 permit any
03-02-2022 02:08 AM
Hello,
Odd indeed, as the dialer interface is the outside, so 'ip nat outside' applied to that interface should be enough, in theory.
In any case, change the access list 1 from:
access-list 1 permit any
to
access-list 1 permit 10.0.0.0 0.0.0.255
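Added example, not part of the thread: a small Python check over the relevant lines of the config posted above. It shows that ACL 1 is referenced both by the NAT overload rule and by `ip http access-class 1`, so the `permit any` entry governs both the NAT source match and who may reach the router's HTTP server. The sample config is constructed from the posted lines, and the function and variable names are hypothetical.

```python
import re

# Constructed sample: only the lines of the posted config that matter here.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 no ip address
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
ip http server
ip http access-class 1
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit any
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
# Places where a numbered standard ACL is referenced, in the forms used on this page.
USE_RES = {
    "nat-source": re.compile(r"^ip nat inside source list (\d+) "),
    "http-access": re.compile(r"^ip http access-class (\d+)$"),
}

def audit(config):
    """Return (acl, users, entry) for each 'permit any' entry of an ACL that is in use."""
    entries, users = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        for role, rx in USE_RES.items():
            u = rx.match(line)
            if u:
                users.setdefault(u.group(1), []).append(role)
    findings = []
    for acl, rules in entries.items():
        for action, source in rules:
            if action == "permit" and source == "any" and acl in users:
                findings.append((acl, sorted(users[acl]), f"{action} {source}"))
    return findings

if __name__ == "__main__":
    for acl, roles, entry in audit(SAMPLE_CONFIG):
        print(f"access-list {acl} '{entry}' is used by: {', '.join(roles)}")
```

With the entry changed to `access-list 1 permit 10.0.0.0 0.0.0.255`, as suggested in the reply, the check returns no findings.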