10-15-2012 03:23 PM - edited 03-11-2019 05:09 PM
I have been trying to implement NAT on a Cisco 6500 today. It seems the issue I'm having is DNS related, as I can access websites via IP address. From inside the local network I can ping my DNS servers (66.28.0.45, 66.28.0.61) but web browsers time out. See the ip nat translations at the bottom of the post.
Any help would be greatly appreciated!
Thanks,
David
Important parts of my config are:
MonroeCH_6513#show run
Building configuration...
Current configuration : 29007 bytes
!
! Last configuration change at 18:01:22 EDT Mon Oct 15 2012 by monroe
! NVRAM config last updated at 18:01:23 EDT Mon Oct 15 2012 by monroe
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 5
service unsupported-transceiver
!
hostname MonroeCH_6513
!
boot system flash sup-bootdisk:s72033-ipservicesk9_wan-mz.122-18.SXF17a.bin
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-18.SXF17a.bin
no logging on
enable password 7 045604081D2E49
!
username monroe password 7 051A340E2C1D175153
username broadriver password 7 10430617171817
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
ip subnet-zero
!
ip dhcp excluded-address 10.10.10.0 10.10.10.5
!
ip dhcp pool CoM_Wireless
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 66.28.0.61 66.28.0.45 8.8.8.8
 domain-name Monroe_Wireless
!
ip ssh version 2
ip domain-name monroe.gov
ip name-server 66.28.0.45
ip name-server 66.28.0.61
ip name-server 209.55.5.10
ip name-server 209.55.5.11
ipv6 mfib hardware-switching replication-mode ingress
vtp domain NULL
vtp mode transparent
mls ip multicast flow-stat-timer 9
mls flow ip interface-destination-source
no mls flow ipv6
mls qos
no mls acl tcam share-global
mls cef error action reset
!
!
!
!
!
!
!
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 2,10,601,801,850 priority 24576
spanning-tree vlan 3000-3005 priority 4096
!
interface Vlan1
 no ip address
 no ip redirects
 ip flow ingress
 shutdown
!
interface Vlan100
 description Monroe 6513 - WAN
 ip address 108.59.208.2 255.255.255.248
 no ip redirects
 ip nat outside
!
interface Vlan500
 description CoM_Wireless
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
no ip nat service skinny tcp port 2000
no ip nat service H225
ip nat inside source list 3 interface Vlan100 overload
ip classless
ip route 0.0.0.0 0.0.0.0 108.59.208.1
!
no ip http server
!
access-list 3 permit 10.10.10.0 0.0.0.255
!
bridge 1 protocol vlan-bridge
bridge 100 protocol vlan-bridge
bridge 100 route ip
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
 access-class 15 in
 password 7 13142513065D5D7261
 login local
 transport input ssh
line vty 5 15
 login
 transport input none
!
!
ntp clock-period 17180182
ntp server 216.24.173.112
no cns aaa enable
end
MonroeCH_6513#
Show ip nat translations reveals the following:
MonroeCH_6513#show ip nat translations
Pro Inside global       Inside local        Outside local       Outside global
udp 108.59.208.2:4505   10.10.10.53:59235   66.28.0.45:53       66.28.0.45:53
udp 108.59.208.2:4501   10.10.10.53:55220   66.28.0.61:53       66.28.0.61:53
udp 108.59.208.2:4502   10.10.10.53:64921   66.28.0.61:53       66.28.0.61:53
udp 108.59.208.2:4503   10.10.10.53:56577   66.28.0.61:53       66.28.0.61:53
udp 108.59.208.2:4504   10.10.10.53:56826   66.28.0.61:53       66.28.0.61:53
udp 108.59.208.2:4506   10.10.10.53:51015   66.28.0.61:53       66.28.0.61:53
tcp 108.59.208.2:443    10.10.10.53:51586   193.182.8.48:4070   193.182.8.48:4070
The TCP flow is Spotify streaming music and is working fine.
10-15-2012 10:48 PM
Hello David,
Are you getting name resolution in nslookup from the PC? I hope you are not using any proxy setup in your browser.
Regards,
Harish