CSR1000v DNS Issues

joematrix77 · ‎03-16-2023

I'm having issues with my networks not being able to resolve websites. I'm trying to configure DNS servers on internal segments without putting them on the public network. So basically, port forwarding ideally, I would like to have one DNS server in the DMZ resolving and one internally able to resolve URLs. I can ping outside but can't resolve website urls. 192.168.1.1 is my ISP network gateway. I'm basically asking what is "nat (inside,outside) after-auto source dynamic any interface" equivalent command on this router? Am I missing something?

Here's my current config:

ip name-server 192.168.1.1#ISP 192.168.0.83#INSIDE 10.4.43.83#DMZ

ip domain name xyz.com

!

interface GigabitEthernet1

ip address 192.168.1.3 255.255.255.0

ip nat outside

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

no ip address

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2.43

encapsulation dot1Q 443

ip address 192.168.43.2 255.255.255.0

ip nat inside

standby 1 ip 192.168.43.1

cdp enable

!

interface GigabitEthernet2.100

encapsulation dot1Q 100

ip address 192.168.0.2 255.255.255.0

ip nat inside

standby 1 ip 192.168.0.1

cdp enable

!

interface GigabitEthernet3

ip address 10.1.200.1 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

router bgp 443

bgp router-id 192.168.43.1

bgp log-neighbor-changes

redistribute connected

neighbor 192.168.43.5 remote-as 443

neighbor 192.168.43.6 remote-as 443

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source route-map track-primary-if interface GigabitEthernet1 overload

ip nat inside source list 1 interface GigabitEthernet2.100 overload

ip nat inside source list 43 interface GigabitEthernet2.43 overload

ip nat inside source list 100 interface GigabitEthernet2.100 overload

ip nat inside source list 143 interface GigabitEthernet2.43 overload

ip nat inside source list 144 interface GigabitEthernet2.43 overload

ip default-network 192.168.1.1

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1

ip route 10.4.43.0 255.255.255.0 GigabitEthernet2.43 192.168.43.4

ip route 192.168.0.0 255.255.255.0 GigabitEthernet2.100 192.168.0.1

ip route 192.168.43.0 255.255.255.0 GigabitEthernet2.43 192.168.43.1

ip ssh rsa keypair-name ssh-key

ip ssh version 2

!

ip access-list standard 1

10 permit 192.168.0.0 0.0.0.255

ip access-list standard 43

10 permit 192.168.43.0 0.0.0.255

ip access-list standard 44

10 permit 10.4.43.0 0.0.0.255

ip access-list extended 100

10 permit ip 192.168.0.0 0.0.0.255 any

20 permit tcp 192.168.0.0 0.0.0.255 eq domain any

30 permit udp 192.168.0.0 0.0.0.255 eq domain any

ip access-list extended 143

10 permit ip 192.168.43.0 0.0.0.255 any

20 permit tcp 192.168.43.0 0.0.0.255 eq domain any

30 permit udp 192.168.43.0 0.0.0.255 eq domain any

ip access-list extended 144

10 permit ip 10.4.43.0 0.0.0.255 any

20 permit tcp 10.4.43.0 0.0.0.255 eq domain any

30 permit udp 10.4.43.0 0.0.0.255 eq domain any

!

route-map track-primary-if permit 1

match ip address 197

set interface GigabitEthernet1

!

control-plane

!

line con 0

stopbits 1

line vty 0 4

login local

transport input ssh

line vty 5 15

login local

transport input ssh

!

ntp server us.pool.ntp.org

balaji.bandi · ‎03-16-2023

You should rely on Local DNS Server, Intern that local DNS Server should able to resolved both Local and FQDN.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

joematrix77 · ‎03-16-2023

No problem I’m having is that I can’t get the traffic going

balaji.bandi · ‎03-16-2023

show us more what is I can’t get the traffic going

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

joematrix77 · ‎03-16-2023

Meaning is in a flat network if I have my domain controller on the inside network it can Traverse the outside and get DNS entries to be able to resolve quarries once I switched from an ASAv to the CRS that functionality just dropped

balaji.bandi · ‎03-17-2023

Meaning is in a flat network if I have my domain controller on the inside network it can Traverse the outside and get DNS entries to be able to resolve quarries once I switched from an ASAv to the CRS that functionality just dropped

ASAv works with the same setup, and when you replace ASAv with CSR1K that not working.

When you replace with CSR1K, from DNS Server are you able to resolve the DNS ? (can you post the output ?) DNS Server what Root DNS Server is configured ?

When the Client use your DNS Server (local one)

can you post nslookup (local and FQDN resolution) what error you getting) ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

joematrix77 · ‎03-17-2023

DNS request timed out

Default Server Unknown

#do ping google.com
Pinging google.com (142.250.217.206) with 18 bytes of data:

PING: no reply from 142.250.217.206
PING: timeout
PING: no reply from 142.250.217.206
PING: timeout
PING: no reply from 142.250.217.206
PING: timeout
PING: no reply from 142.250.217.206
PING: timeout

balaji.bandi · ‎03-17-2023

I had that configured, my problem is I can ping public ip addresses but I can not open websites in a browser which I find really weird

That what your issue and we are dealing with - IP pings, but the Browsing side needs DNS Resolution, which is failing.

For that I have asked some information - if you can provide that information - we can do some testing to resolve it.

Let me paste again :

When you replace with CSR1K, from DNS Server are you able to resolve the DNS ? (can you post the output ?) DNS Server what Root DNS Server is configured ?

When the Client use your DNS Server (local one)

can you post nslookup (local and FQDN resolution) what error you getting) ?

DNS request timed out

Default Server Unknown

This is not much use here, we are not sure what device is this getting message.

end devise post ipconfig /all Along with the information I have asked in the post.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

joematrix77 · ‎03-16-2023

Do you have any debug commands that you would like me to post? I'm just confused as to why this isn't working.

joematrix77 · ‎03-16-2023

192.168.0.83 is on one INSIDE LAN

10.4.43.83 is on one INSIDE LAN

192.168.1.1 is the outside router on the WAN network.

I can ping outside via ip addresses just not FQDN. I am assuming the inside DNS servers aren't receiving the port 53 request.

joematrix77 · ‎03-17-2023

I'm basically asking what is "nat (inside,outside) after-auto source dynamic any interface" equivalent command on this router? Am I missing something? Thank you for your help.

MHM Cisco World · ‎03-17-2023

ip domain lookup <<- this command need to make router run as DNS proxy

joematrix77 · ‎03-17-2023

I had that configured, my problem is I can ping public ip addresses but I can not open websites in a browser which I find really weird.

tarmahmood1 · ‎03-28-2023

I am not sure if you can relate with your problem, but yesterday i had somehow similiar issue DNS was not resolving. So i removed the config from my interfaces for umbrella DNS, and it got resolved. I am suspecting software bug. Cisco IOS XE Software, Version 16.12.01a.

Before i had same, can ping IPs but not able to reach using FQDN.

interface GigabitEthernet2
no umbrella in Azure
!

interface Tunnel100
no umbrella in iWAN
!