1549 Views | 0 Helpful | 3 Replies

IOS XE Cisco 4431 NAT Config DNS Issues

Hi All,

I found out that IOS XE does not support IP DNS Server and therefore you are required to have a DNS server separately. My question is: if I push all clients to a public DNS server such as Google, why does it not work?

I can ping out and do NSLOOKUPs but nothing resolves in the browser. I have added an inbound rule to the WAN ACL to allow UDP/TCP 53 from 8.8.4.4 and it does not work. I've spent ages and the only thing that does work is IP ANY ANY and obviously I am not leaving that rule there. Is it a bug?

Thanks

Ben

3 Replies

Collin Clark
VIP Alumni

Ben-

Can you post your config? Do you have CBAC or Zone Based firewall configured? NAT?

Hi Collin,

Sorry for the delay, I have left the "IP any any" under WAN ACL 102.

I did try CBAC at the 11th hour but it was spewing up unrecognised remarks and I didn't have time to go through it.

Please see config below for reference; I have put in Google DNS.

Just to be clear: no DNS resolves from DHCP clients if I remove the IP any any from WAN ACL 102. The router can resolve locally, i.e. over serial.

Many Thanks

Ben

Bespoke#sh run
Building configuration...

Current configuration : 12805 bytes
!
! Last configuration change at 18:24:43 GMT Sun Mar 15 2015 by admin
! NVRAM config last updated at 18:24:45 GMT Sun Mar 15 2015 by admin
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname Bespoke
!
boot-start-marker
boot system flash bootflash:isr4400-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 16386 informational
logging rate-limit 100 except warnings
no logging console
!
aaa new-model
!
!
aaa authentication fail-message ^CCCC Login failed.
This could be because your RADIUS credentials are incorrect, or the RADIUS servers are unreachable. If servers are unreachable, use a local username and password.^C
aaa authentication login default group radius local enable
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
no ip source-route
ip options drop
!
!
!
!
!
no ip bootp server
ip domain name x.net
ip name-server x.x.x.x
ip name-server x.x.x.x

ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.15
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.1.0.1
ip dhcp excluded-address 172.1.1.1
ip dhcp excluded-address 172.1.2.1
ip dhcp excluded-address 172.1.3.1
!
ip dhcp pool ManagementVLAN100
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.4.4
!
ip dhcp pool VLAN200
 network 10.10.8.0 255.255.252.0
 default-router 10.10.10.1
 dns-server 8.8.4.4
 lease 0 1
!
ip dhcp pool VLAN300
 network 172.1.0.0 255.255.255.0
 default-router 172.1.0.1
 dns-server 8.8.4.4
!
ip dhcp pool VLAN400
 network 172.1.1.0 255.255.255.0
 default-router 172.1.1.1
 dns-server 8.8.4.4
!
ip dhcp pool VLAN500
 network 172.1.2.0 255.255.255.0
 default-router 172.1.2.1
 dns-server 8.8.4.4
!
ip dhcp pool VLAN600
 network 172.1.3.0 255.255.255.0
 default-router 172.1.3.1
 dns-server 8.8.4.4
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
 mode none
!
!
!
!
!
no cdp run
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-all 140mbpsratelimit
 match access-group 103
!
policy-map 140mbpsratelimit
 class 140mbpsratelimit
  police cir 146800500 bc 27525120 be 55050240
   conform-action transmit
   exceed-action drop
   violate-action drop
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.602
 description PRIMARYWAN200MBPS
 encapsulation dot1Q 602
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast source reachable-via rx allow-default
 ip access-group 102 in
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.100
 description ManagementVLAN100
 encapsulation dot1Q 100
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.200
 encapsulation dot1Q 200
 ip address 10.10.10.1 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 service-policy input 140mbpsratelimit
 service-policy output 140mbpsratelimit
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.300
 encapsulation dot1Q 300
 ip address 172.1.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.400
 encapsulation dot1Q 400
 ip address 172.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.500
 encapsulation dot1Q 500
 ip address 172.1.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.600
 encapsulation dot1Q 600
 ip address 172.1.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/2.603
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0.602 overload
ip nat inside source static tcp 192.168.1.15 443 x.x.x.x 443 extendable
no ip forward-protocol nd
no ip forward-protocol udp
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.0.0 255.255.255.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 198.18.0.0 255.254.0.0 Null0
ip route 198.51.100.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.0 Null0
!
!
ip radius source-interface GigabitEthernet0/0/0.602
access-list 1 remark NAT-LAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.10.8.0 0.0.3.255
access-list 1 permit 172.1.0.0 0.0.0.255
access-list 1 permit 172.1.1.0 0.0.0.255
access-list 1 permit 172.1.2.0 0.0.0.255
access-list 1 permit 172.1.3.0 0.0.0.255
access-list 50 remark SNMP_ACCESS
access-list 50 permit x.x.x.x 0.0.0.31
access-list 50 permit x.x.x.x 0.0.0.31
access-list 51 remark NTP_ACCESS
access-list 51 permit x.x.x.x
access-list 51 permit x.x.x.x
access-list 51 deny   any
access-list 51 remark NTP_ACCESS
access-list 102 remark WAN_INGRESSPrimary
access-list 102 permit ip any any
access-list 102 permit tcp any host x.x.x.x eq 443
access-list 102 permit udp host 8.8.4.4 eq domain host x.x.x.x
access-list 102 permit udp host 8.8.8.8 eq domain host x.x.x.x
access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   icmp any any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip any any
access-list 103 remark 140mbpsratelimit
access-list 103 permit udp any any
access-list 103 permit tcp any any
access-list 150 remark VTY_ACCESS
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
access-list 150 deny   ip any any
!
snmp-server community x.x.x.x RO 50
!
!
!
radius server RadiusPR
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 timeout 3
!
radius server RadiusTC
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 timeout 3

!
!
control-plane
!
line con 0
 logging synchronous
 transport output none
 stopbits 1
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
 stopbits 1
line vty 0 4
 access-class 150 in
 logging synchronous
 transport input telnet ssh
 transport output none
line vty 5 15
 access-class 150 in
 logging synchronous
 transport input telnet ssh
!
ntp access-group peer 51
ntp server x.x.x.x
ntp server x.x.x.x
!
end

Any ideas guys?

Thanks

B
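To see what the posted WAN ACL actually does to the clients' return traffic, the following added example (not Cisco code and not part of the original post) walks a trimmed copy of access-list 102 the way IOS does: top down, first match wins, implicit deny at the end. The masked WAN address x.x.x.x is replaced with the documentation placeholder 203.0.113.10, the web server 198.51.100.7 and the client source ports are constructed, and only the entries relevant to DNS, ICMP and web traffic are kept. IOS checks the inbound ACL on Gi0/0/0.602 before the outside-to-inside NAT translation, so the ACL sees the public address as the destination, which is how the flows below are modelled.

```python
"""Stateless walk-through of WAN_INGRESS ACL 102 over a few return flows.

Constructed example: models IOS extended-ACL evaluation (first match wins,
implicit deny) so the reader can see which replies get back through
Gi0/0/0.602 with and without the "permit ip any any" line.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_IP = "203.0.113.10"   # placeholder for the masked x.x.x.x on Gi0/0/0.602

# Subset of ACL 102 as posted, x.x.x.x substituted. The first line is the
# "permit ip any any" entry that cannot stay in production.
ACL_102_TEXT = """
access-list 102 permit ip any any
access-list 102 permit tcp any host x.x.x.x eq 443
access-list 102 permit udp host 8.8.4.4 eq domain host x.x.x.x
access-list 102 permit udp host 8.8.8.8 eq domain host x.x.x.x
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   icmp any any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip any any
""".replace("x.x.x.x", WAN_IP)

PORT_NAMES = {"domain": 53, "ntp": 123, "snmp": 161, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0            # 0 = not applicable (icmp)
    dport: int = 0
    icmp_type: str = ""       # e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" / "deny"
    proto: str                # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def _take_addr(t, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Wildcard mask: 0 bits must match; invert it to get a netmask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1]))
    net = ipaddress.ip_network((t[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def _take_port(t, i):
    """Consume an optional 'eq PORT' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    t = line.split()
    if t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return Ace(action, proto, src, dst, sport, dport, icmp_type)


def load_acl(with_any_any: bool):
    lines = ACL_102_TEXT.strip().splitlines()
    if not with_any_any:
        lines = [l for l in lines if not l.endswith("permit ip any any")]
    return [a for a in map(parse_ace, lines) if a is not None]


def evaluate(acl, pkt: Packet) -> Tuple[str, str]:
    """First matching entry decides; nothing matching means implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, f"{ace.action} {ace.proto} {ace.src} -> {ace.dst}"
    return "deny", "implicit deny"


# Constructed return flows as seen inbound on Gi0/0/0.602, destination still
# the public address because the ACL runs before outside-to-inside NAT.
RETURN_FLOWS = {
    "dns reply from 8.8.4.4": Packet("udp", "8.8.4.4", WAN_IP, 53, 51234),
    "ping reply":             Packet("icmp", "8.8.4.4", WAN_IP, icmp_type="echo-reply"),
    "https reply":            Packet("tcp", "198.51.100.7", WAN_IP, 443, 52000),
    "http reply":             Packet("tcp", "198.51.100.7", WAN_IP, 80, 52001),
}


def classify(with_any_any: bool):
    acl = load_acl(with_any_any)
    return {name: evaluate(acl, pkt)[0] for name, pkt in RETURN_FLOWS.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- permit ip any any present: {mode}")
        for name, verdict in classify(mode).items():
            print(f"{name:24s} {verdict}")
```

Without the any-any line the DNS reply and the echo-reply each hit an explicit permit, which matches the symptom that nslookup and ping work, while the TCP replies for the browser's HTTP/HTTPS sessions match nothing before the final deny (the `eq 443` entry is for the static NAT to 192.168.1.15 and checks the destination port, not the source). An interface ACL is stateless and keeps no record of the outbound session; that is why Collin's question about CBAC or a zone-based firewall matters, since stateful inspection is what opens the return path for client-initiated sessions.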