01-16-2012 07:00 AM - edited 03-04-2019 02:55 PM
I've been trying to crack this one for a while but I can't see the wood for the trees. This router feeds a Sonicwall security device at 192.168.0.180 on the inside and performs ADSL2+ on the outside. I can do domain lookups on the internal LAN (the other side of the Sonicwall) but I can't do DNS lookups directly from the router. I guess it's not a biggie but annoying just the same. Any ideas please?
Current config below, mostly generated by SDM:
Using 11689 out of 131072 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cordy
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200 warnings
logging console critical
no logging monitor
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone Napier 12
clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-1036798690
 certificate self-signed 01 nvram:IOS-Self-Sig#4.cer
dot11 syslog
dot11 activity-timeout client default 1800
dot11 activity-timeout repeater default 28800
dot11 activity-timeout workgroup-bridge default 28800
dot11 activity-timeout bridge default 28800
!
dot11 ssid XXXXXXXXXXXX
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 information-element ssidl advertisement
!
dot11 arp-cache
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.140 192.168.0.254
!
ip dhcp pool pool1
 import all
 network 192.168.0.0 255.255.255.0
 domain-name home
 default-router 192.168.0.254
 netbios-name-server 192.168.0.180
 dns-server 202.180.64.10 202.180.64.11
!
!
ip cef
no ip bootp server
ip domain list home
ip domain name home
ip name-server 202.180.64.11
ip name-server 202.180.64.10
ip port-map user-vuze-tcp port tcp 56881 list 1 description Vuze on willow (tcp)
ip port-map user-vuze-udp port tcp 56881 list 2 description Vuze on willow (udp)
ip ips notify SDEE
ip ips name sdm_ips_rule_101 list 101
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM user-vuze-udp
ip inspect name SDM_MEDIUM user-vuze-tcp
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM ntp
ip inspect name sdm_ins_in_100 appfw SDM_MEDIUM
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap reset
ip inspect name sdm_ins_in_100 pop3 reset
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 esmtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 user-vuze-udp
ip inspect name sdm_ins_in_100 user-vuze-tcp
ip inspect name sdm_ins_in_100 tftp
no ipv6 cef
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
multilink bundle-name authenticated
!
parameter-map type inspect global
!
!
username steve privilege 15 view root password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
username root privilege 15 view root password 7 XXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/100
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid XXXXXXXXXXXX
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 rts threshold 2312
 rts retries 32
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips sdm_ips_rule_101 in
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username blah@blah.co.nz password 7 XXXXXXXXXXXXXX
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip flow ingress
 ip nat inside
 ip inspect sdm_ins_in_100 in
 ip virtual-reassembly
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.0.180
ip route 192.168.2.0 255.255.255.0 192.168.0.180
ip route 192.168.3.0 255.255.255.0 192.168.0.180
ip route 192.168.15.0 255.255.255.0 192.168.0.180
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip flow-export source FastEthernet0
ip flow-export version 9
ip flow-export template timeout-rate 1
ip flow-export destination 192.168.0.180 2055
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.180 56881 interface Dialer0 56881
ip nat inside source static udp 192.168.0.180 56881 interface Dialer0 56881
ip nat inside source static 192.168.0.180 interface Dialer0
ip ospf name-lookup
!
logging trap warnings
logging facility user
logging 192.168.0.180
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.0.180
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.180
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.15.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 202.180.64.11 eq domain any
access-list 101 permit udp host 202.180.64.10 eq domain any
access-list 101 remark Vuze willow
access-list 101 permit tcp any any eq 56881 log
access-list 101 remark Vuze willow
access-list 101 permit udp any any eq 56881 log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
snmp-server community public RO
snmp-server community XXXXXXXXXX RW
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CYou require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now.
If you fail to disconnect you may be prosecuted under the Crimes Amendment Act 2003 section 252 under New Zealand law. ^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 1 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport preferred ssh
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
01-16-2012 08:24 AM
Hi,
You're doing CBAC, and by default CBAC doesn't inspect traffic generated by the router.
Can you try this:
ip inspect name SDM_MEDIUM udp router-traffic
and add the following in global config: ip inspect log drop-pkt
Regards.
Alain
01-17-2012 12:40 AM
Hi Alain,
Thanks for that, but I just tried your suggestions and still no luck I'm afraid.
cordy#ping www.google.com
Translating "www.google.com"...domain server (202.180.64.11) (202.180.64.10)
% Unrecognized host or address, or protocol not running.
cordy#
These name server addresses are correct and work from the LAN but I can't even ping them from the router.
Kind regards,
Steve
01-17-2012 08:27 AM
Hi,
So you didn't see any log? How are you connected to the router?
Can you do a packet capture on the router either using RITE or EPC while you do your dns lookup and post it here.
Here are the links for these 2 technologies:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
You could also try a debug ip inspect event and a debug ip packet detail 199, where 199 is an ACL only permitting DNS queries and replies.
Regards.
Alain
01-17-2012 11:27 AM
Hi Alain,
While I come to grips with the two techniques you have suggested, I managed to get syslog working OK, so I set debug ip udp and did a ping www.google.com with these results:
Jan 18 08:03:34 cordy 625: 001362: *Oct 20 15:01:49.476 Napier: UDP: Random local port generated 62866, network 1
Jan 18 08:03:34 cordy 626: 001363: *Oct 20 15:01:49.476 Napier: Reserved port 62866 in Transport Port Agent for UDP IP type 1
Jan 18 08:03:34 cordy 627: 001364: *Oct 20 15:01:49.480 Napier: UDP: sent src=119.224.111.124(62866), dst=202.180.64.11(53), length=40
Jan 18 08:03:36 cordy 628: 001365: *Oct 20 15:01:51.413 Napier: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.152.112.32(123) -> 119.224.111.124(44447), 1 packet
Which looks like it sends the DNS request but denies the reply back from the DNS server. There are rules in list 101 that seem to permit the target DNS servers:
access-list 101 permit udp host 202.180.64.11 eq domain any
access-list 101 permit udp host 202.180.64.10 eq domain any
but the reply is coming back from a completely different server??? Maybe I should just change those access-list 101 entries to any eq domain any. I'll give that a go now.
Kind regards,
Steve
01-17-2012 02:06 PM
Hi,
denied udp 203.152.112.32(123): this is NTP, not DNS.
I also tried a name lookup with this dns server: 202.180.64.11 and it timed out so I think the problem is with this server, I'll capture the packet or do a dig to further investigate.
Regards.
Alain
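The ACL walk Steve did by hand above, and Alain's correction, as an added example that is not part of the thread: it parses the %SEC-6-IPACCESSLOGP line and runs it through the relevant access-list 101 entries first-match style, which shows the denied packet is an NTP reply (source port 123) that neither DNS permit can match, while a reply from 202.180.64.11 port 53 would be permitted. The ACL subset, the log line and the PORT_NAMES table are constructed from the posted config; the permit/deny logic is a minimal model of IOS extended ACLs, not IOS code.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the access-list 101 entries from the posted config that govern UDP replies to the router.
ACL_101 = """
access-list 101 permit udp host 202.180.64.11 eq domain any
access-list 101 permit udp host 202.180.64.10 eq domain any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any any log
"""
# Constructed from the syslog line Steve posted (timestamp prefix dropped).
LOG_LINE = "%SEC-6-IPACCESSLOGP: list 101 denied udp 203.152.112.32(123) -> 119.224.111.124(44447), 1 packet"
PORT_NAMES = {"domain": 53, "ntp": 123}  # the IOS port keywords this model needs

def parse_log(line):
    # proto, src(port) -> dst(port) as written by %SEC-6-IPACCESSLOGP
    m = re.search(r"list \d+ \w+ (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)", line)
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def _addr(t):
    # one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'
    if t[0] == "any":
        return ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ip_network(t[1] + "/32"), t[2:]
    return ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _port(t):
    # optional 'eq <number|keyword>' qualifier; None means any port
    if t and t[0] == "eq":
        return (int(t[1]) if t[1].isdigit() else PORT_NAMES[t[1]]), t[2:]
    return None, t

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()  # access-list <n> <action> <proto> <src> [eq p] <dst> [eq p] [log]
        src, rest = _addr(tok[4:]); sport, rest = _port(rest)
        dst, rest = _addr(rest); dport, rest = _port(rest)
        aces.append((tok[2], tok[3], src, sport, dst, dport, line))
    return aces

def first_match(aces, pkt):
    # IOS ACLs are first-match; a packet matching nothing hits the implicit deny
    for action, proto, src, sport, dst, dport, text in aces:
        if (proto in ("ip", pkt["proto"]) and ip_address(pkt["src"]) in src
                and ip_address(pkt["dst"]) in dst and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"])):
            return action, text
    return "deny", "implicit deny"
```

Feeding the posted log line through gives the final "deny ip any any log" entry, exactly the line the router logged; with the ACL as written a genuine DNS reply from either name server would pass, so the logged drop is unrelated to the lookup failure.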
01-18-2012 06:27 AM
Hi Alain,
Duh! silly me.
I do know that these two name servers work fine and I guess my ISP may be filtering them from access by anyone outside their address space. Anyway, I gave up, rethought my approach and dug out a previous config which I know was working but for a simpler setup, and hand crafted some changes to that. Once loaded, it all works fine now. The one I was trying to make work was heavily configured by SDM and this seems to have prevented traffic to/from the internal router itself while still allowing LAN to WAN to work. I've done a diff on the two configs but there are so many changes it's hard to see the wood for the trees, as the original one was basically hand made.
Thanks for your help with this and I'm sorry we could not find the original problem, but I'll spend more time on it when I get that precious commodity.
Kind regards,
Steve