Can't resolve names via ping/traceroute even with domain lookup enabled

Jim Mueller
Level 1

We are trying to enable domain lookups for ping & traceroute from our remote routers. A mildly scrubbed version of our running config is below.

- Added 'ip domain lookup source-interface FastEthernet8', neither ping nor traceroute resolves IPs

- Added 'ip domain-server 4.2.2.2', no change

- Changed it to 'ip domain lookup source-interface VL1', no change

- Added 'ip host GTEDNS 4.2.2.2' and then I was able to 'ping GTEDNS' successfully

- Added permits for UDP/TCP to/from any/any eq DNS to internet-in-v2 ACL, removed and reapplied the deny, no change

- Removed the deny from the internet-in-v2 ACL, no change

What are we missing?

---snip---

!
version 15.0
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
!
hostname fl2020-vpn001
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging console critical
!
no aaa new-model
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
!
ip source-route
!
!
!
!
ip cef
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name ourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn **********
!
!
vtp mode transparent
!
!
!
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key ***** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 600
!
!
crypto ipsec transform-set esp-3des-sha-trans esp-3des esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set esp-3des-sha-trans
 set pfs group5
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
!
interface Tunnel1
 bandwidth 1536
 ip address 172.18.1.83 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *****
 ip nhrp map multicast a.b.217.11
 ip nhrp map 172.18.0.1 a.b.217.11
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.0.1
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 qos pre-classify
 tunnel source FastEthernet8
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
!
interface Tunnel2
 bandwidth 768
 ip address 172.18.5.83 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *****
 ip nhrp map 172.18.4.1 c.d.158.52
 ip nhrp map multicast c.d.158.52
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.4.1
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 qos pre-classify
 tunnel source FastEthernet8
 tunnel mode gre multipoint
 tunnel key 2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
!
interface FastEthernet0
 no cdp enable
!
!
interface FastEthernet1
 no cdp enable
!
!
interface FastEthernet2
 no cdp enable
!
!
interface FastEthernet3
 no cdp enable
!
!
interface FastEthernet4
 no cdp enable
!
!
interface FastEthernet5
 no cdp enable
!
!
interface FastEthernet6
 no cdp enable
!
!
interface FastEthernet7
 no cdp enable
!
!
interface FastEthernet8
 description Comcast
 bandwidth 8192
 ip address e.f.154.5 255.255.255.252
 ip access-group internet-in-v2 in
 ip nbar protocol-discovery
 ip flow ingress
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
!
interface Vlan1
 description Inside Private Network
 ip address 10.20.20.1 255.255.255.192
 ip helper-address 192.168.0.12
 no ip redirects
 ip nbar protocol-discovery
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip policy route-map df-bit-clear
!
!
interface Async1
 no ip address
 encapsulation slip
 async mode interactive
!
!
!
router eigrp 111
 network 10.20.20.0 0.0.0.63
 network 172.18.0.0
 passive-interface default
 no passive-interface Tunnel2
 no passive-interface Tunnel1
 eigrp stub connected
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export source Vlan1
ip flow-export version 9 peer-as
ip flow-export destination 192.168.0.105 2055
!
ip route 0.0.0.0 0.0.0.0 e.f.154.6
!
!
ip access-list extended internet-in-v2
 permit esp any host e.f.154.5
 permit udp any eq isakmp host e.f.154.5 eq isakmp
 permit icmp any host e.f.154.5 echo
 permit icmp any host e.f.154.5 echo-reply
 permit tcp any host e.f.154.5 eq 22
 permit udp host 130.126.24.53 host e.f.154.5 eq ntp
 permit udp host 198.82.162.213 host e.f.154.5 eq ntp
 deny ip any any log
!
access-list 10 permit 192.168.0.105
access-list 10 permit 172.16.26.0 0.0.0.255
access-list 10 deny any
access-list 15 permit 192.168.0.5
access-list 15 deny any
no cdp run
!
!
!
!
route-map df-bit-clear permit 10
 set ip df 0
!
!
!
control-plane
!
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
privilege exec level 10 debug
privilege exec level 2 clear line
privilege exec level 2 clear
!
line con 0
 login local
line 1
 login local
 modem InOut
 modem autoconfigure discovery
 transport input all
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class telnet-in in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class ssh-in in
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp server 130.126.24.53
ntp server 198.82.162.213
end

---snip---

15 Replies

John Blakley
VIP Alumni

I had originally posted to add dns support to your acl, but then I reread your intro and noticed that you had already tried that. Do you have anything in the logs indicating what could be blocked? Have you tried removing the acl to see if that resolves the issue? Removing the deny at the end won't help because you don't have a permit any to catch the implicit deny, so all of your traffic that doesn't match the previous lines would still be denied.

Also, do you have anything in front of the router like a firewall, or does this connect directly to the provider's equipment?

HTH,
John

*** Please rate all useful posts ***

What supporting commands do I need, just these?

ip domain-lookup [Do I need to specify the interface?]

ip name-server 4.2.2.2

This is what I did, and there is no change:

---snip---

fl2020-vpn001#
fl2020-vpn001#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
fl2020-vpn001(config)#ip domain-lookup

fl2020-vpn001(config)#ip name-server 4.2.2.2
fl2020-vpn001(config)#ip access-list extended internet-in-v2
fl2020-vpn001(config-ext-nacl)#
fl2020-vpn001(config-ext-nacl)#permit udp any any eq 53
fl2020-vpn001(config-ext-nacl)#no deny ip any any log
fl2020-vpn001(config-ext-nacl)#deny ip any any log
fl2020-vpn001(config-ext-nacl)#end
fl2020-vpn001#ping www.cnn.com

Translating "www.cnn.com"...domain server (4.2.2.2)
% Unrecognized host or address, or protocol not running.

fl2020-vpn001#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (4.2.2.2)
% Unrecognized host or address, or protocol not running.

fl2020-vpn001#traceroute www.yahoo.com

Translating "www.yahoo.com"...domain server (4.2.2.2)
% Unrecognized host or address.

fl2020-vpn001#

---snip---

You're concerned with the return traffic coming back in on 53 as well, so try adding these two lines:

permit udp any eq 53 any

permit udp any any eq 53

HTH,
John

*** Please rate all useful posts ***

Clearly the most recent output shows that the router is attempting to resolve names using 4.2.2.2 as the name server. The fact that the names do not resolve suggests that the responses are being blocked. I would like to see a fresh copy of the access list. And perhaps the output of traceroute 4.2.2.2 to verify reachability and what path gets to the name servers might be helpful.

HTH

Rick

Jim Mueller
Level 1

Current ACL:

---snip---

ip access-list extended internet-in-v2
 permit esp any host e.f.154.5
 permit udp any eq isakmp host e.f.154.5 eq isakmp
 permit icmp any host e.f.154.5 echo
 permit icmp any host e.f.154.5 echo-reply
 permit tcp any host e.f.154.5 eq 22
 permit udp host 130.126.24.53 host e.f.154.5 eq ntp
 permit udp host 198.82.162.213 host e.f.154.5 eq ntp
 permit udp any any eq domain
 permit udp any eq domain any
 deny   ip any any log

---snip---

Current results, ping now works, traceroute not:

---snip---

fl2020-vpn001#ping www.cnn.com

Translating "www.cnn.com"...domain server (4.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 157.166.249.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
fl2020-vpn001#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.180.149, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/72/96 ms
fl2020-vpn001#traceroute www.yahoo.com

Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.180.149)

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *

---snip---

Try enabling icmp fully first to see if that resolves your issue...

permit icmp any any

Well, Alain beat me to it, but he's correct. Port-unreachable is what you're going to need.

HTH,
John

*** Please rate all useful posts ***

Hi,

This is because you are only permitting ICMP echo and echo-reply, but Cisco uses UDP traceroute and the return traffic will be an ICMP port-unreachable message.

Just do this:

ip access-list extended internet-in-v2
 91 permit icmp any host e.f.154.5 port-unreachable

Regards

Alain

Don't forget to rate helpful posts.

Jim Mueller
Level 1

Current ACL:

---snip---

ip access-list extended internet-in-v2
 permit esp any host e.f.154.5
 permit udp any eq isakmp host e.f.154.5 eq isakmp
 permit icmp any host e.f.154.5 echo
 permit icmp any host e.f.154.5 echo-reply
 permit tcp any host e.f.154.5 eq 22
 permit udp host 130.126.24.53 host e.f.154.5 eq ntp
 permit udp host 198.82.162.213 host e.f.154.5 eq ntp
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any host e.f.154.5 port-unreachable
 deny ip any any log

---snip---

Current results:

---snip---

fl2020-vpn001#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.183.24, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/97/184 ms
fl2020-vpn001#traceroute www.yahoo.com

Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.183.24)

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7

---snip---

You're going to need to specify for any. Currently, you have it tied to one address to trace to:

permit icmp any any port-unreachable

HTH,
John

*** Please rate all useful posts ***

Jim Mueller
Level 1

Current ACL:

---snip---

ip access-list extended internet-in-v2
 permit esp any host e.f.154.5
 permit udp any eq isakmp host e.f.154.5 eq isakmp
 permit icmp any host e.f.154.5 echo
 permit icmp any host e.f.154.5 echo-reply
 permit tcp any host e.f.154.5 eq 22
 permit udp host 130.126.24.53 host e.f.154.5 eq ntp
 permit udp host 198.82.162.213 host e.f.154.5 eq ntp
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any port-unreachable
 deny   ip any any log
!

---snip---

Current results:

---snip---

fl2020-vpn001#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.180.149, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/92 ms
fl2020-vpn001#traceroute www.yahoo.com

Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.180.149)

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
10  *  *  *
11
fl2020-vpn001#

---snip---

You're resolving it... do you have anything between you and your ISP equipment? Firewall?

HTH,
John

*** Please rate all useful posts ***

Jim Mueller
Level 1

I forgot to answer some of your questions earlier...

Do you have anything in the logs indicating what could be blocked?

* The last entries were at 11:39 (about 15 minutes ago), where icmp was denied. Current traceroute isn't adding any new entries.

Do you have anything between you and your ISP equipment? Firewall?

* No, the WAN port is directly attached to (one of) the LAN port(s) on the ISP modem

Have you tried removing the acl to see if that resolves the issue?

* I just tried this... removing the ACL from Fa8 and traceroute works perfectly, but we can't leave it off so I've re-enabled it after this test:

---snip---

fl2020-vpn001(config)#int fa8
fl2020-vpn001(config-if)#no ip access-group internet-in-v2 in
fl2020-vpn001(config-if)#end
fl2020-vpn001#traceroute www.yahoo.com

Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]

Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.180.149)

  1 10.1.10.1 0 msec 4 msec 0 msec
  2 73.11.36.1 72 msec 16 msec 12 msec
  3 te-9-2-ur01.miccosukeerd.fl.tallah.comcast.net (68.87.161.69) 12 msec 12 msec 8 msec
  4 te-4-1-ur01.timberlanerd.fl.tallah.comcast.net (68.85.236.62) 12 msec 20 msec 8 msec
  5 te-6-4-ar01.l3-tallahas.fl.northglf.comcast.net (68.85.236.101) 12 msec 32 msec 12 msec
  6 te-2-0-0-8-cr01.56marietta.ga.ibone.comcast.net (68.86.95.5) 52 msec 36 msec 40 msec
  7 64.209.97.13 24 msec 16 msec 16 msec
  8 te4-3-10G.ar8.NYC1.gblx.net (67.16.143.26) 36 msec
    po1-20G.ar8.NYC1.gblx.net (67.16.137.94) 36 msec
    po2-10G.ar8.NYC1.gblx.net (67.16.137.98) 36 msec
  9 64.215.30.22 44 msec 68 msec 68 msec
10 ae-3.pat2.bfz.yahoo.com (216.115.97.209) 72 msec 80 msec 48 msec
11 ae-3.msr1.bf1.yahoo.com (216.115.100.29) 48 msec
    ae-4.msr1.bf1.yahoo.com (216.115.100.25) 52 msec
    ae-4.msr2.bf1.yahoo.com (216.115.100.73) 64 msec
12 xe-4-0-0.clr1-a-gdc.bf1.yahoo.com (98.139.232.81) 76 msec
    UNKNOWN-98-139-129-X.yahoo.com (98.139.129.183) 52 msec
    xe-9-0-0.clr2-a-gdc.bf1.yahoo.com (98.139.232.105) 48 msec
13 et-17-1.fab2-1-gdc.bf1.yahoo.com (98.139.128.39) 72 msec
    et-18-25.fab8-1-gdc.bf1.yahoo.com (98.139.128.67) 68 msec
    et-17-1.fab5-1-gdc.bf1.yahoo.com (98.139.128.45) 60 msec
14 po-12.bas1-7-prd.bf1.yahoo.com (98.139.129.193) 68 msec
    po-11.bas2-7-prd.bf1.yahoo.com (98.139.129.179) 52 msec
    po-11.bas1-7-prd.bf1.yahoo.com (98.139.129.177) 72 msec
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20
fl2020-vpn001#

---snip---

Hi,

Can you permit time-exceeded and unreachable too:

ip access-list extended internet-in-v2
 10 permit icmp any any time-exceeded
 20 permit icmp any any unreachable

Regards

Alain

Don't forget to rate helpful posts.

Bam! Now that wasn't so difficult, was it? So for the record, these were the changes... do I need both UDP permits, as they seem to be very similar?

conf t
ip domain-lookup
ip name-server 4.2.2.2
ip access-list extended internet-in-v2
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 no deny   ip any any log
 deny   ip any any log
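Two points made earlier in the thread can be checked offline: John's, that removing the explicit deny changes nothing because the implicit deny still catches unmatched return traffic, and Alain's, that IOS traceroute sends UDP probes and depends on ICMP time-exceeded and port-unreachable replies getting back in through the inbound ACL. The Python script below is an added example, not code from this thread or from Cisco. It parses the subset of IOS extended-ACL syntax used above (any/host addresses, eq ports, the ICMP keywords, optional sequence numbers), evaluates constructed inbound packets against the original and the final internet-in-v2 lists, and reports which entry decides each packet. e.f.154.5 is the thread's scrubbed WAN address; the name-server reply, the hop and destination addresses and the port numbers are constructed sample values. It also shows which of the two UDP lines matches a DNS answer (source port 53) and which matches an unsolicited query arriving at the router (destination port 53).

```python
# Added example, not code from the Cisco Community thread or from Cisco: a
# stateless evaluator for the subset of IOS extended-ACL syntax used in the
# thread, run against constructed inbound packets. e.f.154.5 is the thread's
# scrubbed WAN address; the other hosts and ports are constructed sample values.
from collections import namedtuple

# ICMP (type, code) behind the IOS ACL keywords used in the thread; None = any code.
ICMP_KEYWORDS = {"echo": (8, None), "echo-reply": (0, None), "unreachable": (3, None),
                 "port-unreachable": (3, 3), "time-exceeded": (11, None)}
NAMED_PORTS = {"domain": 53, "isakmp": 500, "ntp": 123}

# sport/dport apply to udp/tcp packets, icmp_type/icmp_code to icmp packets.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type icmp_code",
                    defaults=(None, None, None, None))

def _addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D'; return (predicate, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        return (lambda ip, h=tokens[i + 1]: ip == h), i + 2
    raise ValueError("wildcard-mask addresses are not handled in this example")

def _port(tokens, i):
    """Consume an optional 'eq <port>'; return (predicate, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = NAMED_PORTS.get(tokens[i + 1]) or int(tokens[i + 1])
        return (lambda port, p=p: port == p), i + 2
    return (lambda port: True), i

class Ace:
    """One access-control entry, e.g. 'permit icmp any any port-unreachable'."""
    def __init__(self, line):
        self.text = line.strip()
        tokens = self.text.split()
        if tokens[0].isdigit():          # optional sequence number
            tokens = tokens[1:]
        self.action, self.proto = tokens[0], tokens[1]
        self.src, i = _addr(tokens, 2)
        self.sport, i = _port(tokens, i)
        self.dst, i = _addr(tokens, i)
        self.dport, i = _port(tokens, i)
        # Trailing ICMP keyword, if any ('log' or end of line gives None).
        self.icmp = ICMP_KEYWORDS.get(tokens[i]) if i < len(tokens) else None

    def matches(self, pkt):
        if self.proto not in ("ip", pkt.proto):
            return False
        if not (self.src(pkt.src) and self.dst(pkt.dst)):
            return False
        if pkt.proto in ("udp", "tcp") and not (
                self.sport(pkt.sport) and self.dport(pkt.dport)):
            return False
        if self.icmp is not None:
            t, c = self.icmp
            if pkt.icmp_type != t or (c is not None and pkt.icmp_code != c):
                return False
        return True

def evaluate(acl_text, pkt):
    """IOS semantics: first matching entry wins; no match is the implicit deny."""
    for line in filter(str.strip, acl_text.splitlines()):
        ace = Ace(line)
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny>"

ORIGINAL_ACL = """
permit esp any host e.f.154.5
permit udp any eq isakmp host e.f.154.5 eq isakmp
permit icmp any host e.f.154.5 echo
permit icmp any host e.f.154.5 echo-reply
permit tcp any host e.f.154.5 eq 22
permit udp host 130.126.24.53 host e.f.154.5 eq ntp
permit udp host 198.82.162.213 host e.f.154.5 eq ntp
deny ip any any log
"""
# The thread's final list: the added permits sit in front of the explicit deny.
FIXED_ACL = ORIGINAL_ACL.replace("deny ip any any log", """permit udp any any eq domain
permit udp any eq domain any
permit icmp any any echo-reply
permit icmp any any port-unreachable
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any log""")

WAN = "e.f.154.5"
RETURN_TRAFFIC = {  # constructed packets arriving inbound on Fa8
    "dns_reply": Packet("udp", "4.2.2.2", WAN, sport=53, dport=49152),
    "dns_query_inbound": Packet("udp", "203.0.113.9", WAN, sport=40000, dport=53),
    "hop_time_exceeded": Packet("icmp", "10.1.10.1", WAN, icmp_type=11, icmp_code=0),
    "dest_port_unreachable": Packet("icmp", "98.139.180.149", WAN, icmp_type=3, icmp_code=3),
    "echo_reply": Packet("icmp", "98.139.180.149", WAN, icmp_type=0, icmp_code=0),
}

def verdicts(acl_text):
    """Map each constructed packet to (action, deciding entry) under acl_text."""
    return {name: evaluate(acl_text, pkt) for name, pkt in RETURN_TRAFFIC.items()}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"--- {label} ACL ---")
        for name, (action, entry) in verdicts(text).items():
            print(f"{name:22} {action:6} via {entry}")
```

Running it prints one verdict table per list. Under the original list the DNS answer and both traceroute replies all land on the explicit deny, and deleting that line only moves them to the implicit deny; under the final list the DNS answer is matched by `permit udp any eq domain any` (source port 53), while `permit udp any any eq domain` only matches traffic addressed to port 53 on the router, and the port-unreachable entry decides the destination's reply before the broader unreachable entry is reached.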
