11-12-2013 07:13 AM - edited 03-04-2019 09:33 PM
We are trying to enable domain lookups for ping & traceroute from our remote routers. A mildly scrubbed version of our running config is below.
- Added 'ip domain lookup source-interface FastEthernet8'; neither ping nor traceroute resolves IPs
- Added 'ip domain-server 4.2.2.2', no change
- Changed it to 'ip domain lookup source-interface VL1', no change
- Added 'ip host GTEDNS 4.2.2.2' and then I was able to 'ping GTEDNS' successfully
- Added permits for UDP/TCP to/from any/any eq DNS to internet-in-v2 ACL, removed and reapplied the deny, no change
- Removed the deny from the internet-in-v2 ACL, no change
What are we missing?
---snip---
!
version 15.0
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
!
hostname fl2020-vpn001
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging console critical
!
no aaa new-model
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
!
!
ip source-route
!
!
!
!
ip cef
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name ourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn **********
!
!
vtp mode transparent
!
!
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key ***** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 600
!
!
crypto ipsec transform-set esp-3des-sha-trans esp-3des esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
set transform-set esp-3des-sha-trans
set pfs group5
!
!
!
!
!
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
!
interface Tunnel1
bandwidth 1536
ip address 172.18.1.83 255.255.252.0
no ip redirects
ip mtu 1400
ip nhrp authentication *****
ip nhrp map multicast a.b.217.11
ip nhrp map 172.18.0.1 a.b.217.11
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.18.0.1
ip tcp adjust-mss 1360
ip policy route-map df-bit-clear
qos pre-classify
tunnel source FastEthernet8
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN shared
!
!
interface Tunnel2
bandwidth 768
ip address 172.18.5.83 255.255.252.0
no ip redirects
ip mtu 1400
ip nhrp authentication *****
ip nhrp map 172.18.4.1 c.d.158.52
ip nhrp map multicast c.d.158.52
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.18.4.1
ip tcp adjust-mss 1360
ip policy route-map df-bit-clear
qos pre-classify
tunnel source FastEthernet8
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN shared
!
!
interface FastEthernet0
no cdp enable
!
!
interface FastEthernet1
no cdp enable
!
!
interface FastEthernet2
no cdp enable
!
!
interface FastEthernet3
no cdp enable
!
!
interface FastEthernet4
no cdp enable
!
!
interface FastEthernet5
no cdp enable
!
!
interface FastEthernet6
no cdp enable
!
!
interface FastEthernet7
no cdp enable
!
!
interface FastEthernet8
description Comcast
bandwidth 8192
ip address e.f.154.5 255.255.255.252
ip access-group internet-in-v2 in
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
!
interface Vlan1
description Inside Private Network
ip address 10.20.20.1 255.255.255.192
ip helper-address 192.168.0.12
no ip redirects
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1400
ip policy route-map df-bit-clear
!
!
interface Async1
no ip address
encapsulation slip
async mode interactive
!
!
!
router eigrp 111
network 10.20.20.0 0.0.0.63
network 172.18.0.0
passive-interface default
no passive-interface Tunnel2
no passive-interface Tunnel1
eigrp stub connected
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export source Vlan1
ip flow-export version 9 peer-as
ip flow-export destination 192.168.0.105 2055
!
ip route 0.0.0.0 0.0.0.0 e.f.154.6
!
!
ip access-list extended internet-in-v2
permit esp any host e.f.154.5
permit udp any eq isakmp host e.f.154.5 eq isakmp
permit icmp any host e.f.154.5 echo
permit icmp any host e.f.154.5 echo-reply
permit tcp any host e.f.154.5 eq 22
permit udp host 130.126.24.53 host e.f.154.5 eq ntp
permit udp host 198.82.162.213 host e.f.154.5 eq ntp
deny ip any any log
!
access-list 10 permit 192.168.0.105
access-list 10 permit 172.16.26.0 0.0.0.255
access-list 10 deny any
access-list 15 permit 192.168.0.5
access-list 15 deny any
no cdp run
!
!
!
!
route-map df-bit-clear permit 10
set ip df 0
!
!
!
control-plane
!
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
privilege exec level 10 debug
privilege exec level 2 clear line
privilege exec level 2 clear
!
line con 0
login local
line 1
login local
modem InOut
modem autoconfigure discovery
transport input all
autoselect ppp
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
line vty 0 4
access-class telnet-in in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class ssh-in in
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
ntp server 130.126.24.53
ntp server 198.82.162.213
end
---snip---
11-12-2013 07:28 AM
I had originally posted to add DNS support to your ACL, but then I reread your intro and noticed that you had already tried that. Do you have anything in the logs indicating what could be blocked? Have you tried removing the ACL to see if that resolves the issue? Removing the deny at the end won't help because you don't have a permit any to catch the implicit deny, so all of your traffic that doesn't match the previous lines would still be denied.
Also, do you have anything in front of the router like a firewall, or does this connect directly to the provider's equipment?
HTH,
John
*** Please rate all useful posts ***
11-12-2013 07:34 AM
What supporting commands do I need, just these?
ip domain-lookup [Do I need to specify the interface?]
ip name-server 4.2.2.2
This is what I did, and there is no change:
---snip---
fl2020-vpn001#
fl2020-vpn001#conf t
Enter configuration commands, one per line. End with CNTL/Z.
fl2020-vpn001(config)#ip domain-lookup
fl2020-vpn001(config)#ip name-server 4.2.2.2
fl2020-vpn001(config)#ip access-list extended internet-in-v2
fl2020-vpn001(config-ext-nacl)#
fl2020-vpn001(config-ext-nacl)#permit udp any any eq 53
fl2020-vpn001(config-ext-nacl)#no deny ip any any log
fl2020-vpn001(config-ext-nacl)#deny ip any any log
fl2020-vpn001(config-ext-nacl)#end
fl2020-vpn001#ping www.cnn.com
Translating "www.cnn.com"...domain server (4.2.2.2)
% Unrecognized host or address, or protocol not running.
fl2020-vpn001#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (4.2.2.2)
% Unrecognized host or address, or protocol not running.
fl2020-vpn001#traceroute www.yahoo.com
Translating "www.yahoo.com"...domain server (4.2.2.2)
% Unrecognized host or address.
fl2020-vpn001#
---snip---
11-12-2013 07:45 AM
You're concerned with the return traffic coming back in on 53 as well, so try adding these two lines:
permit udp any eq 53 any
permit udp any any eq 53
HTH,
John
*** Please rate all useful posts ***
11-12-2013 07:57 AM
Clearly the most recent output shows that the router is attempting to resolve names using 4.2.2.2 as the name server. The fact that the names do not resolve suggests that the responses are being blocked. I would like to see a fresh copy of the access list. And perhaps the output of traceroute 4.2.2.2 to verify reachability and what path gets to the name servers might be helpful.
HTH
Rick
11-12-2013 08:10 AM
Current ACL:
---snip---
ip access-list extended internet-in-v2
permit esp any host e.f.154.5
permit udp any eq isakmp host e.f.154.5 eq isakmp
permit icmp any host e.f.154.5 echo
permit icmp any host e.f.154.5 echo-reply
permit tcp any host e.f.154.5 eq 22
permit udp host 130.126.24.53 host e.f.154.5 eq ntp
permit udp host 198.82.162.213 host e.f.154.5 eq ntp
permit udp any any eq domain
permit udp any eq domain any
deny ip any any log
---snip---
Current results, ping now works, traceroute not:
---snip---
fl2020-vpn001#ping www.cnn.com
Translating "www.cnn.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 157.166.249.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
fl2020-vpn001#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.180.149, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/72/96 ms
fl2020-vpn001#traceroute www.yahoo.com
Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.180.149)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * *
---snip---
11-12-2013 08:14 AM
Try enabling ICMP fully first to see if that resolves your issue...
permit icmp any any
Well, Alain beat me to it, but he's correct. Port-unreachable is what you're going to need.
HTH,
John
*** Please rate all useful posts ***
11-12-2013 08:16 AM
Hi,
This is because you are only permitting ICMP echo and echo-reply, but Cisco uses UDP traceroute and the return traffic will be an ICMP port-unreachable message.
just do this:
ip access-list extended internet-in-v2
91 permit icmp any host e.f.154.5 port-unreachable
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 08:26 AM
Current ACL:
---snip---
ip access-list extended internet-in-v2
permit esp any host e.f.154.5
permit udp any eq isakmp host e.f.154.5 eq isakmp
permit icmp any host e.f.154.5 echo
permit icmp any host e.f.154.5 echo-reply
permit tcp any host e.f.154.5 eq 22
permit udp host 130.126.24.53 host e.f.154.5 eq ntp
permit udp host 198.82.162.213 host e.f.154.5 eq ntp
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any echo-reply
permit icmp any host e.f.154.5 port-unreachable
deny ip any any log
---snip---
Current results:
---snip---
fl2020-vpn001#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.183.24, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/97/184 ms
fl2020-vpn001#traceroute www.yahoo.com
Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.183.24)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7
---snip---
11-12-2013 08:27 AM
You're going to need to specify for any. Currently, you have it tied to one address to trace to:
permit icmp any any port-unreachable
HTH,
John
*** Please rate all useful posts ***
11-12-2013 08:35 AM
Current ACL:
---snip---
ip access-list extended internet-in-v2
permit esp any host e.f.154.5
permit udp any eq isakmp host e.f.154.5 eq isakmp
permit icmp any host e.f.154.5 echo
permit icmp any host e.f.154.5 echo-reply
permit tcp any host e.f.154.5 eq 22
permit udp host 130.126.24.53 host e.f.154.5 eq ntp
permit udp host 198.82.162.213 host e.f.154.5 eq ntp
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any echo-reply
permit icmp any any port-unreachable
deny ip any any log
!
---snip---
Current results:
---snip---
fl2020-vpn001#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.180.149, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/92 ms
fl2020-vpn001#traceroute www.yahoo.com
Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.180.149)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11
fl2020-vpn001#
---snip---
11-12-2013 08:45 AM
You're resolving it....do you have anything between you and your ISP equipment? Firewall?
HTH,
John
*** Please rate all useful posts ***
11-12-2013 08:56 AM
I forgot to answer some of your questions earlier...
Do you have anything in the logs indicating what could be blocked?
* The last entries were at 11:39 (about 15 minutes ago), where ICMP was denied. Current traceroute isn't adding any new entries.
Do you have anything between you and your ISP equipment? Firewall?
* No, the WAN port is directly attached to (one of) the LAN port(s) on the ISP modem
Have you tried removing the acl to see if that resolves the issue?
* I just tried this... removing the ACL from Fa8 and traceroute works perfectly, but we can't leave it off so I've re-enabled it after this test:
---snip---
fl2020-vpn001(config)#int fa8
fl2020-vpn001(config-if)#no ip access-group internet-in-v2 in
fl2020-vpn001(config-if)#end
fl2020-vpn001#traceroute www.yahoo.com
Translating "www.yahoo.com"...domain server (4.2.2.2) [OK]
Type escape sequence to abort.
Tracing the route to ds-any-fp3-real.wa1.b.yahoo.com (98.139.180.149)
1 10.1.10.1 0 msec 4 msec 0 msec
2 73.11.36.1 72 msec 16 msec 12 msec
3 te-9-2-ur01.miccosukeerd.fl.tallah.comcast.net (68.87.161.69) 12 msec 12 msec 8 msec
4 te-4-1-ur01.timberlanerd.fl.tallah.comcast.net (68.85.236.62) 12 msec 20 msec 8 msec
5 te-6-4-ar01.l3-tallahas.fl.northglf.comcast.net (68.85.236.101) 12 msec 32 msec 12 msec
6 te-2-0-0-8-cr01.56marietta.ga.ibone.comcast.net (68.86.95.5) 52 msec 36 msec 40 msec
7 64.209.97.13 24 msec 16 msec 16 msec
8 te4-3-10G.ar8.NYC1.gblx.net (67.16.143.26) 36 msec
po1-20G.ar8.NYC1.gblx.net (67.16.137.94) 36 msec
po2-10G.ar8.NYC1.gblx.net (67.16.137.98) 36 msec
9 64.215.30.22 44 msec 68 msec 68 msec
10 ae-3.pat2.bfz.yahoo.com (216.115.97.209) 72 msec 80 msec 48 msec
11 ae-3.msr1.bf1.yahoo.com (216.115.100.29) 48 msec
ae-4.msr1.bf1.yahoo.com (216.115.100.25) 52 msec
ae-4.msr2.bf1.yahoo.com (216.115.100.73) 64 msec
12 xe-4-0-0.clr1-a-gdc.bf1.yahoo.com (98.139.232.81) 76 msec
UNKNOWN-98-139-129-X.yahoo.com (98.139.129.183) 52 msec
xe-9-0-0.clr2-a-gdc.bf1.yahoo.com (98.139.232.105) 48 msec
13 et-17-1.fab2-1-gdc.bf1.yahoo.com (98.139.128.39) 72 msec
et-18-25.fab8-1-gdc.bf1.yahoo.com (98.139.128.67) 68 msec
et-17-1.fab5-1-gdc.bf1.yahoo.com (98.139.128.45) 60 msec
14 po-12.bas1-7-prd.bf1.yahoo.com (98.139.129.193) 68 msec
po-11.bas2-7-prd.bf1.yahoo.com (98.139.129.179) 52 msec
po-11.bas1-7-prd.bf1.yahoo.com (98.139.129.177) 72 msec
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20
fl2020-vpn001#
---snip---
11-12-2013 09:32 AM
Hi,
can you permit time-exceeded and unreachable too:
ip access-list extended internet-in-v2
10 permit icmp any any time-exceeded
20 permit icmp any any unreachable
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 09:54 AM
Bam! Now that wasn't so difficult, was it? So, for the record, these were the changes... do I need both UDP permits, as they seem to be very similar?
conf t
ip domain-lookup
ip name-server 4.2.2.2
ip access-list extended internet-in-v2
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any echo-reply
permit icmp any any port-unreachable
permit icmp any any time-exceeded
permit icmp any any unreachable
no deny ip any any log
deny ip any any log
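The ACL the thread ends with works, but it is looser than the problem needs, and it answers the closing question about the two UDP permits only by accident. internet-in-v2 is applied inbound on Fa8, so the router's own DNS queries and traceroute probes leave without ever being checked by it; only the replies need entries. Those replies all come back to the router's own address (the posted config shows no NAT and the inside network is private), so they can be pinned to the configured name server and to host e.f.154.5, which is what the earlier host-specific attempts were missing only because time-exceeded was absent. As written, `permit udp any eq domain any` admits any packet whose source port happens to be 53 regardless of where it is going, and `permit udp any any eq domain` admits queries to a router that is not a DNS server. The evaluator below is an added example by this editor, not code from the thread or from Cisco: it models only the entry forms that appear on this page (any/host addresses, `eq <port>`, ICMP keywords, an optional sequence number, a trailing `log`), compares addresses as plain strings so the scrubbed e.f.154.5 can be used as-is, and runs constructed packets (198.51.100.7 and 10.20.20.10 are hypothetical hosts) through the posted ACL and through a tightened version that is this editor's suggestion. It also shows John's implicit-deny point: with no matching entry the verdict is deny whether or not the explicit `deny ip any any log` is present. It assumes the router sources its lookups and probes from the Fa8 address, which is the default when no `ip domain lookup source-interface` is configured, as in the posted summary.

```python
"""Added example, not code from the thread: a small evaluator for the extended-ACL entry
forms seen on this page. Addresses are compared as opaque strings (e.f.154.5 is scrubbed)."""
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "isakmp": 500, "ntp": 123}
ICMP_KEYWORDS = {  # IOS keyword -> (type, code); code None = any code of that type
    "echo": (8, 0), "echo-reply": (0, 0), "time-exceeded": (11, None),
    "unreachable": (3, None), "port-unreachable": (3, 3), "packet-too-big": (3, 4),
}

@dataclass(frozen=True)
class Packet:
    proto: str              # "udp", "tcp", "icmp" or "esp"
    src: str
    dst: str
    sport: int = 0          # UDP/TCP ports, 0 when not applicable
    dport: int = 0
    itype: int = -1         # ICMP type/code, -1 when not applicable
    icode: int = -1

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: str                # "any" or one host address
    sport: int              # 0 = any port
    dst: str
    dport: int
    icmp: object            # (type, code) from ICMP_KEYWORDS, or None = any ICMP

def parse_rule(line: str) -> Rule:
    """Parse one entry such as 'permit udp host 4.2.2.2 eq domain host e.f.154.5'."""
    t = line.split()
    t = t[1:] if t[0].isdigit() else t        # drop a leading sequence number ('91 permit ...')
    action, proto, i = t[0], t[1], 2
    ends = []                                 # (address, port) for source, then destination
    for _ in range(2):
        assert t[i] in ("any", "host"), "only 'any' and 'host A' are modelled: " + line
        addr = "any" if t[i] == "any" else t[i + 1]
        i += 1 if addr == "any" else 2
        port = 0
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
            i += 2
        ends.append((addr, port))
    icmp = ICMP_KEYWORDS[t[i]] if proto == "icmp" and i < len(t) and t[i] != "log" else None
    return Rule(action, proto, ends[0][0], ends[0][1], ends[1][0], ends[1][1], icmp)

def parse_acl(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.icmp is not None and (rule.icmp[0] != pkt.itype or rule.icmp[1] not in (None, pkt.icode)):
        return False
    return (rule.proto in ("ip", pkt.proto) and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst) and rule.sport in (0, pkt.sport)
            and rule.dport in (0, pkt.dport))

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; no match falls to the implicit deny, as on IOS."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Only the entries that differ are listed; the esp/isakmp/echo/echo-reply/ssh/ntp entries
# from the thread stay as they are in both versions. As posted in the closing summary:
POSTED = parse_acl("""
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any echo-reply
permit icmp any any port-unreachable
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any log
""")
# Suggested tightening (this editor's, not from the thread): inbound on Fa8 only replies to
# the router's own traffic need entries, pinned to the name server and the router address;
# 'unreachable' covers port-unreachable and the packet-too-big messages PMTUD relies on.
TIGHT = parse_acl("""
permit udp host 4.2.2.2 eq domain host e.f.154.5
permit icmp any host e.f.154.5 time-exceeded
permit icmp any host e.f.154.5 unreachable
deny ip any any log
""")
# Constructed packets; 198.51.100.7 and 10.20.20.10 are hypothetical hosts.
SAMPLES = {
    "dns_reply": Packet("udp", "4.2.2.2", "e.f.154.5", 53, 52341),
    "hop_ttl_exceeded": Packet("icmp", "68.87.161.69", "e.f.154.5", itype=11, icode=0),
    "target_port_unreachable": Packet("icmp", "98.139.180.149", "e.f.154.5", itype=3, icode=3),
    "spoofed_sport53_to_inside": Packet("udp", "198.51.100.7", "10.20.20.10", 53, 161),
    "unsolicited_query_to_router": Packet("udp", "198.51.100.7", "e.f.154.5", 40123, 53),
}

def decisions(acl: list) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print(decisions(POSTED), decisions(TIGHT))
```

Running it shows both ACLs permitting the three legitimate replies (the DNS answer, the time-exceeded from an intermediate hop, the port-unreachable from the traceroute target), while only the posted version also permits the source-port-53 packet aimed at an inside host and the unsolicited query to the router. In other words, of the two UDP permits only the reply-direction one is doing useful work, and it can be narrowed to the name server and the router's own address; the `permit icmp any any echo-reply` line is likewise redundant with the host-specific echo-reply entry already in the list.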