Can't resolve names via ping/traceroute even with domain lookup enabled

Jim Mueller, Level 1

We are trying to enable domain lookups for ping & traceroute from our remote routers. A mildly scrubbed version of our running config is below.

- Added 'ip domain lookup source-interface FastEthernet8', neither ping nor traceroute resolves IPs

- Added 'ip domain-server 4.2.2.2', no change

- Changed it to 'ip domain lookup source-interface VL1', no change

- Added 'ip host GTEDNS 4.2.2.2' and then I was able to 'ping GTEDNS' successfully

- Added permits for UDP/TCP to/from any/any eq DNS to internet-in-v2 ACL, removed and reapplied the deny, no change

- Removed the deny from the internet-in-v2 ACL, no change

What are we missing?

---snip---
!
version 15.0
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
!
hostname fl2020-vpn001
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging console critical
!
no aaa new-model
!
clock timezone EST -5
clock summer-time EDT recurring
!
ip source-route
!
ip cef
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name ourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn **********
!
vtp mode transparent
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key ***** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 600
!
crypto ipsec transform-set esp-3des-sha-trans esp-3des esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set esp-3des-sha-trans
 set pfs group5
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface Tunnel1
 bandwidth 1536
 ip address 172.18.1.83 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *****
 ip nhrp map multicast a.b.217.11
 ip nhrp map 172.18.0.1 a.b.217.11
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.0.1
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 qos pre-classify
 tunnel source FastEthernet8
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel2
 bandwidth 768
 ip address 172.18.5.83 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *****
 ip nhrp map 172.18.4.1 c.d.158.52
 ip nhrp map multicast c.d.158.52
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.4.1
 ip tcp adjust-mss 1360
 ip policy route-map df-bit-clear
 qos pre-classify
 tunnel source FastEthernet8
 tunnel mode gre multipoint
 tunnel key 2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 no cdp enable
!
interface FastEthernet5
 no cdp enable
!
interface FastEthernet6
 no cdp enable
!
interface FastEthernet7
 no cdp enable
!
interface FastEthernet8
 description Comcast
 bandwidth 8192
 ip address e.f.154.5 255.255.255.252
 ip access-group internet-in-v2 in
 ip nbar protocol-discovery
 ip flow ingress
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Inside Private Network
 ip address 10.20.20.1 255.255.255.192
 ip helper-address 192.168.0.12
 no ip redirects
 ip nbar protocol-discovery
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip policy route-map df-bit-clear
!
interface Async1
 no ip address
 encapsulation slip
 async mode interactive
!
router eigrp 111
 network 10.20.20.0 0.0.0.63
 network 172.18.0.0
 passive-interface default
 no passive-interface Tunnel2
 no passive-interface Tunnel1
 eigrp stub connected
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip flow-export source Vlan1
ip flow-export version 9 peer-as
ip flow-export destination 192.168.0.105 2055
!
ip route 0.0.0.0 0.0.0.0 e.f.154.6
!
ip access-list extended internet-in-v2
 permit esp any host e.f.154.5
 permit udp any eq isakmp host e.f.154.5 eq isakmp
 permit icmp any host e.f.154.5 echo
 permit icmp any host e.f.154.5 echo-reply
 permit tcp any host e.f.154.5 eq 22
 permit udp host 130.126.24.53 host e.f.154.5 eq ntp
 permit udp host 198.82.162.213 host e.f.154.5 eq ntp
 deny ip any any log
!
access-list 10 permit 192.168.0.105
access-list 10 permit 172.16.26.0 0.0.0.255
access-list 10 deny any
access-list 15 permit 192.168.0.5
access-list 15 deny any
no cdp run
!
route-map df-bit-clear permit 10
 set ip df 0
!
control-plane
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
privilege exec level 10 debug
privilege exec level 2 clear line
privilege exec level 2 clear
!
line con 0
 login local
line 1
 login local
 modem InOut
 modem autoconfigure discovery
 transport input all
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class telnet-in in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class ssh-in in
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp server 130.126.24.53
ntp server 198.82.162.213
end
---snip---

15 Replies

Hi,

You only need DNS replies so permit udp any eq 53 any

Regards

Alain

Don't forget to rate helpful posts.
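Editor's added example, not text from the original poster or from Alain's reply: the DNS-related pieces of the posted config rewritten the way a practitioner would normally do it, using only the page's own names (`internet-in-v2`, `e.f.154.5`, `FastEthernet8`, resolver `4.2.2.2`). It rests on two things the posted config itself shows. First, the running config still contains `no ip domain lookup`; in IOS `ip domain lookup source-interface` only selects the source address for the router's own queries and does not turn resolution on, which is also why `ping GTEDNS` worked (the static `ip host` table is consulted without DNS) while every name lookup failed regardless of what was done to the ACL. Second, `internet-in-v2` is a stateless ACL applied inbound on the Comcast interface: the router's outgoing query is never checked by it, but the reply is, and that reply arrives from source port 53 to an ephemeral destination port. An entry such as `permit udp any any eq domain` matches packets whose destination port is 53, i.e. queries sent to the router, and never the reply. `ip name-server` is the standard form of the resolver command (the post writes it as `ip domain-server`).

```cisco
! --- Turn resolution on; 'source-interface' on its own leaves 'no ip domain lookup' in place.
ip domain lookup
ip domain lookup source-interface FastEthernet8
ip domain name ourdomain.com
ip name-server 4.2.2.2
!
! --- Inbound ACL on the Internet interface. Stateless, so replies to the router's own
! --- queries must be permitted explicitly; existing entries from the post are unchanged.
ip access-list extended internet-in-v2
 permit esp any host e.f.154.5
 permit udp any eq isakmp host e.f.154.5 eq isakmp
 permit icmp any host e.f.154.5 echo
 permit icmp any host e.f.154.5 echo-reply
 permit tcp any host e.f.154.5 eq 22
 permit udp host 130.126.24.53 host e.f.154.5 eq ntp
 permit udp host 198.82.162.213 host e.f.154.5 eq ntp
 ! DNS replies only: source port 53, from the configured resolver, to the router's own address.
 ! The reply's destination port is the ephemeral port the query was sent from, never 53,
 ! so 'permit udp any any eq domain' cannot match it. 'permit udp any eq 53 any' would
 ! match, but it also lets any Internet host reach any UDP port on the router simply by
 ! sourcing its packets from port 53; pinning the resolver and the destination closes that.
 permit udp host 4.2.2.2 eq domain host e.f.154.5
 deny ip any any log
```

Checks that tell the two failure modes apart: `show hosts` confirms the name server and that lookup is enabled; `show ip access-lists internet-in-v2` shows whether the new permit line is accumulating matches; and because the final entry is `deny ip any any log`, a reply that is being dropped shows up in `show logging` as a logged deny of UDP from 4.2.2.2 port 53 to e.f.154.5, while no such entries at all means the router never sent a query in the first place. `debug domain` shows the lookup attempt itself. One caveat on the `source-interface Vlan1` variant from the post: the posted config has no NAT, so a query sourced from 10.20.20.1 towards an Internet resolver leaves the Comcast interface untranslated and its reply has no route back; source the queries from FastEthernet8, or from an address reachable through the DMVPN hubs if the resolver sits behind them.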