Cisco 887VA - NAT & DNS problem

MasterPrenium (Level 1)

Dear guys,

I'm currently having some problems while trying to correctly set up my Cisco 887VA modem.

First of all, I usually use netfilter with all the NAT etc. features, but I'm quite a noob with Cisco and I want to learn more.

The problem is that I want to redirect all traffic coming from the Internet to my Linux gateway, which will do further NAT actions, filtering, etc. (IPv4: 192.168.3.2).

I finally got this working (ip nat inside source static 192.168.3.2 interface Dialer0), but when I set up the NAT to do this, DNS no longer works with my ISP's DNS servers. Without the NAT the Cisco can resolve without any problem.

I would like to set up a rule which will be something like: redirect with NAT all traffic coming from the Internet to 192.168.3.2, but if it's the modem that sends a request with dest port = 53, then don't do the NAT on this connection.

Note also that I get my IPv4 address from my ISP via IPCP.

I hope this is clear.

Here is my full config:

Current configuration : 2004 bytes
!
! Last configuration change at 14:03:26 UTC Tue Jun 4 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco887
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxx
enable password xxxx
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn xxxxx
!
controller VDSL 0
 firmware filename flash:VA_A_35l_B_35l_23j.bin
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 ip address 192.168.3.123 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxx
 ppp chap password xxxxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.3.2 interface Dialer0
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 12 permit 192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 password cisco
 login
 transport input all
!
end

6 Replies

interface Vlan1
 ip helper-address dns_ip_address
end
write memory

Hope this helps
Alessio

Hello,

No, that doesn't help.

Note also that I get my DNS servers from my ISP via the PPP session.

Thanks.

NAT debugging:

80.10.246.7 is my ISP DNS server

86.198.231.238 is my public IPv4 address

Jun  5 16:47:04.795: NAT*: o: udp (80.10.246.7, 53) -> (86.198.231.238, 60648) [10432]
Jun  5 16:47:04.795: NAT: o: udp (80.10.246.7, 53) -> (86.198.231.238, 60648) [10432]
Jun  5 16:47:04.795: NAT (UDP-DNS): Before Translation
Jun  5 16:47:04.795: NAT: Translation of UDP DNS src 80.10.246.7, dst 86.198.231.238
Jun  5 16:47:04.795: NAT: Dns type of Response
Jun  5 16:47:04.795:    : dns len=54, id=22398, aa=0, tc=0, rd=1, ra=1
Jun  5 16:47:04.795:    : opcode=0, rcode=0, qdcount=1
Jun  5 16:47:04.795:    : ancount=1, nscount=0, arcount=1
Jun  5 16:47:04.795: Answer section:
Jun  5 16:47:04.795: Authority section:
Jun  5 16:47:04.795: Additional record section:
Jun  5 16:47:04.795: NAT (UDP-DNS): After Translation
Jun  5 16:47:04.795: NAT: Translation of UDP DNS src 80.10.246.7, dst 86.198.231.238
Jun  5 16:47:04.795: NAT: Dns type of Response
Jun  5 16:47:04.795:    : dns len=54, id=22398, aa=0, tc=0, rd=1, ra=1
Jun  5 16:47:04.795:    : opcode=0, rcode=0, qdcount=1
Jun  5 16:47:04.795:    : ancount=1, nscount=0, arcount=1
Jun  5 16:47:04.795: Answer section:
Jun  5 16:47:04.795: Authority section:
Jun  5 16:47:04.795: Additional record section:
Jun  5 16:47:04.795: NAT: s=80.10.246.7, d=86.198.231.238->192.168.3.2 [10432]

The problem is that the packet is being forwarded back to 192.168.3.2 even though it's the Cisco that made the DNS request.

show ip nat translations

Pro Inside global         Inside local          Outside local         Outside global
udp 86.198.231.238:53265  192.168.3.2:53265     80.10.246.7:53        80.10.246.7:53

It should be 192.168.3.123 instead of 192.168.3.2 if I correctly understand what info is displayed.
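A small triage script for the `debug ip nat` output above, added here as an example (it is not code from the original post or from Cisco). It joins each packet-header line to its rewrite line through the IP identification shown in brackets, then flags inbound packets to the public address that NAT rewrote to an inside host although no earlier outbound packet from that host exists on the reverse 4-tuple: that is exactly the ISP resolver's answer to the router's own query in the debug output. The posted lines are used as-is; the second sample (a LAN client 192.168.3.50 resolving through the overload rule) is constructed, and the layout of the inside-to-outside "i:" lines and of their "s=A->B, d=C" rewrite lines is assumed to mirror the "o:" lines the post shows.

```python
"""Triage of `debug ip nat` output: find inbound replies that a whole-address
static NAT rewrote to the static host although no LAN host had opened the
session (so they were answers to the router's own queries, or unsolicited).

Added example for this thread, not code from the original post. The first
sample is the debug output posted in the thread; the second is a constructed
LAN-client exchange. The "i:" (inside-to-outside) line layout and the
"s=A->B, d=C" rewrite layout are assumed to mirror the "o:" lines shown.
"""
import re

# Packet-header line, e.g. "NAT*: o: udp (80.10.246.7, 53) -> (86.198.231.238, 60648) [10432]"
# "o:" is outside-to-inside, "i:" inside-to-outside; [n] is the IP identification.
PKT_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\) "
    r"\[(?P<ipid>\d+)\]"
)
# Rewrite line: "NAT: s=A, d=B->C [n]" (destination rewritten, inbound)
# or "NAT: s=A->B, d=C [n]" (source rewritten, outbound; assumed layout).
XLATE_RE = re.compile(
    r"NAT: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ipid>\d+)\]"
)


def parse_debug(lines):
    """Join each packet-header line with its rewrite line via the IP id and
    direction. Returns one dict per (ipid, direction); repeated header lines
    (IOS prints 'NAT*:' and 'NAT:' for the same packet) collapse into one."""
    flows = {}
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            flows.setdefault((m["ipid"], m["dir"]), {
                "dir": m["dir"], "proto": m["proto"], "ipid": m["ipid"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "src_new": None, "dst_new": None,
            })
            continue
        m = XLATE_RE.search(line)
        if m:
            direction = "o" if m["dst_new"] else "i"
            flow = flows.get((m["ipid"], direction))
            if flow is not None:
                flow["src_new"] = m["src_new"]
                flow["dst_new"] = m["dst_new"]
    return list(flows.values())


def find_misdirected_replies(flows, public_ip):
    """Inbound packets to public_ip that NAT rewrote to an inside host without
    an earlier outbound packet from that host on the reverse 4-tuple. In the
    thread these are the ISP resolver's answers to the router's own queries,
    delivered to 192.168.3.2 because the whole-address static claims them."""
    outbound = {
        (f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
        for f in flows if f["dir"] == "i"
    }
    flagged = []
    for f in flows:
        if f["dir"] != "o" or f["dst"] != public_ip or f["dst_new"] is None:
            continue
        reverse = (f["proto"], f["dst_new"], f["dport"], f["src"], f["sport"])
        if reverse not in outbound:
            flagged.append(f)
    return flagged


# Sample 1: the lines posted in the thread (router's own DNS query, answered
# by the ISP resolver, rewritten to the static-NAT host).
THREAD_DEBUG = """\
Jun  5 16:47:04.795: NAT*: o: udp (80.10.246.7, 53) -> (86.198.231.238, 60648) [10432]
Jun  5 16:47:04.795: NAT: o: udp (80.10.246.7, 53) -> (86.198.231.238, 60648) [10432]
Jun  5 16:47:04.795: NAT (UDP-DNS): Before Translation
Jun  5 16:47:04.795: NAT: Translation of UDP DNS src 80.10.246.7, dst 86.198.231.238
Jun  5 16:47:04.795: NAT: s=80.10.246.7, d=86.198.231.238->192.168.3.2 [10432]
"""
# Sample 2 (constructed, not from the thread): a LAN client 192.168.3.50
# querying the same resolver through the overload rule, and the answer.
CLIENT_DEBUG = """\
Jun  5 16:48:10.001: NAT: i: udp (192.168.3.50, 40000) -> (80.10.246.7, 53) [777]
Jun  5 16:48:10.001: NAT: s=192.168.3.50->86.198.231.238, d=80.10.246.7 [777]
Jun  5 16:48:10.020: NAT: o: udp (80.10.246.7, 53) -> (86.198.231.238, 40000) [778]
Jun  5 16:48:10.020: NAT: s=80.10.246.7, d=86.198.231.238->192.168.3.50 [778]
"""

PUBLIC_IP = "86.198.231.238"  # the router's negotiated Dialer0 address in the thread

if __name__ == "__main__":
    flows = parse_debug((THREAD_DEBUG + CLIENT_DEBUG).splitlines())
    for f in find_misdirected_replies(flows, PUBLIC_IP):
        print(f"ipid {f['ipid']}: {f['proto']} {f['src']}:{f['sport']} -> "
              f"{f['dst']}:{f['dport']} rewritten to {f['dst_new']} "
              f"with no matching outbound flow")
```

Run it over a capture of `debug ip nat` taken while the router itself resolves a name; the flagged flows are the ones the whole-address static takes away from the router. The check is a heuristic: an unsolicited inbound packet from the Internet is flagged the same way, which is useful too, because that is precisely what the whole-address static hands to 192.168.3.2 without any filtering on the router.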

Hello,

You have configured a static translation, so everything coming to your router with destination IP 86.198.231.238 will be forwarded to the private IP 192.168.3.2.

You cannot use one public IP for static NAT and also for PAT. Delete the PAT configuration from your router:

no ip nat inside source list 1 interface Dialer0 overload

Connect all hosts in your LAN to your Linux box and NAT them there, otherwise they will not be able to reach the Internet.

Regarding your problem with DNS.

After you do everything I wrote earlier, you can choose between two options for configuring DNS.

I assume that you run DHCP on your Linux box. Configure DHCP to send the clients the public DNS IP addresses.

Or you can use your router as a DNS relay: DHCP will send the clients the IP address of your router as DNS server [192.168.3.123]. But additionally you need to configure this on your router:

ip domain-lookup

ip dns server

Best Regards

Please rate all helpful posts and close solved questions

Hello, thanks for your answer.

I did what you said (no ip nat inside source list 1 interface Dialer0 overload).

And you're right, I have a DHCP server running on the Linux box. I temporarily fixed the issue by using the Google public DNS servers, but I would prefer to use my ISP's DNS servers (via the Cisco).

Here is my "Internet" schema:

{Internet} <======>[Public IP Dyn. Allocated - Cisco887-  192.168.3.123]<======>[192.168.3.2 - Linux Gateway - 192.168.2.254] <=====>{One part of my network}

The Linux box also has some other networks connected.

Regarding the DNS problem, it still remains: I can't use the Cisco router as a DNS server, nor can it access the Internet (i.e. a ping to 8.8.8.8 doesn't work, for example), because all packets are still forwarded to the Linux box (192.168.3.2).

Is there a way to exclude packets from forwarding when the connection was initiated by the Cisco?

Hello,

You are right, the Cisco as a DNS relay will not work; all returning traffic will be forwarded to the Linux box. There is nothing we can do about it.

Configure the Linux box to hand out your ISP's DNS server via DHCP; I think that is the only solution you have in your scenario.

Best Regards

Please rate all helpful posts and close solved questions

That's what I was thinking about.

Is there no way to set up something like the "DMZ" option found in most of the basic modems/routers that can be found everywhere?

These modems usually have this "DMZ" option in their config interface, in which we indicate a private IP address in order to have all Internet traffic redirected to it. But these modems are still able to act as a DNS server, ping public IPs, etc.
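Added example, not code from the original thread or from Cisco: a model of which inside host receives a packet arriving on the router's public (Dialer0) address, under the whole-address static posted in the thread versus port-level statics. It is meant for two points raised above: the answer that a static translation sends everything arriving on 86.198.231.238 to 192.168.3.2 (so the router's own DNS relay and pings get no replies), and the closing question about a "DMZ" host. A whole-address static is the IOS equivalent of that DMZ option and claims every inbound packet, including the resolver's reply to the router's own query from the debug output. The port-level form (`ip nat inside source static tcp <local> <port> interface Dialer0 <port>`) is ordinary IOS syntax and the usual way to expose individual services from the address the overload rule uses; in the model it leaves the router's own sessions alone. The NAT statements use the thread's addresses; the ports in PORT_CONFIG and the sample packets are illustrative. The matching is a deliberately simplified model of the NAT engine: it checks static entries only (no dynamic/PAT table, no route-maps) and assumes the statics do not overlap.

```python
"""Which inside host gets a packet that arrives on the router's public
(Dialer0) address, under a whole-address static versus port-level statics.

Added example for this thread, not code from the original post or from
Cisco. The NAT statements are ordinary IOS syntax; the addresses are the
thread's; the ports in PORT_CONFIG are illustrative. The matching below is a
deliberately simplified model of the IOS NAT engine: it checks static entries
only (no dynamic/PAT table, no route-maps) and assumes the statics do not
overlap, so it only answers "what claims a fresh inbound packet".
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    proto: Optional[str] = None        # None: whole-address static (the "DMZ host" style)
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def claims(self, proto, dport):
        """True if an inbound packet to the public address with this
        protocol and destination port is rewritten to inside_local."""
        if self.proto is None:
            return True                # every port, every protocol
        return proto == self.proto and dport == self.global_port


# "ip nat inside source static 192.168.3.2 interface Dialer0"
# "ip nat inside source static tcp 192.168.3.2 443 interface Dialer0 443"
STATIC_RE = re.compile(
    r"^ip nat inside source static "
    r"(?:(?P<proto>tcp|udp) )?(?P<local>[\d.]+) (?:(?P<lport>\d+) )?"
    r"interface (?P<ifname>\S+)(?: (?P<gport>\d+))?$"
)


def parse_statics(config_text):
    """Extract the interface-based static NAT statements from a config."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m is None:
            continue
        if m["proto"]:
            statics.append(StaticNat(m["local"], m["proto"],
                                     int(m["lport"]), int(m["gport"])))
        else:
            statics.append(StaticNat(m["local"]))
    return statics


def inbound_target(statics, proto, dport):
    """Inside host an inbound packet is rewritten to, or None if no static
    claims it. None is what the router's own sessions need: the reply stays
    addressed to the router (a DNS answer to its query, a ping reply)."""
    for s in statics:
        if s.claims(proto, dport):
            return s.inside_local
    return None


# The thread's NAT lines: overload for the LAN plus a whole-address static.
POSTED_CONFIG = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.3.2 interface Dialer0
"""
# Port-level alternative (illustrative ports): only the listed services on
# the Linux box are reachable from the Internet; the overload rule stays.
PORT_CONFIG = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.2 22 interface Dialer0 22
ip nat inside source static tcp 192.168.3.2 443 interface Dialer0 443
ip nat inside source static udp 192.168.3.2 1194 interface Dialer0 1194
"""

# Inbound packets to the public address (constructed): the resolver's reply
# from the thread's debug output, an HTTPS connection, an unsolicited probe.
PACKETS = {
    ("udp", 60648): "DNS reply to the router's own query (port 53 -> 60648)",
    ("tcp", 443): "HTTPS SYN from the Internet",
    ("tcp", 3389): "RDP probe from the Internet",
}


def report(config_text):
    """Map each sample packet (proto, dport) to the inside host that gets it."""
    statics = parse_statics(config_text)
    return {key: inbound_target(statics, *key) for key in PACKETS}


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("port-level", PORT_CONFIG)):
        print(f"== {name} config ==")
        for key, target in report(cfg).items():
            print(f"{PACKETS[key]:<52} -> {target or 'stays with the router / dropped'}")
```

The model only says what claims a fresh inbound packet; answers to LAN sessions opened through the overload rule come from the dynamic translation table it omits, and `show ip nat translations` on the router is the place to confirm the real entries, as in the post above. The security point it makes explicit: under the posted whole-address static every port of 192.168.3.2 is reachable from the Internet and the Linux box's netfilter rules are the only filter in the path, while port-level statics limit exposure to the listed services and, as a side effect, give the router back the replies to its own DNS queries and pings.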