I'm pretty new to business-level routers (I have programming and certain Ubuntu system admin experience though) but I'm facing a problem with Cisco 4431 router.
We have a client with quite strict security policy. The router resides in client's network, with external IP (126.96.36.199) assigned by client's network. The router manages a few Ubuntu servers (X, Y, Z, etc).
From my computer at my home, I can log into client's VPN and then access the router with ssh command, like
or access server X with command like
>ssh -p 2210 firstname.lastname@example.org
When I ssh into X, I issue command
>wget https://www.gnu.org/software/wget # I have wget installed actually, just to test internet connection
I got error like
>wget: unable to resolve host address: 'ftp.gnu.org'
I think I've set the networking files like "interfaces" correctly on server X and believe it's the client's firewall setting. However, the client's IT department says they don't block anything.
To avoid the possibility that I didn't configure X correctly, I also ssh into the router, and I issue command
#show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 172.24.62.135:1 192.168.2.10:15172 188.8.131.52:15172 184.108.40.206:1
tcp 172.24.62.135:2210 192.168.2.10:22 10.132.63.11:43853 10.132.63.11:43853
udp 172.24.62.135:1064 192.168.2.11:21803 220.127.116.11:53 18.104.22.168:53
Total number of translations: 114
I think this says the router is able to sending out outbound requests. However I wonder if there's any command that can show the router is sending outbound to www.gnu.org or www.google.com, but is blocked by the network. An imagined command like this:
sending request out; sent; returned message saying you are blocked
I don't know much about router commands. Can you please help? TIA
Solved! Go to Solution.
Once you loging to your X Server
First do nslookup ftp.gnu.org (check are you able to resolve the DNS resolutions)
if it is resolved. you see DNS Entries like below.
then use telnet command to test you have access from server to internet
telnet ftp.gnu.org 443 <-- this show you have access or not.
if this fails, then you need to contact client and ask any ACL in the router which was blocking ?
to verify if the router is able to resolve a host in the internet you can simply use from the router shell:
About your NAT translations the last line :
>> udp 172.24.62.135:1064 192.168.2.11:21803 22.214.171.124:53 126.96.36.199:53
This actually is a DNS request as the destination UDP port is 53.
So I would say your router NAT is correctly allowing and translating DNS requests.
To be noted the inside global address is actually a private address too. I mean 172.24.62.135 is not a public address. If you haven't changed it manually to mask your real public address, there can be another device before going to the public internet.
Hope to help
Thanks for reply.
% Unrecognized host or address, or protocol not running.
172.24.62.135 is the IP assigned by the client to the router
If the NAT last line indicates router is set up correctly, I'll use this line to tell the client's IT person, although I was hoping to see a more direct command/return to say "block" or something similar. :)
>> the NAT last line indicates router is set up correctly, I'll use this line to tell the client's IT person
That line tells that a DNS query coming from inside is correctly translated to outside.
I see that you have opened a new thread.
>> 172.24.62.135 is the IP assigned by the client to the router
As I have noted in my previous post this is NOT a public IP address . It is a private address in RFC 1918. This means that another NAT process is performed later in another device that is not your router.
You need to take in account this fact. And the issues that you experience can be located there in the second device that you do not control.
Hope to help
>> By "second device that you do not control", you mean a device that manages my router at a higher level
No, I mean the device that performs the next NAT operation.
As I have explained many times you can not go to the public internet with a source address 172.24.x.y because it is private address ( see RFC 1918 to verify).
So some other device near your device or in the service provider network performs another NAT operation.
Try to use a web site that tells you the IP address
for example go to
and look at Your address field on top right corner it will not show 172.24.x.y
I hope to have been clear now
Perform your tests and you can come to the same conclusion: there is another NAT device in the path to the internet.
Your device allows DNS requests to be NATTED as we have seen before, what about the next NAT device ?
This is the right question to put to your customer
Hope to help
This is an IPv6 address !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The device after yours is performing NAT64 means that is translating a private IPv4 address to a public IPv6 address.
Now, it is more clear why you have DNS issues.
>> However, the client IT says, you can ping 188.8.131.52 positively, that means no problem
No, because a translation between IPv4 and IPv6 is happening DNS requests have to be handled in a smart way
In short IPv6 addresses have AAAA records in DNS
IPv4 addresses have A record in DNS.
IF an IPv6 host makes a DNS request would get an AAAA response from the DNS server. (the IPv6 address of the site)
You would need the DNS request to be "tuned" in order to get back the A record from the DNS server.(the IPv4 address)
Hope to help
ip name-server 184.108.40.206
And see if the behaviour changes and the DNS issue is solved.
Hope to help
"unable to resolve host address: 'ftp.gnu.org"
this does not say it cannot make contact, this says it cannot resolve the hostname to an ip address
-> SSH into the X and issue command "nslookup ftp.gnu.org" or maybe "dig gnu.org any"