Conditional Destination NAT Not working to Cisco Umbrella

yoav-shneor · ‎10-08-2023

Trying to change a packet destination according to DNS port ( 53 )
when a PC goes to an internal DNS server i want to change it to Umbrella DNS address.
should be a destination NAT but something is not working correct .
Any one got a working example ?
Can it be a limitation on the C900-UNIVERSALK9-M Software ?

ip nat pool Test1 208.67.220.220 208.67.220.220 netmask 255.255.255.252 //DNS Pool

ip nat outside source list dns1 pool Test1 // the actual Nat

ip access-list extended dns1 // LAN source to original DNS
permit udp 192.168.1.0 0.0.0.255 host 192.168.111.1 eq domain

// interfaces
interface Ethernet0
description WAN
ip nat outside
ip nat enable
ip virtual-reassembly in

interface Vlan1
description LAN
ip nat inside
ip nat enable
ip virtual-reassembly in

MHM Cisco World · ‎10-08-2023

This NAT not work I think you need

1- remove ip nat enable from both interface

2- change NAT to be NAT with route-map

So if source is x and destiantion is Y then this NAT will work.

Try above and check

yoav-shneor · ‎10-08-2023

Hi MHM ,

configured as following , still no translation

interface Ethernet0
description WAN
ip nat outside
ip virtual-reassembly in

interface Vlan1
description LAN
ip nat inside
ip virtual-reassembly in

ip nat pool umbrella 208.67.220.220 208.67.220.220 prefix-length 30

ip nat outside source route-map switch_dns pool umbrella

access-list 101 permit udp 192.168.1.0 0.0.0.255 host 192.168.111.1 eq domain

MHM Cisco World · ‎10-08-2023

Why you use

Ip nat outside?

yoav-shneor · ‎10-08-2023

i am not sure about it ... tried alread some wayes.
i am trying to rewrite the destination "outside local" point of view.
I can change it and test again

yoav-shneor · ‎10-09-2023

Hi MHM

Changed it to inside , still no translation . and int the sh ip nat statistics i have 755 misses

Router#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 30, occurred 19:37:03 ago
Outside interfaces:
Ethernet0
Inside interfaces:
Vlan1
Hits: 515 Misses: 0
CEF Translated packets: 515, CEF Punted packets: 2125
Expired translations: 71
Dynamic mappings:
-- Inside Source
[Id: 9] route-map switch_dns pool umbrella refcount 0
pool umbrella: netmask 255.255.255.252
start 208.67.220.220 end 208.67.220.220
type generic, total addresses 1, allocated 0 (0%), misses 755

ip nat pool umbrella 208.67.220.220 208.67.220.220 prefix-length 30
ip nat inside source route-map switch_dns pool umbrella
access-list 101 permit udp 192.168.1.0 0.0.0.255 host 192.168.111.1 eq domain

MHM Cisco World · ‎10-13-2023

Can you share simple topolgy' I will run lab and test some NAT command.

Waiting your reply.

MHM

paul driver · ‎10-13-2023

Hello

@yoav-shneor wrote:
when a PC goes to an internal DNS server i want to change it to Umbrella DNS address.
should be a destination NAT but something is not working correct .

Your on the right track using domainless nat, Try the following

EDITED:
interface Ethernet0
no ip nat outside

interface Vlan1
no ip nat inside

no ip nat outside source list dns1 pool Test1
ip nat source list dns1 pool Test1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

yoav-shneor · ‎10-14-2023

Hello Paul

Sorry I don't understand the term domainless nat.

I perform nat to change the IP of the domain to which it was addressed. What you actually wrote cancels all the nat commands, so how exactly will the destination domain be replaced?

The red arrow is the original dns request . i need to catch it on the router , change the destination and send it along ther green arrow,

paul driver · ‎10-15-2023

Hello
I believe by default cisco IOS doesn't perform recursion or resolve DNS queries it only acts to forward these queries to the specified dns servers for resolution, domainless- NVI NAT (no inside/outside domains) works a bit differently in that it perform two lookups-

1) The NAT translation table is used to make a route decision to send packet to nat virtual interface (NVI) where the ip packet is translated
2)Then another route decision takes place, followed by the packet being forwarded

So with NVI NAT a routing decision is now taken twice before and after translation (including return traffic)

Apply the config i posted previously and test, although ive just noticed a typo , it should have read.

interface Ethernet0
no ip nat outside

interface Vlan1
no ip nat inside

no ip nat outside source list dns1 pool Test1
ip nat source list dns1 pool Test1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

yoav-shneor · ‎10-16-2023

Hello Paul,

For now Testing site works with the following config

interface Ethernet0.103
Desc WAN
ip nat outside

interface Vlan1
Desc LAN
ip nat inside

// internal DNS staticly change to umbrella dns .

ip nat outside source static network 208.67.220.220 192.168.1.1 /32
ip nat outside source static network 208.67.222.222 192.168.1.4 /32

I will update after customer test some more Apps .

TNX