09-06-2013 02:02 PM - edited 03-04-2019 08:58 PM
I seem unable to do this. There is no 'no-payload' option in the IP NAT command, neither is there an 'ip service alg tcp dns'. DNS does not seem to be being inspected either.
Can anyone suggest how I can disable DNS rewriting please.
Regards
Solved! Go to Solution.
09-06-2013 02:25 PM
Hi Alan,
The command should actually say no ip nat service alg udp dns and no ip nat service alg tcp dns - can you double check that this command is missing? The no-payload option appears to be available only with static NAT entries.
Best regards,
Peter
09-07-2013 01:39 AM
Hi Peter, Thank you for your reply
It does appear that the ALG option is not present see below:-
Rtr(config)#no ip nat service ?
H225 H323-H225 protocol
allow-h323-even-rtp-ports Allow even RTP ports for H323
allow-h323-keepalive Allow H323 KeepAlive
allow-sip-even-rtp-ports Allow even RTP ports for SIP
allow-skinny-even-rtp-ports Allow even RTP ports for Skinny
append-ldap-search-res Append ldap search result
dns-reset-ttl Reset dns cname ttl value
fullrange allocate all available port of 1 to 65535
list Specify access list describing global addresses
ras H323-RAS protocol
sip SIP protocol
skinny skinny protocol
Rtr(config)#no ip nat service
Any thoughts?
09-08-2013 01:41 PM
Alan,
I am not sure if I can help here. I was wondering if perhaps you could try to use the following command:
no ip port-map
I am not sure if this helps, though, as I do not know if this NBAR-related command also influences DNS ALG engine in NAT. In addition, if you are using any match protocol dns in your class-map constructs, this would stop them recognizing DNS traffic.
Otherwise, though, I am not sure if we can stop the DNS ALG in your IOS. Why are you actually trying to stop it? Are you using any internal servers whose IP addresses get translated to public IPs in DNS responses?
Best regards,
Peter
09-08-2013 11:49 PM
Hi Peter,
just a little remark: ip port-map is used by CBAC and ZBF, for NBAR the command is ip nbar port-map instead.
Can we do a match protocol in a route-map for NAT, have you ever done it before ?
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 12:08 AM
Hi Alain,
Good catch! To be honest, I was confusing those commands... thanks for clearing that up.
Can we do a match protocol in a route-map for NAT, have you ever done it before ?
I do not think we can. In all "maps" I know of, the only match protocol type of matching is in a class-map, and this class-map is then referred to by a policy-map. I do not believe I have seen any match rule in route-maps that could refer to a class-map or a policy-map.
What is your idea here, anyway?
Best regards,
Peter
09-09-2013 12:28 AM
Hi Peter,
I was thinking that it was impossible too and so I was asking myself how changing the port-mapping could solve the problem and that's why I asked you about it.
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 01:15 AM
Hi Alain,
Oh, I get you now. My idea was that perhaps the DNS ALG used by NAT internally uses NBAR to recognize specific types of traffic - just a hypothesis... and preventing NBAR from recognizing the DNS traffic on port 53 would in effect deactivate the DNS ALG. As I said - it was just a hypothesis.
Still, it would be nice if Alan could test whether no ip port-map or no ip nbar port-map works for him!
Best regards,
Peter
09-09-2013 01:52 AM
Hi Peter, Alain
Thanks for input. I will give those suggestions a test later today and report back.
Regards,
09-09-2013 07:42 AM
Ok I have tried no ip port-map dns but this does not disable DNS rewriting. When I try no ip nbar it appears that option is not supported.
My reason for doing this is that I am having a look at Outlook Anywhere and wanted to disable rewriting to eliminate that variable from my testing.
Regards.
09-09-2013 07:49 AM
Alan,
I am still wondering... Can you post your complete NAT configuration?
Best regards,
Peter
09-09-2013 08:05 AM
Hi Peter you are some determined man!! :-)
NAT config:-
ip nat inside source list DMZ_Clients interface Dialer1 overload
ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
ip nat inside source static 192.168.253.10 one_of_my_external_IPs
The 4 port router is divided into two VLANs each a member of a bridge group with separate beacons.
The inside_clients are on a 192.168.253.0/24 net
The DMZ_clients (other VLAN) are on a public IP subnet using IP addresses that are not actually mine !!! (this is a historical, not to say hysterical, hang over from an earlier config - it could be changed but as far as I can see should have no effect)
The Dialer1 address is a dynamically acquired (but fixed) IP from the ISP.
Is that enough info?
Regards
09-09-2013 08:16 AM
Alan,
I am not sure if I'm determined or stubborn... and it probably won't do much good anyway but I do not want to miss anything.
The ip nat inside source static command should have the option of using no-payload at its very end. Does your IOS give you that option? Would it help in your case?
How exactly do the DNS contents get rewritten, i.e. what exact two addresses get exchanged? I am trying to understand what information actually does the IOS use to rewrite the DNS payloads, as apart from the static mapping you have, the IOS does not seem to have enough information which addresses to rewrite and how.
Best regards,
Peter
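What the DNS ALG actually touches in the payload, as an added model written for this page (not IOS code, and not from any poster): a reply coming back to the inside is walked RR by RR, and any A record whose RDATA equals an inside-global address with a known static mapping is rewritten to the inside-local address; with no-payload the message is returned unchanged. The DNS reply is constructed inline, and 203.0.113.10 is a documentation address standing in for the real external IP (assumption). Dynamic PAT entries are deliberately not modelled, since the thread's point is that the router lacks a 1:1 mapping to apply there.

```python
import ipaddress
import struct

# Constructed NAT table for the example: inside-global -> inside-local.
# Mirrors a static entry like 'ip nat inside source static 192.168.253.10 <external>'.
# 203.0.113.10 is a documentation address, not the thread's real external IP (assumption).
STATIC_NAT = {"203.0.113.10": "192.168.253.10"}


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def _answer_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response with one A record per IP (constructed sample input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip in answers:
        # name pointer to the question name, type A, class IN, TTL 300, rdlength 4
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def answer_ips(msg):
    """List the A-record addresses in the answer section, in order."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _answer_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def dns_alg_rewrite(msg, nat_table, no_payload=False):
    """Model of the NAT DNS ALG for a reply heading to the inside.

    Every A record whose RDATA is an inside-global address in nat_table is rewritten
    to the matching inside-local address. With no_payload=True the payload is left
    alone (only the IP header would be translated, which is not modelled here).
    Returns (new_message, [(old_ip, new_ip), ...]).
    """
    if no_payload:
        return bytes(msg), []
    buf = bytearray(msg)
    rewrites = []
    for off, rtype, rclass, rdlen in _answer_records(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue                                         # only A records are touched
        old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        new = nat_table.get(old)
        if new:
            buf[off:off + 4] = ipaddress.IPv4Address(new).packed
            rewrites.append((old, new))
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_response("mail.example.com", ["203.0.113.10", "198.51.100.5"])
    translated, changes = dns_alg_rewrite(reply, STATIC_NAT)
    print("ALG on :", answer_ips(translated), changes)
    untouched, changes = dns_alg_rewrite(reply, STATIC_NAT, no_payload=True)
    print("no-payload:", answer_ips(untouched), changes)
```

Running it shows the first answer flipping from the external address to 192.168.253.10 while the unrelated 198.51.100.5 record is left alone, and the no-payload path returning the reply byte-for-byte; that is the variable Alan is trying to remove from his Outlook Anywhere test.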
09-09-2013 08:49 AM
Peter, Once again thanks. I will try and make a resume at this point.
As per your early remark the no-payload option is available on the static NAT and indeed works by disabling DNS rewriting.
However I have been working on a client using the dynamic nat, this is where I have been testing the Outlook Anywhere functionality.
It's looking that I can only disable the rewriting on the static NATs as per your no-payload observation.
Unless you have any other suggestion I suggest that I mark this thread closed and will allocate 'correct answer' to your most recent post.
Regards,
09-10-2013 12:35 AM
Hi Alan,
Sadly, no more suggestions at this point, apart from upgrading your IOS to a version that supports the ip nat service alg commands.
I am thankful for your generosity but as we haven't really solved the problem, I don't think any of my answers deserves a "correct answer" grading.
Best regards,
Peter
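The two ways of switching the DNS rewriting off that this thread arrives at, gathered into one config fragment as an added example (not posted by anyone in the thread). The external address keeps the thread's own placeholder. Whether the `ip nat service alg` commands exist depends on the IOS release; Alan's `?` output above shows they are missing from his image, which is why the static no-payload form is the only one that worked for him.

```cisco
! Option 1 - only on IOS releases that expose the NAT ALG knobs (absent in Alan's image):
! turns the DNS ALG off globally, so payloads of dynamic and static translations alike
! are no longer rewritten
no ip nat service alg udp dns
no ip nat service alg tcp dns
!
! Option 2 - confirmed in the thread: keep the 1:1 address translation for the server
! but leave application payloads (the DNS A-record data) untouched for this entry
ip nat inside source static 192.168.253.10 one_of_my_external_IPs no-payload
!
! The dynamic PAT entries have no no-payload keyword and stay as they were
ip nat inside source list DMZ_Clients interface Dialer1 overload
ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
```

To check the result, clear the relevant entry and watch it re-create (`show ip nat translations`, `show ip nat statistics`), then resolve the server's name from an inside host: with the ALG active the reply carries the inside-local address, with it disabled the reply carries the external address exactly as the authoritative server sent it.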