10-23-2009 12:53 AM - edited 03-04-2019 06:28 AM
I have a Cisco 877 that has a ADSL interface and two internal VLANS assigned to different switch ports. Running ADV IP Services.
The problem I have is that I cannot get the host in VLAN3 (192.168.100.75) to access DNS servers on the Internet. There are no denies from the access lists, and it seems able to access everything else on the Internet and even DNS on the other VLAN. Hosts on the other VLAN have no problem accessing DNS servers on the Internet.
Attached is the sanitised config. If anyone has any ideas that would be great. I have opened up the access-lists to access an internal DNS for the meantime.
10-23-2009 01:07 AM
Hi Scott,
I have gone briefly over your configuration - it does not seem to have any obvious errors. Are you suggesting that the host 192.168.100.75 cannot talk to outside DNS servers? What exactly does it mean? Is it able to at least ping them? Is it possible to see in Wireshark if the DNS queries are indeed sent out? Are any DNS responses arriving back?
Let's try to have a close look at what exactly happens to the DNS queries sent by that host. I also suggest creating an ACL 1 in the form
access-list 1 permit 192.168.100.75
and then running the
debug ip nat 1 detailed
to see what exactly is going on at the router.
Best regards,
Peter
10-24-2009 10:32 AM
Hi Peter,
Thanks for the reply. Yes, that is right, the host 192.168.100.75 cannot get a response from any DNS servers. They don't respond to ping, as far as I know, so we can't test that. I do see a translation in place for the servers though.
The router is in another country, so it is hard to get a Wireshark capture, but your other ideas may help.
Thanks
10-23-2009 01:14 AM
Are you using the same DNS for both VLANs? From your ACL WAN_IN it appears that only one DNS server is allowed from the outside:
ip access-list extended WAN_IN
permit udp host 139.130.4.5 eq domain any
regards,
Leo
10-24-2009 10:40 AM
Hi Leo,
Thanks for the reply. I have tried the same DNS server from both hosts, actually not 139.130.4.5. I am not sure why that is there. I think the stateful firewall will allow the return traffic.
Regards,
Scotty
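The relationship Leo's post and Scott's reply describe between the WAN_IN ACL and the stateful firewall, as an added configuration example that is not from the thread or from Scott's attached config; the inspection rule name FW_OUT, the Dialer0 interface and the deny line are assumptions:

```cisco
! Constructed example (not the poster's attached config): a WAN_IN ACL that
! statically permits replies from only one resolver, paired with CBAC
! inspection so that replies from whichever DNS server an inside host
! queried are opened dynamically for that session.
!
! Static hole for a single resolver. Answers from any other DNS server are
! dropped by the final deny unless an inspection session already exists
! for that query; the log keyword makes those drops visible in the log.
ip access-list extended WAN_IN
 permit udp host 139.130.4.5 eq domain any
 deny   ip any any log
!
! Stateful side: inspect outbound UDP (which covers DNS) and TCP, so the
! matching inbound reply is permitted without widening WAN_IN.
ip inspect name FW_OUT udp
ip inspect name FW_OUT tcp
!
! The ACL filters inbound on the WAN interface and inspection watches
! outbound traffic on the same interface (Dialer0 is assumed here).
interface Dialer0
 ip access-group WAN_IN in
 ip inspect FW_OUT out
!
! Verification: while a lookup from 192.168.100.75 is in flight, an entry
! for that host to <resolver>:53 should appear in the inspection sessions.
! If it never does, the host's queries are not leaving through the
! inspected interface, which is the same thing the NAT-side check
! ("access-list 1 permit 192.168.100.75" with "debug ip nat 1 detailed")
! would reveal.
! show ip inspect sessions
! show ip access-lists WAN_IN
```

If the inspection sessions list shows the outbound query but the ACL log still shows the reply being denied, the reply is coming back on an interface or from a source the session does not cover, which narrows the search considerably.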