Solved: DNS issue with NAT NVI

bakersdozen1 · ‎04-07-2014

I was wondering if anyone could advise on the following issue that I am trying to overcome. I have a current setup with NAT using the inside/outside translations but this is not sufficient as I need systems on the LAN to access the global public IP. I have read and set up NAT NVI to allow for this to be possible. My only issue is now that NAT NVI has been configured I can no longer resolve any DNS queries. I can successfully ping and browse to pages using only the IP address but all attempts to resolve DNS with either my ISP's DNS server and google's DNS (8.8.8.8) fail. I enabled debug for NAT and get the following dropped packets every time I try to hit DNS:

*Apr 7 03:08:33.747: NAT: s=192.168.2.161->11.22.33.215, d=8.8.8.8 [31362]

*Apr 7 03:08:33.795: NAT-NVI: translation failed (A), dropping packet s=8.8.8.8 d=11.22.33.215

I don't see how these could be rejected as there are no ACL's, but surely there is something I am missing. I have included a portion of my running config to possibly track down the issue. This is running on a cisco 1921 router with gigE 0/0 port being the internet interface. Interface 0/1 has a few VLANs on it and we are using an internal DNS server of 192.168.1.20 but I have been testing this by setting my client machine's DNS to 8.8.8.8 for the time being.

Current configuration : 2044 bytes
!
! Last configuration change at 03:05:26 UTC Mon Apr 7 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.1.20 68.105.28.11 68.105.29.12
domain-name mydomain.com
!
!
!
ip name-server 192.168.1.20
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 11.22.33.215 255.255.255.240
ip nat enable
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
ip nat enable
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1
ip address 192.168.1.1 255.255.255.0
ip nat enable
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat enable
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3 native
ip address 192.168.3.1 255.255.255.0
ip nat enable
!
ip default-gateway 11.22.33.209
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source list 2 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.1.4 443 interface GigabitEthernet0/0 443
ip nat source static tcp 192.168.1.25 80 interface GigabitEthernet0/0 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 11.22.33.209
!
access-list 1 permit any
access-list 2 permit any
dialer-list 1 protocol ip permit
!

paul driver · ‎04-07-2014

Hello

My understanding By default cisco IOS doesn't perform recursion or resolve DNS queries it only acts to forward these queries to the specified dns servers for resolution.

Also domainless NAT performs a bit differently in that it perform 2 lookups-

1) The NAT translation table is used to make a route decision to send packet to nat virtual interface (NVI) where the ip packet is translated
2)Then another route decision takes place, followed by the packet being forwarded.

As for you configuration and you try this:

no access-list 1
no access-list 2
no ip nat source list 2 interface GigabitEthernet0/0 overload

access-list 1 permit 192.168.1.0 0.0.3.255

no ip default-gateway 11.22.33.209

Ip routing

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎04-07-2014

Hello

My understanding By default cisco IOS doesn't perform recursion or resolve DNS queries it only acts to forward these queries to the specified dns servers for resolution.

Also domainless NAT performs a bit differently in that it perform 2 lookups-

1) The NAT translation table is used to make a route decision to send packet to nat virtual interface (NVI) where the ip packet is translated
2)Then another route decision takes place, followed by the packet being forwarded.

As for you configuration and you try this:

no access-list 1
no access-list 2
no ip nat source list 2 interface GigabitEthernet0/0 overload

access-list 1 permit 192.168.1.0 0.0.3.255

no ip default-gateway 11.22.33.209

Ip routing

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

bakersdozen1 · ‎04-13-2014

Thank you very much Paul this resolved my NAT NVI issue! I'm still getting my bearings on configuring routers so thanks for pointing out my mistake!

bakersdozen1 · ‎04-13-2014

While performing some further testing with the above solution I found an issue where my local DNS server is no longer working as expected with machines located on different VLANs. The DNS server for this domain is located at 192.168.1.20 (VLAN1) which is being given out via DHCP to the clients that are on the 192.168.2.X (VLAN2) subnet.

Currently all DNS requests are only working for machines that are within the VLAN 1 (192.168.1.X) and all other VLANs are failing forcing requests to go to our ISPs DNS server. This works for internet purposes but internal services no longer function.

I believe this is an issue with the current routing table but am not sure. My client machine on VLAN2 (ip 192.168.2.100) can successfully communicate (ping, SSH) with the DNS server, but local DNS queries are not making it across the router.

I tried running some debug on the router to track down the issue but was getting flooded with NAT NVI translations making it fairly difficult to troubleshoot this. I still trying to get smart on the debug features.

Here is a sample output from show ip route:

Gateway of last resort is 11.22.33.209 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 11.22.33.209, GigabitEthernet0/0
11.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 11.22.33.208/28 is directly connected, GigabitEthernet0/0
L 11.22.33.215/32 is directly connected, GigabitEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1.1
L 192.168.1.1/32 is directly connected, GigabitEthernet0/1.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/1.2
L 192.168.2.1/32 is directly connected, GigabitEthernet0/1.2
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, GigabitEthernet0/1.3
L 192.168.3.1/32 is directly connected, GigabitEthernet0/1.3

I am open to any comments or suggestions!