DNS issue

wasahongNYC
Level 1

Hello everyone,

I'd like to ask some questions about a DNS issue.

Please help me when you get a chance.

Thanks in advance.

To make it easy to understand, I have simplified the diagram.

Now, the connectivity is:

From the router and the switch, I can ping 4.2.2.2,

it works very well.

Also,

when I ping www.google.com from the Gi0/0 interface of the router,

it works very well.

But,

when I try to ping www.google.com from the Gi0/1 interface of the router,

it does NOT work.

The same issue with the switch as well.

That's it.

I appreciate your help since I have been stuck on this issue for almost 1 week.

Thanks,

Router configuration:

upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname on-router-1
boot-start-marker
boot-end-marker
logging buffered emergencies
enable password 7 055B0F04715F1F5B4A44
no aaa new-model
ip cef
!
ip domain round-robin
ip domain name xxxxxx
ip name-server 4.2.2.2
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback100
 description mgmt interface
 ip address 10.0.100.13 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0
 description ISP A circuit order XXXXXXXXXX
 ip address *.*.*.* 255.255.255.248
 ip accounting output-packets
 ip nat outside
 ip nat enable
 no ip virtual-reassembly
 duplex full
 speed 1000
 media-type sfp
 no negotiation auto
!
interface GigabitEthernet0/1
 description uplink to on-main-1 interface g 1/0/12
 ip address 192.168.2.253 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
 duplex full
 speed 1000
 media-type sfp
 no negotiation auto
 standby 2 ip 192.168.2.254
 standby 2 priority 110
 standby 2 preempt
!
interface GigabitEthernet0/2
 ip address 192.168.3.253 255.255.255.0
 no ip redirects
 duplex full
 speed 1000
 negotiation auto
 standby 3 ip 192.168.3.254
 standby 3 priority 110
 standby 3 preempt
!
interface GigabitEthernet0/3
 no ip address
 duplex full
 speed 1000
 no negotiation auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route 10.1.0.0 255.255.0.0 192.168.2.1
ip route 10.1.20.0 255.255.255.0 192.168.2.13
no ip http server
!
ip dns server view-group XXXXX
ip dns server
ip nat pool inside 192.168.0.0 192.168.0.253 netmask 255.255.255.0
ip nat source list 100 interface GigabitEthernet0/0 overload
!
logging alarm informational
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
access-list 100 permit udp any any
!
control-plane
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 5
 password 7 045802150C2E
 login
end

Switch configuration:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname on-main-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zuuI$IrnVd/YzecdoMi/oEnyoI1
enable password 7 1511021F0725
!
no aaa new-model
switch 1 provision ws-c3750x-12s
system mtu routing 1500
!
ip name-server 4.2.2.2
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Loopback100
 ip address 10.0.100.15 255.255.255.255
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/5
 description uplink to asa12 port 0/0
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/6
 description uplink to router02 port g 0/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/11
 description uplink to asa11 port 0/0
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/12
 description uplink to router01 port g 0/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.2.4 255.255.255.0
!
ip default-gateway 192.168.2.254
!
ip http server
ip http secure-server
!
logging esm config
!
line con 0
line vty 0 4
 password 7 02050D480809
 login
line vty 5
 password 7 02050D480809
 login
line vty 6 15
 login
!
monitor session 1 source interface Gi1/0/12
monitor session 1 destination interface Gi1/0/2
end

Accepted Solution

jawad-mukhtar
Level 4

ip nat source list 100 interface GigabitEthernet0/0 overload

no ip nat source list 100 interface GigabitEthernet0/0 overload

ip nat inside source list 100 interface GigabitEthernet0/0 overload

*** Do Rate Helpful Posts ***

Jawad

Hi Jawad,

It can work, thanks,

but ...

there are NAT messages showing up.

There is still something wrong with NAT.

Could you help me check it when you are free?

I am going to search for it on Google as well.

Thank you very much,

------------------------------------------------------------------------------------------------------------
*Feb 28 12:56:23.544: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Feb 28 12:56:23.544: mapping pointer available mapping:0
*Feb 28 12:56:23.544: NAT: [0] Allocated Port for 192.168.2.4 -> *.*.*.*: wanted 64542 got 64542
*Feb 28 12:56:23.544: NAT: i: udp (192.168.2.4, 64542) -> (4.2.2.2, 53) [0]
*Feb 28 12:56:23.544: NAT (UDP-DNS): Before Translation
*Feb 28 12:56:23.544: NAT: Translation of UDP DNS src 192.168.2.4, dst 4.2.2.2
*Feb 28 12:56:23.544: NAT: Dns type of Query
*Feb 28 12:56:23.544:   : dns len=20, id=38, aa=0, tc=0, rd=1, ra=0
*Feb 28 12:56:23.544:   : opcode=0, rcode=0, qdcount=1
*Feb 28 12:56:23.544:   : ancount=0, nscount=0, arcount=0
*Feb 28 12:56:23.544: NAT (UDP-DNS): After Translation
*Feb 28 12:56:23.544: NAT: Translation of UDP DNS src 192.168.2.4, dst 4.2.2.2
*Feb 28 12:56:23.544: NAT: Dns type of Query
*Feb 28 12:56:23.544:   : dns len=20, id=38, aa=0, tc=0, rd=1, ra=0
*Feb 28 12:56:23.544:   : opcode=0, rcode=0, qdcount=1
*Feb 28 12:56:23.544:    : ancount=0, nscount=0, arcount=0
*Feb 28 12:56:23.544: NAT: s=192.168.2.4->*.*.*.*, d=4.2.2.2 [0]
*Feb 28 12:56:23.556: NAT: o: udp (4.2.2.2, 53) -> (*.*.*.*, 64542) [1435]
*Feb 28 12:56:23.556: NAT (UDP-DNS): Before Translation
*Feb 28 12:56:23.556: NAT: Translation of UDP DNS src 4.2.2.2, dst *.*.*.*
*Feb 28 12:56:23.556: NAT: Dns type of Response
*Feb 28 12:56:23.556:   : dns len=116, id=38, aa=0, tc=0, rd=1, ra=1
*Feb 28 12:56:23.556:   : opcode=0, rcode=0, qdcount=1
*Feb 28 12:56:23.556:  : ancount=6, nscount=0, arcount=0
*Feb 28 12:56:23.556:     query name is www.google.com, qtype=1,
*Feb 28 12:56:23.556: Answer section:
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.99
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.106
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.103
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.147
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.105
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.104
*Feb 28 12:56:23.556: Authority section:
*Feb 28 12:56:23.556: Additional record section:
*Feb 28 12:56:23.556: NAT (UDP-DNS): After Translation
*Feb 28 12:56:23.556: NAT: Translation of UDP DNS src 4.2.2.2, dst *.*.*.*
*Feb 28 12:56:23.556: NAT: Dns type of Response
*Feb 28 12:56:23.556:   : dns len=116, id=38, aa=0, tc=0, rd=1, ra=1
*Feb 28 12:56:23.556:   : opcode=0, rcode=0, qdcount=1
*Feb 28 12:56:23.556:   : ancount=6, nscount=0, arcount=0
*Feb 28 12:56:23.556:     query name is www.google.com, qtype=1,
*Feb 28 12:56:23.556: Answer section:
*Feb 28 12:56:23.556:   Name='www.google.com'
*Feb 28 12:56:23.556:   RR type=1,, ttl=230, data length=4
*Feb 28 12:56:23.556:     IP=74.125.26.99
------------------------------------------------------------------------------------------------------------

arvind_data
Level 1

Use this configuration, it will work:

===========

R1#sh run
Building configuration...

Current configuration : 814 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 4.2.2.10
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.253 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat pool inside 192.168.0.0 192.168.0.253 netmask 255.255.255.0
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
access-list 100 permit udp any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end


R1#
R1# ping
Protocol [ip]:
Target IP address: 4.2.2.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.253
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.253
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/14 ms

R1#

I can ping the IP but I am not able to ping the domain.

Your access-list wildcard bits are wrong:

no access-list 100 permit ip 192.168.0.0 0.0.255.255 any

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 100 permit ip any any

access-list 100 permit udp any any

Jawad

Check that the default route's next hop is a valid hop:

ip route 0.0.0.0 0.0.0.0 interface gigabit 0/0

*** Do Rate Helpful Posts***

Jawad

My router is a 7201 series.

When I configure ip route 0.0.0.0 0.0.0.0 interface gigabit 0/0

I was not able to type the word "interface",

only ip route 0.0.0.0 0.0.0.0 gigabit 0/0

After this,

it was getting worse,

pinging the IP (4.2.2.2) was not working.

ip route 0.0.0.0 0.0.0.0 interface gigabit 0/0

The point is that I need both 192.168.2.0/24 and 192.168.3.0/24 for failover.

For simplicity, I didn't post the full diagram.

Hello,

It looks like you have enabled two kinds of NAT, so the NAT order is different depending on which one you are using.

I have never used both at the same time, so I cannot comment on the effects; I would suggest using one or the other but not both.

Your NAT pool is specifying non-routable IP addresses; the pool should be public IP addressing so NAT can translate into it from your LAN subnet specified by your ACL. In any case, you haven't specified the pool in the final NAT translation command.

Also, your ACL has contradicting ACE statements.

Try this:

int gig0/0

ip nat outside

no ip nat enable

int gig0/1

ip nat inside

no ip nat enable

no access-list 100

access-list 1 permit 192.168.0.0 0.0.255.255

ip nat inside source list 1 interface gig0/0 overload

Regards,

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks,

but it is not working either.

How are you pinging DNS from your Gig 0/1? Another thing: this is not at the client side, meaning the inside LAN users.

Jawad

Post your recent config

Jawad

ip route 0.0.0.0 0.0.0.0 X.X.X.X

.....

ip nat pool mypool X.X.X.X X.X.X.X netmask 255.255.255.252

ip nat inside source list 1 pool mypool overload

access-list 1 permit 192.168.2.0 0.0.0.255

.....

It is working now.

Thank you so much for the help.

It can work even though I did NOT configure this:

---------------------------

int gig0/0

ip nat outside

no ip nat enable

int gig0/1

ip nat inside

no ip nat enable

-------------------------------------

Thank you anyway,
