DNS query fails behind NAT-Router (ISR 4321)

callen15 · ‎01-26-2022

Hello, After successfully getting our 161 VLAN (192.168.10.1/24) to NAT to VLAN 20 (10.4.20.253), I'm having issues with DNS resolution. I've been able to ping external IP addresses such as those in our production network and externally ex..(8.8.8.8).

I performed a packet capture on the switch that's connecting the 10.4.20.253 interface and was able to determine that DNS Queries are being sent out and returned to the 10.4.20.253 interface but for whatever reason, the 192 hosts aren't getting the reply.

Attached below is my ISR4321 startup-config. Any help is greatly appreciated.

Flavio Miranda · ‎01-26-2022

Hi

Try to use a different IP address for NAT. It is not good to use the Interface Ip address as the NAT IP address.

interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address 10.4.20.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!

ip nat pool NAT_POOL 10.4.20.253 10.4.20.253 netmask 255.255.255.0

callen15 · ‎01-26-2022

That appears to have fixed the DNS issue. But it looks like it's working intermittently. Also, I'm trying to give my managed switch an IP from the g0/0/0.2 interface. It's not wanting to obtain an address though.

Georg Pauwen · ‎01-26-2022

Hello,

your access list 1 does not look right:

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.4.1.0 0.0.0.255
access-list 1 permit 10.4.20.0 0.0.0.255

It includes Vlan 2, but no 'ip nat inside' is configured on that subinterface.

interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2 native
ip address 10.4.1.49 255.255.255.0

It also includes the outside NAT subnet, which does not make any sense.

Which subnets do you want to have translated ?

callen15 · ‎01-26-2022

I'm trying to get the 192.168.10.0/24 subnet translated to 10.4.20.253. (Is working as of now)

VLAN 2 (10.4.1.0/24) is the native that trunks the VLANS and I'm attempting to give the switch a management IP from that pool via DHCP.

Georg Pauwen · ‎01-26-2022

Hello,

understood. Change your access list to contain just this one line:

access-list 1 permit 192.168.10.0 0.0.0.255

callen15 · ‎01-26-2022

Ok, went ahead and made this changes and everything's working correctly with the exception of my switch obtaining an IP from VLAN 2. Any idea on what changes need to be made?

Georg Pauwen · ‎01-26-2022

Hello,

I am not sure I understand what you mean:

--> with the exception of my switch obtaining an IP from VLAN 2

Your Vlan 2 interface currently looks like this:

interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2 native
ip address 10.4.1.49 255.255.255.0

What is not working ?

callen15 · ‎01-26-2022

I'm sorry, I should have been more clear.

G0/0/0.2 is connected to my SW 2 trunk port. G0/0/1.2 is connected to my SW 3 trunk port. I'm trying to give SW3 an IP from 10.4.1.0/24

Georg Pauwen · ‎01-26-2022

Hello,

what IP address does the switch have now ? And what is configured as the default gateway on switch 3 ?

callen15 · ‎01-26-2022

SW3 has no management IP at the moment. SW2 has a management IP of 10.4.1.104. DHCP is configured to give out leases/default gateway info on VLAN2 (10.4.1.0/24) range.