DNS server behind NAT router is inaccesible

marelecnv
Level 1

Dear,

We have an 837 ADSL router, but are unable to make our DNS server accessible from the outside.

We have the following static NAT entry:

ip nat inside source static udp 192.168.0.253 53 213.49.131.61 53 extendable

All queries reach our server as expected, but the answer does not get back. (If our DNS server and the PC sending the query both use a port other than 53, and we change the NAT entry to map port 53 to another local port, it works OK.)

Full configuration in attachment?

Can anyone please help me out?

Is there a special command to allow DNS replies to pass to the router?

5 Replies

attrgautam
Level 5

Without a look at your config, did you try giving TCP 53 translation as well?

Yes,

both UDP and TCP port 53 are translated (and port 53 TCP works fine, 53 UDP does not).

ip nat inside source static tcp 192.168.0.253 53 213.49.131.61 53 extendable

ip nat inside source static udp 192.168.0.253 53 213.49.131.61 53 extendable

I've done some more investigation, and I found out that the query is NAT-ed correctly, but the answer is not NAT-ed.

So the source address of the answer remains 192.168.0.253, and is then blocked by the following lines in the access-list:

access-list 112 permit ip host 213.49.131.61 any

access-list 112 deny ip any any

(This was discovered by enabling logging for this last line.)

Any ideas why data from UDP port 53 or to UDP port 53 is not NAT-ed?

Hello,

You actually only need UDP port 53 for DNS to be translated. Does this work when you take the access list off the interface altogether? If the access list is a requirement, try and change it to:

access-list 112 permit ip host 213.49.131.61 any

access-list 112 permit ip any host 213.49.131.61

access-list 112 deny ip any any

Regards,

GNT

I've changed the access-list to

access-list 112 permit ip any any

but it still doesn't work. (As I expected, since packets with a source address of 192.168.0.253 are unroutable through the internet, as this is a reserved address.)

The problem is with the NAT. Why are the DNS responses not NAT-ed?

Problem solved

There has to be a 1-1 NAT rule in the configuration:

ip nat inside source static 192.168.0.253 213.49.131.61

Only forwarding port 53 UDP and TCP doesn't work.

AND

The DNS server must be configured to supply A records with the local IP address, not the global IP address; otherwise the DNS response does not pass through the router!!! (Surprise, surprise.) The router translates the IP addresses inside the DNS responses.

It took a long time to find this out, but now everything works OK.
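As an added illustration of the behaviour the last post describes (this is not code from the thread or from Cisco IOS), the Python below models how a NAT DNS ALG rewrites the A-record RDATA in a response from the inside local address to the inside global address. The DNS message is a constructed sample, and all function names are assumptions made for the example.

```python
import struct
import ipaddress

INSIDE_LOCAL = "192.168.0.253"   # inside local address of the DNS server (from the thread)
INSIDE_GLOBAL = "213.49.131.61"  # inside global address on the router (from the thread)

def build_dns_response(name, a_addr, txid=0x1234):
    """Constructed sample: a minimal DNS response with one question and one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(a_addr).packed
    return header + question + answer

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def _answer_offsets(msg):
    """Yield (rtype, rdata_offset, rdlength) for each RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)  # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        yield rtype, off, rdlen
        off += rdlen

def nat_dns_alg(msg, inside_local=INSIDE_LOCAL, inside_global=INSIDE_GLOBAL):
    """Model of the DNS ALG: A-record RDATA equal to the inside local address becomes the inside global address."""
    out = bytearray(msg)
    local, glob = ipaddress.IPv4Address(inside_local).packed, ipaddress.IPv4Address(inside_global).packed
    for rtype, off, rdlen in _answer_offsets(msg):
        if rtype == 1 and rdlen == 4 and msg[off:off + 4] == local:
            out[off:off + 4] = glob  # same length, so offsets and the UDP payload size are unchanged
    return bytes(out)

def answer_a_records(msg):
    """Return the A-record addresses in the answer section as dotted strings."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for rtype, off, rdlen in _answer_offsets(msg) if rtype == 1 and rdlen == 4]
```

Querying the server from outside and checking that the returned A record is the public address is the quickest way to confirm the translation is happening.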
