Local DNS with NAT NVI Failing

bakersdozen1
Level 1

I'm having an issue with my Cisco 1921 router not forwarding DNS requests to our local DNS server. I recently set up NAT NVI and after doing so DNS is no longer being passed between the few VLANs that are in place.

The DNS server for this domain is located at 192.168.1.20 (VLAN1). Client machines on the 192.168.2.X (VLAN2) subnet are configured via DHCP to talk to this local DNS.

Currently all DNS requests are only working for machines that are within VLAN 1 (192.168.1.X). For a machine that is on a different VLAN, all DNS queries are failing.

I believe this is an issue with the current routing table but am not sure. My client machine on VLAN2 (IP 192.168.2.100) can successfully communicate (ping, SSH) with the DNS server, but local DNS queries are not making it across the router. I can configure a machine to use my ISP's DNS (68.105.28.11) and it can access the internet successfully, but any local hostname lookups fail.

I tried running some debugs on the router to track down the issue but was getting flooded with NAT NVI translations, making it fairly difficult to troubleshoot. I'm still trying to get smart on the debug features.


My current configuration is as follows:

Current configuration : 2044 bytes
!
! Last configuration change at 03:05:26 UTC Mon Apr 7 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1 
 dns-server 192.168.1.20 68.105.28.11 68.105.29.12 
 domain-name mydomain.com
!
!
!
ip name-server 192.168.1.20
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 11.22.33.215 255.255.255.240
 ip nat enable
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3 native
 ip address 192.168.3.1 255.255.255.0
 ip nat enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload

ip nat source static tcp 192.168.1.20 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.1.4 443 interface GigabitEthernet0/0 443 
ip nat source static tcp 192.168.1.25 80 interface GigabitEthernet0/0 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 11.22.33.209
!
access-list 1 permit 192.168.0.0 0.0.3.255
dialer-list 1 protocol ip permit


Any comments or tips in this matter would be greatly appreciated!


Hello

apply

ip domain-lookup

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I enabled ip domain-lookup and that did not seem to make any difference. I did some further investigation and VLAN1 is acting as a DMZ with the servers residing there. For all other VLANs, when you try to hit VLAN 1, it goes through Outside -> Inside port translation. I would like to have inter-VLAN communication maintain their private IPs if at all possible.

Using tcpdump on the DNS server (192.168.1.20) I am seeing ping requests from VLAN 2 being translated to the global IP address instead of the private 192.168.2.X. Sample tcpdump output:

ethertype IPv4 (0x0800), length 74: 11.22.33.215 > 192.168.1.20: ICMP echo request, id 1, seq 64, length 40
ethertype IPv4 (0x0800), length 74: 192.168.1.20 > 11.22.33.215: ICMP echo reply, id 1, seq 64, length 40


Here is the output from show ip route, if this helps with tracking this issue down:

Gateway of last resort is 11.22.33.209 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 11.22.33.209, GigabitEthernet0/0
      11.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        11.22.33.208/28 is directly connected, GigabitEthernet0/0
L        11.22.33.215/32 is directly connected, GigabitEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1.1
L        192.168.1.1/32 is directly connected, GigabitEthernet0/1.1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/1.2
L        192.168.2.1/32 is directly connected, GigabitEthernet0/1.2
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, GigabitEthernet0/1.3
L        192.168.3.1/32 is directly connected, GigabitEthernet0/1.3
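The tcpdump lines above are the key observation: with NVI, every interface in the posted configuration carries `ip nat enable`, so a packet that enters on Gi0/1.2 and leaves on Gi0/1.1 is a translation candidate just like one leaving on Gi0/0, and `access-list 1 permit 192.168.0.0 0.0.3.255` matches on source only, so VLAN 2 to VLAN 1 traffic is overloaded onto 11.22.33.215. Beyond breaking the DNS path, that also means the DMZ servers' logs and any source-based filtering on them see one public address for every internal client. The script below is an added example, not code from the thread or from Cisco: it parses the posted ACL and an alternative extended ACL (my suggestion, not the thread's) that exempts private-to-private traffic before permitting the rest, then reports the source address the destination host would observe for a few flows. The routing and NAT model is deliberately simplified (connected routes plus the default route, overload onto the Gi0/0 address as `ip nat source list 1 interface GigabitEthernet0/0 overload` does); `ACL_EXEMPT_INTERVLAN`, `source_seen_by_destination` and the sample flows are my own names and constructed inputs.

```python
import ipaddress
from dataclasses import dataclass

# Interfaces and addressing from the posted configuration. All four carry
# 'ip nat enable', so NVI treats any pair of them as a NAT boundary.
OUTSIDE_ADDRESS = "11.22.33.215"        # Gi0/0 address used for overload
INTERFACES = {
    "GigabitEthernet0/0":   ipaddress.IPv4Network("11.22.33.208/28"),
    "GigabitEthernet0/1.1": ipaddress.IPv4Network("192.168.1.0/24"),
    "GigabitEthernet0/1.2": ipaddress.IPv4Network("192.168.2.0/24"),
    "GigabitEthernet0/1.3": ipaddress.IPv4Network("192.168.3.0/24"),
}
NAT_ENABLED = set(INTERFACES)           # every interface in the posted config

# The list referenced by 'ip nat source list 1 ... overload' in the thread.
ACL_POSTED = "access-list 1 permit 192.168.0.0 0.0.3.255"

# Added suggestion (not from the thread): deny private-to-private first so
# inter-VLAN flows keep their real source, then permit Internet-bound flows.
ACL_EXEMPT_INTERVLAN = """
access-list 100 deny   ip 192.168.0.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 100 permit ip 192.168.0.0 0.0.3.255 any
"""


@dataclass
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.3.255 -> /22."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _take_addr(tok, i):
    """Consume one address spec: 'any', 'host X', 'X WILDCARD' or bare 'X'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    if i + 1 >= len(tok):
        return ipaddress.IPv4Network(tok[i] + "/32"), i + 1
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse numbered standard and extended 'ip' access-list lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, i = tok[2], 3
        if tok[i] == "ip":                  # extended: source and destination
            src, i = _take_addr(tok, i + 1)
            dst, i = _take_addr(tok, i)
        else:                               # standard: source only
            src, i = _take_addr(tok, i)
            dst = ipaddress.IPv4Network("0.0.0.0/0")
        entries.append(AclEntry(action, src, dst))
    return entries


def egress_interface(ip: str) -> str:
    """Connected route if one matches, otherwise the default route via Gi0/0."""
    a = ipaddress.IPv4Address(ip)
    for name, net in INTERFACES.items():
        if a in net:
            return name
    return "GigabitEthernet0/0"


def acl_permits(acl, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def source_seen_by_destination(acl_text: str, src_ip: str, dst_ip: str) -> str:
    """Source address the destination host observes for this flow.

    NVI translates when both ingress and egress interfaces are NAT-enabled
    and the NAT ACL permits the packet; a permit overloads the source onto
    the Gi0/0 address, which is what the thread's tcpdump shows.
    """
    ingress, egress = egress_interface(src_ip), egress_interface(dst_ip)
    if ingress in NAT_ENABLED and egress in NAT_ENABLED and \
            acl_permits(parse_acl(acl_text), src_ip, dst_ip):
        return OUTSIDE_ADDRESS
    return src_ip


if __name__ == "__main__":
    # Constructed sample flows: VLAN 2 client to the DNS server, and to the ISP DNS.
    for label, acl in (("posted", ACL_POSTED), ("exempt", ACL_EXEMPT_INTERVLAN)):
        for src, dst in (("192.168.2.100", "192.168.1.20"),
                         ("192.168.2.100", "68.105.28.11")):
            print(f"{label:6} {src} -> {dst}: destination sees "
                  f"{source_seen_by_destination(acl, src, dst)}")
```

With the posted list, the VLAN 2 client reaches the DNS server as 11.22.33.215; with the extended list it arrives as 192.168.2.100 while traffic to 68.105.28.11 is still overloaded. On the router the extended list would be attached with `ip nat source list 100 interface GigabitEthernet0/0 overload` in place of the `list 1` statement; whether that alone restores the UDP/53 path on this particular box is something to confirm with tcpdump on the server, as the thread does, rather than assume.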
