09-14-2012 11:21 AM - edited 03-04-2019 05:34 PM
I recently replaced my MS ISA server with a Cisco 2921 as my gateway/firewall. I have it working fine with a single internet connection; DNS et al. are set up in NAT and work great. I also have a secondary internet connection that I now want to set up. I set it up on the GigabitEthernet0/2 interface, and the first thing I attempted was to NAT DNS requests across it so it can be set up as a backup for DNS queries, but DNS queries to that IP from outside are failing.
What additional configuration do I need to make this work?
Here is some selected info from my config (with IP addresses changed):
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address 100.100.100.100 255.255.255.0
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
media-type rj45
crypto map SDM_CMAP_2
!
interface GigabitEthernet0/2
description $FW_OUTSIDE$$ETH-WAN$
ip address 200.200.200.200 255.255.255.248
ip nbar protocol-discovery
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.1.30 53 200.200.200.200 53 route-map USR_RMAT_NAT extendable
ip nat inside source static udp 10.10.1.30 53 200.200.200.200 53 route-map USR_RMAT_NAT extendable
ip nat inside source static tcp 10.10.1.30 53 100.100.100.100 53 route-map USR_RMAT_NAT extendable
ip nat inside source static udp 10.10.1.30 53 100.100.100.100 53 route-map USR_RMAT_NAT extendable
If I do an nslookup from outside to 100.100.100.100 the query works fine; if I do it to 200.200.200.200 it does not. What do I have wrong?
09-14-2012 01:32 PM
I also have the Cisco 2921 and 2951. Both are set up with a pair of connections to the internet. These routers are my gateways to the internet at 2 different locations. In my setup, the 2 router ports only work one at a time: when the port to ISP1 is up, the port to ISP2 is dead. I have the following rules so that when track 101 is down, the backup is used.
ip route 0.0.0.0 0.0.0.0 100.100.100.100 track 101
ip route 0.0.0.0 0.0.0.0 200.200.200.200 20
The trick is: when track 101 comes back, how do you test it without using port 1, because port 1 is dead!
OR
ip route 0.0.0.0 0.0.0.0 100.100.100.100 10
ip route 0.0.0.0 0.0.0.0 200.200.200.200 20
Now port 2 will default to being the backup of port 1, without tracking.
Neither of these rules will help you use your 2 ISPs at the same time, though. I am testing with the command:
ping ip 8.8.8.8 source F0/0/0 (or F0/0/1) - Does this work for you?
I am visiting this community just now to see if anyone has a way to use both ports at the same time.
09-17-2012 05:38 AM
Thank you for your response. I will put a backup route in for port 2; as you say, it isn't exactly what I'm looking for, but it is closer. Do I need to do anything with NAT for that to work as a backup?
As to the pings, I am able to ping successfully from both ports.
09-17-2012 07:48 AM
I am not Cisco trained.
Great that you can ping through both outside ports. Your configuration is not killing that second ISP port.
My NAT port-forwarding command is different from yours.
(ip nat inside source static tcp 192.168.1.13 6600 interface FastEthernet0/0/0 6600) Then I have a route-map (natmap) that checks the access list (111). This might be the configuration change you need. I cannot test dual live ports yet.
I can tell you what my configuration is.
interface GigabitEthernet0/0: ip nat inside
interface FastEthernet0/0/0: ip nat outside
interface FastEthernet0/0/1: ip nat outside
ip nat pool NATinside 192.168.1.1 192.168.1.254 netmask 255.255.255.0
ip nat inside source static udp 192.168.1.13 5060 interface FastEthernet0/0/0 5060 -Port forward
ip nat inside source static tcp 192.168.1.13 6600 interface FastEthernet0/0/0 6600 -Port forward
ip nat inside source route-map natmap interface FastEthernet0/0/0 overload
ip nat inside source route-map natmap2 interface FastEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 100.100.100.100 track 101
ip route 0.0.0.0 0.0.0.0 200.200.200.200 20
ip access-list standard NATinside
permit 192.168.1.0 0.0.0.255
access-list 111 deny udp any host 192.168.1.13 range 5060 5066
access-list 111 deny tcp any host 192.168.1.13 eq 6600
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
route-map natmap permit 10
match ip address 111
match interface FastEthernet0/0/0
!
route-map natmap2 permit 10
match ip address 199
match interface FastEthernet0/0/1
I hope a Cisco-trained person will answer here. One thing I am concerned about is that I cannot find a gateway statement in my configuration, but with 'show ip route' I get 'Gateway of last resort is 100.100.100.100 to network 0.0.0.0'.
Is this why my second port F0/0/1 is dead?
I can see others can use Policy Based Routing (PBR), like they have multiple usable ports out.
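The fragment below is an added example, not the original poster's or the replying member's configuration. It puts the pieces both posts touch on into one place: `ip nat outside` on both WAN interfaces (the GigabitEthernet0/2 stanza quoted in the first post has no `ip nat outside`, so no translation can happen there at all), one NAT route-map per ISP keyed on the egress interface, the same inside DNS server published on both public addresses, and an IP SLA probe that is pinned to ISP1 by a host route, which answers the "how do you test port 1 while the default route is on port 2" question. The ISP next-hop addresses 100.100.100.1 and 200.200.200.201, the probe target 198.51.100.1, the inside LAN 10.10.1.0/24 and the route-map and ACL names are assumptions made for the example.

```cisco
! Added example, not the thread's own configuration. Assumed values:
!   ISP1 gateway 100.100.100.1, ISP2 gateway 200.200.200.201,
!   probe target 198.51.100.1, inside LAN 10.10.1.0/24, DNS server 10.10.1.30
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP1
 ip address 100.100.100.100 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP2
 ip address 200.200.200.200 255.255.255.248
 ip nat outside
!
! Inside hosts allowed to be translated; shared by both ISP route-maps
ip access-list standard LAN_NAT
 permit 10.10.1.0 0.0.0.255
!
! One NAT route-map per ISP: the interface a packet is routed out of
! decides which public address it is translated to
route-map NAT_ISP1 permit 10
 match ip address LAN_NAT
 match interface GigabitEthernet0/1
!
route-map NAT_ISP2 permit 10
 match ip address LAN_NAT
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/2 overload
!
! Publish the DNS server on both public addresses; the route-map on each
! static entry ties it to the ISP interface it belongs to
ip nat inside source static udp 10.10.1.30 53 100.100.100.100 53 route-map NAT_ISP1 extendable
ip nat inside source static tcp 10.10.1.30 53 100.100.100.100 53 route-map NAT_ISP1 extendable
ip nat inside source static udp 10.10.1.30 53 200.200.200.200 53 route-map NAT_ISP2 extendable
ip nat inside source static tcp 10.10.1.30 53 200.200.200.200 53 route-map NAT_ISP2 extendable
!
! Probe ISP1 through Gi0/1 only. The host route pins the probe target to
! ISP1, so the probe keeps testing port 1 even after the default route has
! failed over to ISP2; pick a target you do not mind being unreachable
! for users while ISP1 is down.
ip route 198.51.100.1 255.255.255.255 100.100.100.1
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 101 ip sla 1 reachability
 delay down 30 up 60
!
! Primary default via ISP1 while the track is up; floating static via ISP2 otherwise
ip route 0.0.0.0 0.0.0.0 100.100.100.1 track 101
ip route 0.0.0.0 0.0.0.0 200.200.200.201 20
```

Two things to check after applying something like this. First, `show ip route` reporting "Gateway of last resort is ... to network 0.0.0.0" is simply how IOS displays whichever 0.0.0.0/0 route is currently active; it is not a separate gateway statement, and `show track 101` and `show ip sla statistics 1` show why that route is the active one. Second, this fragment does not by itself make inbound queries on ISP2 work while ISP1 is the active default: for inside-to-outside traffic IOS does the routing lookup before NAT, so the DNS server's reply to a query that arrived on 200.200.200.200 is still sent out GigabitEthernet0/1, and many ISPs drop packets sourced from address space they did not assign. `show ip nat translations` (and, briefly, `debug ip nat`) will show whether the translation for 200.200.200.200 is being created while the reply leaves the wrong interface, which is the symptom the first post describes and the reason the replying member sees only one port working at a time.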