1400 Views, 15 Helpful, 10 Replies
chuang123
Beginner

Router can't resolve DNS after enabling IOS firewall

hi all,

my 1841 router can't resolve DNS after enabling the IOS firewall. I try to ping google.com from the router's console and it fails, but DNS resolution is fine from the LAN side.

what could be the cause?

my partial config:

!
ip name-server 8.8.8.8
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall ftp
ip inspect name myfirewall icmp
ip inspect name myfirewall bootpc
ip inspect name myfirewall bootps
ip inspect name myfirewall dns
!
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip access-group 103 in
 ip nat outside
 ip inspect myfirewall out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.2.1.0 0.0.0.255
access-list 101 permit udp any any eq bootpc
access-list 102 permit ip 10.2.1.0 0.0.0.255 any
access-list 102 permit ip host 172.16.1.2 any
access-list 103 permit tcp any any eq telnet
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq ftp
access-list 103 permit icmp any any
access-list 103 deny ip any any
!

10 REPLIES
cadet alain
Advisor

Hi,

if your IOS supports this command, you can do this:

ip inspect name myfirewall dns router-traffic

otherwise you'll have to permit DNS replies in your ACL 103.

Regards

Alain

Don't forget to rate helpful posts.

hi,

my IOS is:

(C1841-ADVENTERPRISEK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)

it seems it doesn't support this command: router-traffic

do you know which version supports this command? I'd appreciate your help.

btw, if I permit DNS in ACL 103, will this be a potential DNS attack? I used to be blacklisted by my ISP because they indicated that my IP was flooding DNS packets in their network.

Hi,

this feature appeared in 12.3(T), so it should be OK for you. Can you try it in your ip inspect myfirewall udp statement?

There is also another way of achieving this: http://blog.ine.com/tag/pbr/

Regards

Alain

Don't forget to rate helpful posts.

thanks Alain!!

I have confirmed both solutions work perfectly!! thanks for solving my issue!!

Aref Alsouqi
VIP Rising star

Did you try to ping sourcing from the router's inside int?

Sent from Cisco Technical Support iPhone App

hi, you cannot specify a source from the LAN interface when pinging a domain name. (I just tested; it only works with an IP)

for example:

ping 8.8.8.8 source 10.2.1.1 <--- this is ok

ping yahoo.com source  <---- this subcommand source will not work

Aref Alsouqi
VIP Rising star

So are you able to ping 8.8.8.8 from the router's outside int? Or do you have the same issue with a domain name?

Sent from Cisco Technical Support iPhone App

Hi,

The problem was that CBAC wasn't inspecting traffic generated by the router, so there are 3 solutions:

1) use the router-traffic keyword in the ip inspect command

2) trick the router to make it see this traffic as transit traffic by using local PBR

3) add a permit statement for the return traffic in the ACL applied inbound on the WAN interface

Regards

Alain

Don't forget to rate helpful posts.
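As an added illustration (not configuration posted by anyone in this thread), here is what solutions 1 and 3 above look like applied to the original poster's config. It keeps the poster's names and addresses (myfirewall, FastEthernet0/0, 172.16.1.2, name-server 8.8.8.8); the new ACL number 104 is my choice, used so that the interface is never left without a filter while the list is rebuilt. The router-traffic keyword is the one the thread says appeared in 12.3(T); the local-PBR variant (solution 2) is not shown here because its exact construct is in the linked INE post, not in this thread.

```cisco
! --- Solution 1: let CBAC inspect the router's own UDP (DNS) sessions ---
! Replaces the existing "ip inspect name myfirewall udp" line. The reply
! from 8.8.8.8 is then matched to a dynamic session and CBAC opens the
! return hole in the inbound ACL on Fa0/0 itself.
ip inspect name myfirewall udp router-traffic
!
! --- Solution 3: static permit for the DNS return traffic instead ---
! IOS appends new lines of a numbered ACL after the existing
! "deny ip any any", so a fresh list (104, hypothetical number) is built
! and swapped in. The permit is scoped to UDP/53 replies from the
! configured name-server to the router's own WAN address; a broad
! "permit udp any any eq domain" would also admit unsolicited DNS traffic
! from anywhere, which is the exposure the poster was worried about.
access-list 104 permit udp host 8.8.8.8 eq domain host 172.16.1.2
access-list 104 permit tcp any any eq telnet
access-list 104 permit tcp any any eq 22
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq ftp
access-list 104 permit icmp any any
access-list 104 deny ip any any
!
interface FastEthernet0/0
 ip access-group 104 in
!
! --- Verification from the console ---
! With solution 1 a dynamic udp session 172.16.1.2 -> 8.8.8.8:53 should
! show up while the lookup is in flight; with solution 3 the hit counter
! on the first line of ACL 104 should increase.
ping google.com
show ip inspect sessions
show access-lists 104
```

Whichever variant is used, the point to check afterwards is that the inbound list on the WAN interface still ends in an explicit deny and that the only new return path is the narrow one (the configured resolver to the router's own address), rather than DNS from any source to any destination.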

Great answers Alain. Thank you man.

paul driver
VIP Mentor

@alain
I have rated this, mate. Nice to know this little gem. Are you able to clarify if this router-traffic command is basically a control-plane function for CBAC?

res
paul

Sent from Cisco Technical Support Android App

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future