12-10-2012 08:02 PM - edited 03-07-2019 10:31 AM
Hi Guys,
I have a Cisco 2851 router as the edge router, a 3750G and a 3560G switch, and have configured inter-VLAN routing with four VLANs. Also connected to the switches are four servers, one of which has Active Directory and a DNS server.
I am able to ping all the servers fine from different VLANs, and the servers are able to ping the edge router. The problem I am having is with DNS. On the edge router I have configured the ISP's DNS server addresses with ip name-server, and I am able to reach the outside world.
The problem I'm having is that the servers are not able to reach the outside. Do I need to do something on the edge router to forward it to the 3750G, or do I have to add my ISP's DNS servers on the 3750G with ip name-server?
any help would be great
thanks,
12-10-2012 08:31 PM
Configuring the DNS services in a router or switch is only local to that device. It does not forward or proxy DNS requests. Here is what most organizations do: on the server that handles internal DNS for your clients, add your ISP's DNS records as 'forwarders'. In your DHCP scope you should have your internal DNS server(s) as the DNS server. When a user queries a name local to your network, your DNS will resolve it and send it back to the client. When a client asks for a name that is outside of your network, your internal DNS server will ask the ISP's DNS server on behalf of your client. I hope that makes sense!
12-10-2012 08:34 PM
Hi,
Do you have NAT enabled on the edge router?
Kindly post a network diagram and show run of your devices (hide sensitive info).
Sent from Cisco Technical Support iPhone App
12-10-2012 09:46 PM
Thanks for the quick reply guys,
I have pasted the running config below and removed private info.
Collin, what you suggested is the same setup that is in place; I have added the ISP DNS details on the internal DNS servers as forwarders.
Please let me know if there is anything wrong with the running config.
thanks,
R1#sh running-config
Building configuration...
Current configuration : 4703 bytes
!
! Last configuration change at 06:32:01 UTC Tue Dec 11 2012 by XXXXXXXXXXX
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name yourdomain.com
ip name-server X.X.X.X
ip name-server X.X.X.X
no ipv6 cef
!
multilink bundle-name authenticated
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address X.X.X.X 255.255.255.0
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXX@XXXXX.XXXXX.net
ppp chap password 0 XXXXXX
ppp pap sent-username XXXXX@XXXXXX.XXXXXXX.net password 0 XXXXX
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.10.10.2
ip route 172.XX.20.0 255.255.255.0 10.10.10.2
ip route 172.XX.30.0 255.255.255.0 10.10.10.2
ip route 192.XX.1.0 255.255.255.0 10.10.10.2
!
access-list 1 permit 10.10.10.0 0.0.0.3
!
!
control-plane
!
!
mgcp profile default
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
12-10-2012 10:04 PM
Could you re-configure ACL 1 to permit 10.10.10.0 0.0.0.255? Aside from that, I don't see any problem with your router config.
Is there a firewall somewhere in your LAN environment? How about posting or describing your network topology, switch configs and an ipconfig /all output from one of your servers?
12-10-2012 11:46 PM
You need to add the subnet(s) in which the internal servers reside to the NAT ACL.
As it's configured, only addresses in the /30 will be NATed to the Dialer0 interface.
For example, if the servers reside in the 172.32.16.0/24 subnet, add:
access-list 1 permit 172.32.16.0 0.0.0.255
Sent from Cisco Technical Support iPhone App
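To make the last reply concrete, here is an added example (written for this thread, not code from the original posts or from Cisco) that evaluates IOS standard-ACL wildcard matching the way `ip nat inside source list 1 interface Dialer0 overload` does: first matching entry wins and anything unmatched hits the implicit deny, so it leaves the router untranslated. It compares the OP's original ACL 1, the 0.0.0.255 variant suggested two replies up, and the corrected ACL with the 172.32.16.0/24 entry. The server subnet 172.32.16.0/24 is the hypothetical one used in the reply; the sample source addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed inputs modelled on the thread. ORIGINAL_ACL is the OP's access-list 1,
# FIRST_REPLY_ACL is the /24 widening suggested in an earlier reply, FIXED_ACL adds the
# (hypothetical) server subnet 172.32.16.0/24 from the last reply.
ORIGINAL_ACL = ["access-list 1 permit 10.10.10.0 0.0.0.3"]
FIRST_REPLY_ACL = ["access-list 1 permit 10.10.10.0 0.0.0.255"]
FIXED_ACL = [
    "access-list 1 permit 10.10.10.0 0.0.0.3",
    "access-list 1 permit 172.32.16.0 0.0.0.255",
]


def parse_standard_acl(lines):
    """Parse IOS standard ACL lines into ordered (action, address_int, wildcard_int) tuples.

    Accepts 'A.B.C.D W.W.W.W', a bare 'A.B.C.D' (wildcard defaults to 0.0.0.0, i.e. one host),
    'host A.B.C.D' and 'any'. Order is preserved because IOS evaluates entries first-match.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported standard ACL line: {line!r}")
        action, target = parts[2], parts[3]
        if target == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif target == "host":
            addr, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(target))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, addr, wild))
    return entries


def wildcard_match(src, addr, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = ~wild & 0xFFFFFFFF
    return (src & care) == (addr & care)


def is_translated(acl_lines, src_ip):
    """True if a NAT rule bound to this ACL would translate traffic sourced from src_ip.

    The first matching entry decides; with no match the implicit deny applies and the
    packet is forwarded out Dialer0 with its private source address, which is exactly
    why the OP's servers get no replies from the internet.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in parse_standard_acl(acl_lines):
        if wildcard_match(src, addr, wild):
            return action == "permit"
    return False


def nat_report(acl_lines, hosts):
    """Map each candidate inside address to whether the ACL lets NAT translate it."""
    return {host: is_translated(acl_lines, host) for host in hosts}


if __name__ == "__main__":
    # Constructed sample sources: the switch's /30 uplink address, a server in the
    # hypothetical 172.32.16.0/24 subnet, and a host in the 10.1.1.0/24 static-route subnet.
    sample_hosts = ["10.10.10.2", "172.32.16.5", "10.1.1.10"]
    for name, acl in (("original", ORIGINAL_ACL), ("first reply", FIRST_REPLY_ACL), ("fixed", FIXED_ACL)):
        print(f"{name:12s} {nat_report(acl, sample_hosts)}")
```

Running it shows that widening the /30 to 10.10.10.0/24 changes nothing for the server VLANs; only an entry covering each routed inside subnet (every network that has an `ip route ... 10.10.10.2` pointing at the switch) gets those hosts translated. On the router itself the same question is answered by `show access-lists 1`, whose per-entry match counters stay at zero for traffic the list never permitted, and by `show ip nat translations`, where untranslated server flows simply never appear. Two unrelated things in the pasted config are worth a look while editing it: the vty and HTTP `access-class 23` lines reference an access-list 23 that does not appear in the paste, and if it was not merely stripped with the private details then those access-classes restrict nothing; and with `transport input telnet ssh` plus `no service password-encryption`, the `login local` credentials can travel and be stored in clear text, so limiting the vty lines to `transport input ssh` and enabling `service password-encryption` costs nothing.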