FQDN not working internally

Hi everyone,


Okay, to start, this is most likely a security feature of Cisco or any other enterprise-grade router.

(We can potentially do this via our internal DNS server, but we won't, because we host a cPanel server and adding and removing all the zones on our internal DNS is something that we didn't have to do previously, so this is out of the question for my manager.)

So the scenario:

Before our company had a Cisco 2901 they had a Billion... something. If they wanted to look up a server via its public FQDN, it would resolve.

I.e., on my computer in the LAN, if I were to ping server1.ourdomain.com it would look up, and if I were to look up server1.ourdomain.local it would look up.

Now, since the implementation of the Cisco, server1.ourdomain.com cannot be looked up within the LAN, only externally.

I understand this is a feature designed to prevent a loop and spoofing attacks, but I have been instructed to turn it off. Ideas?

I can get the Cisco config, but it will not help because it is enabled by default on all Cisco routers. I confirmed this at home last night and at another client's.

Any help would be greatly appreciated. Check my picture if you don't get the scenario.

3 REPLIES
Here's the config if it helps (public IPs removed).

!
! Last configuration change at 17:03:00 UTC Wed Sep 19 2012 by empowerit
! NVRAM config last updated at 17:04:38 UTC Wed Sep 19 2012 by empowerit
! NVRAM config last updated at 17:04:38 UTC Wed Sep 19 2012 by empowerit
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname eits-gw
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login userauthen local
aaa authorization network eitsgroup local
!
!
!
!
!
aaa session-id common
!
clock timezone UTC 10 0
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name mycompanydomain.com.au
ip name-server
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
login block-for 300 attempts 3 within 600
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3646940247
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3646940247
revocation-check none
rsakeypair TP-self-signed-3646940247
!
!
crypto pki certificate chain TP-self-signed-3646940247
certificate self-signed 01
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363436 39343032 3437301E 170D3131 31313232 30383039
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343639
  34303234 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B506 96621D97 8D2DA91E C39D1D8F 264E6174 FF46259C 9231F3E9 5BF3606A
  3FACC6A1 795EDA2E AC09B95A FAA995F6 B21C5DA6 54A4F559 C0B415DC C50084EC
  41DBABD7 63ECE42A 5F782D9B 94BC6902 47B5EE6C 3ABED06E BA1A5C91 D7401A65
  3EB7FA55 013E2ABC 3DE6EB65 986B83ED BB2C24E8 F350334E CA1ED250 C64BEEB1
  CEA50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 147283A3 13C45B47 9B30C813 72D30EEA D5C464FD 1B301D06
  03551D0E 04160414 7283A313 C45B479B 30C81372 D30EEAD5 C464FD1B 300D0609
  2A864886 F70D0101 05050003 81810086 A1BC0ED8 4CEEEC50 DB3C0BAE 00740586
  A950A143 A16DF779 E97B949C 3D5C16AB 20E11785 CEE38F0F F2F9BE4C AE2EB47F
  B6B55711 8FE6F92A A30E111F 95E32F0F DA568293 056C7B13 BC98C19F C7B209DB
  C0D0B94D 372A0EB1 DE799D7D 2344EC08 90DEEAC6 8783E71D FCEAC28C E396F06A
  9ED948C2 44AFC806 7B573244 47F15B
            quit
license udi pid CISCO2901/K9 sn
!
!
username eitsvpn password 7 xxxx
username empowerit secret 5 xxx
!
redundancy
!
!
!
!
!
class-map match-any cm-iptel-out
match access-group name al-iptel-out
match protocol rtp audio
class-map match-any cm-management-out
match access-group name al-rdp-out
match protocol telnet
!
!
policy-map pm-qos-eits-exetel-out
description QoS policy map for exetel service
class cm-iptel-out
  priority 15
class cm-management-out
  bandwidth percent 15
class class-default
  fair-queue
  random-detect
policy-map pm-qos-eits-exetel-shaping-out
description QoS policy map for shaped exetel service
class class-default
  shape average 17000000 170000
  service-policy pm-qos-eits-exetel-out
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 4
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address xxxx
crypto isakmp key xxxx address xxxx no-xauth
!
!
crypto ipsec transform-set superset esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set eitsvpn esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set myset2 ah-md5-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set superset-sps esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile supprofile
set transform-set superset
!
crypto ipsec profile uap-profile
set transform-set superset
!
!
crypto map ivolve-vpn 10 ipsec-isakmp
set peer xxxx
set transform-set 3DES-MD5
set pfs group5
match address intervolve-traffic
!
!
!
!
!
interface Loopback100
description 3CX Public IP
ip address xxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback110
description DRAYTEKWAPGUEST
ip address 2xxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback154
no ip address
!
interface Loopback201
description UAP Public IP
ip address xxx6 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback202
description Maincom Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback203
description WA-JMS Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback204
description MainTrade Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205
description cPanel Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205002
description cPanel02 Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205003
description cPanel03 Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205004
description cPanel04 Public IP
no ip address
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205005
description cPanel05 Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Tunnel201
ip address 172.16.201.1 255.255.255.252
ip mtu 1462
ip nbar protocol-discovery
tunnel source Loopback201
tunnel mode ipsec ipv4
tunnel destination xxxx
tunnel protection ipsec profile uap-profile
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Exetel
bandwidth 20000
ip address xxxx 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
crypto map ivolve-vpn
service-policy output pm-qos-eits-exetel-shaping-out
!
interface GigabitEthernet0/1
description LAN
no ip address
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0/1.3
description eits-lan
encapsulation dot1Q 3
ip address 10.10.20.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
no ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
description 3cx-lan
encapsulation dot1Q 100
ip address 10.10.100.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.110
description DRAYTEKWAPGUEST
encapsulation dot1Q 110
ip address 10.10.110.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.201
description UAP
encapsulation dot1Q 201
ip address 10.99.201.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.202
description MaincomTest
encapsulation dot1Q 202
ip address 10.99.202.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.203
description WA-JMS
encapsulation dot1Q 203
ip address 10.99.203.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.204
description Maintrade
encapsulation dot1Q 204
ip address 10.99.204.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.205
description cPanel
encapsulation dot1Q 205
ip address 10.99.205.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface ATM0/0/0
description iiNet
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
load-interval 30
no atm ilmi-keepalive
dsl operating-mode adsl2+
dsl enable-training-log
!
interface ATM0/0/0.35 point-to-point
ip flow ingress
pvc 8/35
  tx-ring-limit 3
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
bandwidth inherit
ip address negotiated
ip access-group outside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1440
load-interval 30
dialer pool 1
dialer load-threshold 1 either
dialer-group 1
ppp authentication pap callin
ppp chap hostname impowa
ppp chap password
ppp pap sent-username
no cdp enable
!
ip local pool ippool xxxx
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export destination 10.99.201.150 9996
!
ip dns server
ip nat pool RTP_3CX 10.10.100.1 10.10.100.1 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 10.99.201.1 3389 interface Loopback201 3390
ip nat inside source static tcp 10.99.201.2 3389 interface Loopback201 3391
ip nat inside source static tcp 10.99.201.3 3389 interface Loopback201 3389
ip nat inside source static tcp 10.99.201.2 443 interface Loopback201 443
ip nat inside source static tcp 10.99.201.2 110 interface Loopback201 110
ip nat inside source static tcp 10.99.201.2 143 interface Loopback201 143
ip nat inside source list DRAYTEKWAPGUEST interface Loopback110 overload
ip nat inside source list WA-JMS interface Loopback203 overload
ip nat inside source list cPanel interface Loopback205 overload
ip nat inside source list cPanel02 interface Loopback205002 overload
ip nat inside source list cPanel03 interface Loopback205003 overload
ip nat inside source list cPanel04 interface Loopback205004 overload
ip nat inside source list cPanel05 interface Loopback205005 overload
ip nat inside source list eits interface GigabitEthernet0/0 overload
ip nat inside source list maincom interface Loopback202 overload
ip nat inside source list maintrade interface Loopback204 overload
ip nat inside source list newmail interface Loopback154 overload
ip nat inside source list uap interface Loopback201 overload
ip nat inside source static tcp 10.99.201.2 25 interface Loopback201 25
ip nat inside source static tcp 10.99.201.2 1723 interface Loopback201 1723
ip nat inside source static tcp 10.99.202.1 3389 interface Loopback202 3389
ip nat inside source static tcp 10.99.202.1 80 interface Loopback202 80
ip nat inside source static tcp 10.99.202.2 5060 interface Loopback202 5060
ip nat inside source static tcp 10.99.202.2 5061 interface Loopback202 5061
ip nat inside source static tcp 10.99.202.2 16384 interface Loopback202 16384
ip nat inside source list voice interface Loopback100 overload
ip nat inside source static tcp 10.10.100.1 5060 interface Loopback100 5060
ip nat inside source static udp 10.10.100.1 5060 interface Loopback100 5060
ip nat inside source static tcp 10.10.100.1 5090 interface Loopback100 5090
ip nat inside source static tcp 10.99.201.10 80 interface Loopback201 80
ip nat inside source static tcp 10.99.203.1 3389 interface Loopback203 3389
ip nat inside source static tcp 10.99.204.1 3389 interface Loopback204 3389
ip nat inside source static tcp 10.99.204.1 80 interface Loopback204 80
ip nat inside source static tcp 10.99.204.1 443 interface Loopback204 443
ip nat inside source static tcp 10.10.20.8 3389 interface GigabitEthernet0/1 8085
ip nat inside source static tcp 10.99.201.15 3389 interface Loopback201 4000
ip nat inside source static tcp 10.99.201.4 3389 interface Loopback201 5000
NAT RULES WITH PUBLIC IPS... removed
ip nat inside destination list 100 pool RTP_3CX
ip route 0.0.0.0 0.0.0.0 xxxx
ip route 192.168.1.0 255.255.255.0 172.16.201.2
!
ip access-list extended DRAYTEKWAPGUEST
permit ip 10.10.110.0 0.0.0.255 any
ip access-list extended WA-JMS
permit ip 10.99.203.0 0.0.0.255 any
ip access-list extended al-iptel-out
remark SIP/RDP traffic
permit tcp any any range 5060 5062
permit udp any any range 16384 16896
permit ip any any
ip access-list extended al-rdp-out
remark RDP Traffic
permit tcp any gt 1023 any range 3389 3399
permit tcp any range 3389 3399 any gt 1023
ip access-list extended allowanything
permit ip any any
ip access-list extended aoe
permit ip 10.10.21.0 0.0.0.255 any
ip access-list extended cPanel
permit ip 10.99.205.0 0.0.0.255 any
ip access-list extended eits
deny   ip any 10.10.50.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended eitsmgmt
permit ip 10.10.20.0 0.0.0.255 any
deny   ip any any log
ip access-list extended exetelsip
permit ip host 58.96.1.2 any
permit ip any host 58.96.1.2
ip access-list extended intervolve-traffic
permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
ip access-list extended maincom
permit ip 10.99.202.0 0.0.0.255 any
ip access-list extended maintrade
permit ip 10.99.204.0 0.0.0.255 any
ip access-list extended newmail
permit ip host 10.10.20.4 any
ip access-list extended sps-traffic
permit ip 10.99.201.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended uap
permit ip 10.99.201.0 0.0.0.255 any
ip access-list extended uap-access
deny   ip any 10.0.0.0 0.255.255.255 log
permit ip any any
ip access-list extended voice
permit ip 10.10.100.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 50 permit 10.10.20.0 0.0.0.255
access-list 110 permit gre any host 203.173.37.174
!
!
!
!
!
snmp-server community kB5d72vG136 RO
snmp-server community -=Bu773R=- RO 50
snmp-server ifindex persist
snmp-server
snmp-server
snmp-server chassis-id eits-gw
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 2 protocol ieee
!
banner exec
*********************************************************
* [WARNING]                                             *
* If you are not authorised to access this system       *
* exit immediately.                                     *
* Unauthorised access to this system is forbidden by    *
* company policies, national, and international laws.   *
* Unauthorised users are subject to criminal and civil  *
* penalties as well as company initiated disciplinary   *
* proceedings.                                          *
*                                                       *
* By entry into this system you acknowledge that you    *
* are authorised to access it and have the level of     *
* privilege at which you subsequently operate on        *
* this system                                           *
* You consent by entry into this system to the          *
* monitoring of your activities                         *
*********************************************************
!
line con 0
exec-timeout 5 0
password 7
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class eitsmgmt in
privilege level 15
password 7
login authentication local_auth
transport input telnet ssh
transport output ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 211.29.132.140
ntp server 220.233.0.50 prefer
end

Contributor

You need to have the clients on your LAN point to an internal dns server that resolves server.publicdomain.com to the internal address.

Sent from Cisco Technical Support iPad App
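The reply above is the standard fix (split DNS: inside clients get the inside address for the public name), and the original post's objection to it is the upkeep of hand-maintained zone entries for every hosted site. The script below is an added example, not code from the thread or from Cisco, showing how those overrides can be derived mechanically from the router's own NAT table: it reads the `interface LoopbackN` / `ip address` / `ip nat outside` blocks and the `ip nat inside source static tcp|udp ... interface LoopbackN ...` lines in the same shape as the posted config, and for each public name decides which inside host the internal DNS should answer with. The sample config, the public addresses (203.0.113.x, 198.51.100.x) and the hostnames are constructed, since the post redacted the real ones. It also flags the case the posted config actually has (one public loopback port-mapping to several inside hosts, e.g. Loopback201 fronting 10.99.201.2, 10.99.201.3 and 10.99.201.10), where a single A record cannot reproduce the per-port split and someone has to choose.

```python
import re
from dataclasses import dataclass


@dataclass
class Override:
    """One internal DNS answer derived from the router's NAT table."""
    name: str
    public_ip: str
    inside_ip: str
    ambiguous: bool        # True if that public IP port-maps to more than one inside host
    inside_hosts: dict     # (proto, outside_port) -> inside ip


# Constructed sample in the shape of the posted config; public addresses are
# documentation-range placeholders because the post redacted the real ones.
SAMPLE_CONFIG = """\
interface Loopback201
 description UAP Public IP
 ip address 203.0.113.201 255.255.255.255
 ip nat outside
!
interface Loopback205
 description cPanel Public IP
 ip address 203.0.113.205 255.255.255.255
 ip nat outside
!
interface GigabitEthernet0/1.3
 description eits-lan
 ip address 10.10.20.254 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 10.99.201.2 443 interface Loopback201 443
ip nat inside source static tcp 10.99.201.10 80 interface Loopback201 80
ip nat inside source static tcp 10.99.201.3 3389 interface Loopback201 3389
ip nat inside source list cPanel interface Loopback205 overload
ip nat inside source static tcp 10.99.205.1 80 interface Loopback205 80
ip nat inside source static tcp 10.99.205.1 443 interface Loopback205 443
"""

# Constructed: what the public DNS answers for each (hypothetical) hostname.
PUBLIC_ANSWERS = {
    "mail.example.com.au": "203.0.113.201",
    "www.example.com.au": "203.0.113.201",
    "site1.example.com.au": "203.0.113.205",
    "cdn.example.net": "198.51.100.7",   # not one of our addresses
}

_IFACE = re.compile(r"^interface (\S+)$")
_IPADDR = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+$")
_STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def nat_outside_addresses(config: str) -> dict:
    """Return {interface: ipv4} for every interface carrying 'ip nat outside'."""
    addrs, outside, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()          # tolerate the indentation the forum stripped
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        if line == "!" or current is None:
            current = None          # '!' closes an interface block
            continue
        m = _IPADDR.match(line)
        if m:
            addrs[current] = m.group(1)
        elif line == "ip nat outside":
            outside.add(current)
    return {iface: ip for iface, ip in addrs.items() if iface in outside}


def static_translations(config: str) -> dict:
    """Return {interface: {(proto, outside_port): inside_ip}} from static port NAT lines."""
    table = {}
    for raw in config.splitlines():
        m = _STATIC.match(raw.strip())
        if m:
            proto, inside_ip, _inside_port, iface, outside_port = m.groups()
            table.setdefault(iface, {})[(proto, int(outside_port))] = inside_ip
    return table


# When one public IP fronts several inside hosts, a single A record cannot keep
# the per-port split; prefer the web host, since these are hosted websites.
_PREFERRED_PORTS = (("tcp", 443), ("tcp", 80))


def split_dns_overrides(config: str, public_answers: dict) -> dict:
    """Decide, per name, which inside address the internal DNS should answer with."""
    ip_to_iface = {ip: iface for iface, ip in nat_outside_addresses(config).items()}
    statics = static_translations(config)
    overrides = {}
    for name, public_ip in public_answers.items():
        iface = ip_to_iface.get(public_ip)
        if iface is None or iface not in statics:
            continue   # foreign address, or PAT-only loopback: nothing behind it to reach
        hosts = statics[iface]
        chosen = next((hosts[k] for k in _PREFERRED_PORTS if k in hosts), None)
        if chosen is None:
            chosen = min(hosts.values())   # deterministic fallback when no web port is mapped
        overrides[name] = Override(name, public_ip, chosen,
                                   len(set(hosts.values())) > 1, dict(hosts))
    return overrides


def zone_records(overrides: dict) -> list:
    """Render overrides as BIND-style A records; ambiguous ones get a warning comment."""
    lines = []
    for o in sorted(overrides.values(), key=lambda o: o.name):
        note = ""
        if o.ambiguous:
            others = sorted(set(o.inside_hosts.values()) - {o.inside_ip})
            note = f"  ; WARNING {o.public_ip} also port-maps to {', '.join(others)}"
        lines.append(f"{o.name}. IN A {o.inside_ip}{note}")
    return lines


if __name__ == "__main__":
    for rec in zone_records(split_dns_overrides(SAMPLE_CONFIG, PUBLIC_ANSWERS)):
        print(rec)
```

Run against a real `show running-config` and a list of hosted names, the output is the internal zone (or hosts-file) content; re-running it when a site is added or moved is the "overhead" reduced to one command. The ambiguity warning is the part worth keeping an eye on: in the posted config, Loopback201 fronts three different inside hosts by port, so an inside client that gets one A record reaches only the host chosen for the web ports, and RDP or mail to the same public name needs its own name or its own record.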


My manager does not want this performed this way, as all the websites that we host on a cPanel server would have to be added manually, and if they move or leave hosting from us it will create a lot of overhead.

This should be possible. I am sure there is a command that can be disabled on the Cisco router to allow for this, because other cheap routers from other brands have this disabled by default... and Cisco is awesome, so there should be a command that allows for this. I am sure it's a security command.
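The posted config already has `ip dns server`, so the router itself can serve as the internal resolver the earlier reply describes, answering LAN queries for the public name with the inside address and forwarding everything else to its configured name-server. The fragment below is an added example, not part of the posted config or of Cisco's documentation; the hostname server1.ourdomain.com, the inside address 10.10.20.8 and the upstream resolver 203.0.113.53 are assumptions. It does not remove the per-name entries, which is the objection raised above; it only removes the need for a separate DNS server to hold them.

```cisco
! Added example (not from the posted config). Assumed values:
!   server1.ourdomain.com -> 10.10.20.8 (inside host on the eits-lan VLAN)
!   203.0.113.53          -> upstream resolver (constructed address)
ip dns server
ip name-server 203.0.113.53
!
! Static host entries answered by the router to LAN clients; one per
! public name that must resolve to its inside address from the LAN.
ip host server1.ourdomain.com 10.10.20.8
!
! LAN clients on VLAN 3 (10.10.20.0/24) must use the router's inside
! address, 10.10.20.254, as their DNS server (e.g. via DHCP option 6)
! for the override to take effect. Names without an ip host entry are
! forwarded to the name-server and resolve exactly as they do today.
```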
