01-31-2013 06:24 PM - edited 03-07-2019 11:26 AM
Hi everyone,
Okay, to start, this is most likely a security feature of Cisco or any other enterprise-grade router.
(We can potentially do this via our internal DNS server - but we won't, because we host a cPanel and adding and removing all the zones on our internal DNS is something that we didn't have to do previously, so this is out of the question for my manager.)
So the scenario:
Before our company had a Cisco 2901 they had a Billion... something.
If they wanted to look up a server via its public FQDN it would resolve, i.e. on my computer in the LAN, if I were to ping server1.ourdomain.com it would look up, and if I were to look up server1.ourdomain.local it would look up.
Now, since the implementation of the Cisco, server1.ourdomain.com cannot be looked up within the LAN, only externally.
I understand this is a feature designed to prevent a loop and spoofing attacks, but I have been instructed to turn it off. Ideas?
I can get the Cisco config but it will not help, because it is enabled by default on all Cisco routers - I confirmed this at home last night and at another client's.
Any help would be greatly appreciated. Check my picture if you don't get the scenario.
01-31-2013 06:42 PM
Here's the config if it helps - public IPs removed
!
! Last configuration change at 17:03:00 UTC Wed Sep 19 2012 by empowerit
! NVRAM config last updated at 17:04:38 UTC Wed Sep 19 2012 by empowerit
! NVRAM config last updated at 17:04:38 UTC Wed Sep 19 2012 by empowerit
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname eits-gw
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login userauthen local
aaa authorization network eitsgroup local
!
!
!
!
!
aaa session-id common
!
clock timezone UTC 10 0
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name mycompanydomain.com.au
ip name-server
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
login block-for 300 attempts 3 within 600
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3646940247
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3646940247
revocation-check none
rsakeypair TP-self-signed-3646940247
!
!
crypto pki certificate chain TP-self-signed-3646940247
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn
!
!
username eitsvpn password 7 xxxx
username empowerit secret 5 xxx
!
redundancy
!
!
!
!
!
class-map match-any cm-iptel-out
match access-group name al-iptel-out
match protocol rtp audio
class-map match-any cm-management-out
match access-group name al-rdp-out
match protocol telnet
!
!
policy-map pm-qos-eits-exetel-out
description QoS policy map for exetel service
class cm-iptel-out
priority 15
class cm-management-out
bandwidth percent 15
class class-default
fair-queue
random-detect
policy-map pm-qos-eits-exetel-shaping-out
description QoS policy map for shaped exetel service
class class-default
shape average 17000000 170000
service-policy pm-qos-eits-exetel-out
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 4
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address xxxx
crypto isakmp key xxxx address xxxx no-xauth
!
!
crypto ipsec transform-set superset esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set eitsvpn esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set myset2 ah-md5-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set superset-sps esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile supprofile
set transform-set superset
!
crypto ipsec profile uap-profile
set transform-set superset
!
!
crypto map ivolve-vpn 10 ipsec-isakmp
set peer xxxx
set transform-set 3DES-MD5
set pfs group5
match address intervolve-traffic
!
!
!
!
!
interface Loopback100
description 3CX Public IP
ip address xxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback110
description DRAYTEKWAPGUEST
ip address 2xxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback154
no ip address
!
interface Loopback201
description UAP Public IP
ip address xxx6 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback202
description Maincom Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback203
description WA-JMS Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback204
description MainTrade Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205
description cPanel Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205002
description cPanel02 Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205003
description cPanel03 Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205004
description cPanel04 Public IP
no ip address
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Loopback205005
description cPanel05 Public IP
ip address xxxx 255.255.255.255
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
!
interface Tunnel201
ip address 172.16.201.1 255.255.255.252
ip mtu 1462
ip nbar protocol-discovery
tunnel source Loopback201
tunnel mode ipsec ipv4
tunnel destination xxxx
tunnel protection ipsec profile uap-profile
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Exetel
bandwidth 20000
ip address xxxx 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
crypto map ivolve-vpn
service-policy output pm-qos-eits-exetel-shaping-out
!
interface GigabitEthernet0/1
description LAN
no ip address
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0/1.3
description eits-lan
encapsulation dot1Q 3
ip address 10.10.20.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
no ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
description 3cx-lan
encapsulation dot1Q 100
ip address 10.10.100.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.110
description DRAYTEKWAPGUEST
encapsulation dot1Q 110
ip address 10.10.110.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.201
description UAP
encapsulation dot1Q 201
ip address 10.99.201.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.202
description MaincomTest
encapsulation dot1Q 202
ip address 10.99.202.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.203
description WA-JMS
encapsulation dot1Q 203
ip address 10.99.203.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.204
description Maintrade
encapsulation dot1Q 204
ip address 10.99.204.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.205
description cPanel
encapsulation dot1Q 205
ip address 10.99.205.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface ATM0/0/0
description iiNet
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
load-interval 30
no atm ilmi-keepalive
dsl operating-mode adsl2+
dsl enable-training-log
!
interface ATM0/0/0.35 point-to-point
ip flow ingress
pvc 8/35
tx-ring-limit 3
pppoe-client dial-pool-number 1
!
!
interface Dialer1
bandwidth inherit
ip address negotiated
ip access-group outside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1440
load-interval 30
dialer pool 1
dialer load-threshold 1 either
dialer-group 1
ppp authentication pap callin
ppp chap hostname impowa
ppp chap password
ppp pap sent-username
no cdp enable
!
ip local pool ippool xxxx
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export destination 10.99.201.150 9996
!
ip dns server
ip nat pool RTP_3CX 10.10.100.1 10.10.100.1 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 10.99.201.1 3389 interface Loopback201 3390
ip nat inside source static tcp 10.99.201.2 3389 interface Loopback201 3391
ip nat inside source static tcp 10.99.201.3 3389 interface Loopback201 3389
ip nat inside source static tcp 10.99.201.2 443 interface Loopback201 443
ip nat inside source static tcp 10.99.201.2 110 interface Loopback201 110
ip nat inside source static tcp 10.99.201.2 143 interface Loopback201 143
ip nat inside source list DRAYTEKWAPGUEST interface Loopback110 overload
ip nat inside source list WA-JMS interface Loopback203 overload
ip nat inside source list cPanel interface Loopback205 overload
ip nat inside source list cPanel02 interface Loopback205002 overload
ip nat inside source list cPanel03 interface Loopback205003 overload
ip nat inside source list cPanel04 interface Loopback205004 overload
ip nat inside source list cPanel05 interface Loopback205005 overload
ip nat inside source list eits interface GigabitEthernet0/0 overload
ip nat inside source list maincom interface Loopback202 overload
ip nat inside source list maintrade interface Loopback204 overload
ip nat inside source list newmail interface Loopback154 overload
ip nat inside source list uap interface Loopback201 overload
ip nat inside source static tcp 10.99.201.2 25 interface Loopback201 25
ip nat inside source static tcp 10.99.201.2 1723 interface Loopback201 1723
ip nat inside source static tcp 10.99.202.1 3389 interface Loopback202 3389
ip nat inside source static tcp 10.99.202.1 80 interface Loopback202 80
ip nat inside source static tcp 10.99.202.2 5060 interface Loopback202 5060
ip nat inside source static tcp 10.99.202.2 5061 interface Loopback202 5061
ip nat inside source static tcp 10.99.202.2 16384 interface Loopback202 16384
ip nat inside source list voice interface Loopback100 overload
ip nat inside source static tcp 10.10.100.1 5060 interface Loopback100 5060
ip nat inside source static udp 10.10.100.1 5060 interface Loopback100 5060
ip nat inside source static tcp 10.10.100.1 5090 interface Loopback100 5090
ip nat inside source static tcp 10.99.201.10 80 interface Loopback201 80
ip nat inside source static tcp 10.99.203.1 3389 interface Loopback203 3389
ip nat inside source static tcp 10.99.204.1 3389 interface Loopback204 3389
ip nat inside source static tcp 10.99.204.1 80 interface Loopback204 80
ip nat inside source static tcp 10.99.204.1 443 interface Loopback204 443
ip nat inside source static tcp 10.10.20.8 3389 interface GigabitEthernet0/1 8085
ip nat inside source static tcp 10.99.201.15 3389 interface Loopback201 4000
ip nat inside source static tcp 10.99.201.4 3389 interface Loopback201 5000
NAT RULES WITH PUBLIC IPS... removed
ip nat inside destination list 100 pool RTP_3CX
ip route 0.0.0.0 0.0.0.0 xxxx
ip route 192.168.1.0 255.255.255.0 172.16.201.2
!
ip access-list extended DRAYTEKWAPGUEST
permit ip 10.10.110.0 0.0.0.255 any
ip access-list extended WA-JMS
permit ip 10.99.203.0 0.0.0.255 any
ip access-list extended al-iptel-out
remark SIP/RDP traffic
permit tcp any any range 5060 5062
permit udp any any range 16384 16896
permit ip any any
ip access-list extended al-rdp-out
remark RDP Traffic
permit tcp any gt 1023 any range 3389 3399
permit tcp any range 3389 3399 any gt 1023
ip access-list extended allowanything
permit ip any any
ip access-list extended aoe
permit ip 10.10.21.0 0.0.0.255 any
ip access-list extended cPanel
permit ip 10.99.205.0 0.0.0.255 any
ip access-list extended eits
deny ip any 10.10.50.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended eitsmgmt
permit ip 10.10.20.0 0.0.0.255 any
deny ip any any log
ip access-list extended exetelsip
permit ip host 58.96.1.2 any
permit ip any host 58.96.1.2
ip access-list extended intervolve-traffic
permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
ip access-list extended maincom
permit ip 10.99.202.0 0.0.0.255 any
ip access-list extended maintrade
permit ip 10.99.204.0 0.0.0.255 any
ip access-list extended newmail
permit ip host 10.10.20.4 any
ip access-list extended sps-traffic
permit ip 10.99.201.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended uap
permit ip 10.99.201.0 0.0.0.255 any
ip access-list extended uap-access
deny ip any 10.0.0.0 0.255.255.255 log
permit ip any any
ip access-list extended voice
permit ip 10.10.100.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 50 permit 10.10.20.0 0.0.0.255
access-list 110 permit gre any host 203.173.37.174
!
!
!
!
!
snmp-server community kB5d72vG136 RO
snmp-server community -=Bu773R=- RO 50
snmp-server ifindex persist
snmp-server
snmp-server
snmp-server chassis-id eits-gw
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 2 protocol ieee
!
banner exec
*********************************************************
* [WARNING] *
* If you are not authorised to access this system *
* exit immediately. *
* Unauthorised access to this system is forbidden by *
* company policies, national, and international laws. *
* Unauthorised users are subject to criminal and civil *
* penalties as well as company initiated disciplinary *
* proceedings. *
* *
* By entry into this system you acknowledge that you *
* are authorised to access it and have the level of *
* privilege at which you subsequently operate on *
* this system *
* You consent by entry into this system to the *
* monitoring of your activities *
*********************************************************
!
line con 0
exec-timeout 5 0
password 7
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class eitsmgmt in
privilege level 15
password 7
login authentication local_auth
transport input telnet ssh
transport output ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 211.29.132.140
ntp server 220.233.0.50 prefer
end
01-31-2013 06:42 PM
You need to have the clients on your LAN point to an internal DNS server that resolves server.publicdomain.com to the internal address.
Sent from Cisco Technical Support iPad App
01-31-2013 06:47 PM
My manager does not want this performed this way, as all the websites that we host on a cPanel server would all have to be added manually, and if they move or leave hosting from us it will create a lot of overhead.
This should be possible. I am sure there is a command that can be disabled on the Cisco router to allow for this, because other cheap routers from other brands have this disabled by default... and Cisco is awesome so there should be a command that allows for this - I am sure it's a security command.