03-16-2014 04:54 PM - edited 03-07-2019 06:43 PM
Hello,
My workstation can resolve domain names, but my router cannot. I receive the following:
Router#ping www.google.com
Translating "www.google.com"...domain server (8.8.8.8) (8.8.4.4) (75.75.76.76) (75.75.75.75)
% Unrecognized host or address, or protocol not running.
This is my router:
Router#sh run
Building configuration...
Current configuration : 4298 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.200 192.168.0.255
!
ip dhcp pool CLIENT
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease 0 1
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name IPFW tcp
ip inspect name IPFW udp
ip inspect name IPFW cuseeme
ip inspect name IPFW ftp
ip inspect name IPFW tftp
ip inspect name IPFW rcmd
ip inspect name IPFW realaudio
ip inspect name IPFW smtp
ip inspect name IPFW h323
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Ethernet0
description LAN switch ports on inside interface
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 32 in
!
interface Ethernet1
description WAN interface to ISP using DHCP
ip ddns update hostname onlize.homeip.net
ip ddns update dyndns
ip address dhcp client-id Ethernet1
ip access-group IPFW-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect IPFW out
ip virtual-reassembly
duplex auto
no cdp enable
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 23 interface Ethernet1 overload
ip nat inside source list 100 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.5 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.0.5 32400 interface Ethernet1 32400
ip nat inside source static udp 192.168.0.5 32400 interface Ethernet1 32400
!
!
ip access-list extended IPFW-ACL
remark NTP Server Access
permit udp any any eq ntp
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp any any eq 3389
permit tcp any any eq 32400
permit udp any any eq 32400
deny ip any any
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
control-plane
!
line con 0
exec-timeout 120 0
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
!
scheduler max-task-time 5000
ntp logging
ntp clock-period 17179872
ntp server 204.2.134.163
ntp server 173.8.148.157
ntp server 15.185.186.215
ntp server 64.6.144.6
ntp server 198.110.48.12
ntp server 208.75.89.4
ntp server 198.55.111.50
ntp server 72.43.42.21
end
Router#
If I remove "ip access-group IPFW-ACL in" from my WAN interface, everything works. What am I missing here? What else should I add to my firewall?
Thank you.
03-17-2014 03:24 PM
Hi,
Try adding the following lines to your access list:
permit udp any any eq domain
permit tcp any any eq domain
Hope this helps.
Regards
Alex
03-18-2014 11:46 AM
Thank you for your reply. I tried it, but it does not work.
Any other ideas?
03-18-2014 01:49 AM
Hello
ip access-list extended IPFW-ACL
12 permit udp any any eq 53
interface Ethernet1
no ip inspect IPFW out
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
interface Ethernet0
ip access-group 101 in
ip inspect IPFW in
Res
Paul
03-18-2014 11:47 AM
Thank you for your reply.
Interesting suggestion, but it means that I will protect the internal interface, while the external interface will not be protected. I do not think it is such a good idea.
Any other suggestions?
By the way, what is that number 12 in front of permit UDP? Can you please explain?
Thank you.
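An added illustration, not code from this thread or from Cisco IOS, of the two points the replies above turn on: where an `eq <port>` clause binds in an extended ACL entry, and what a sequence number such as the `12` in front of `permit` does. It is a small Python evaluator for the subset of ACL syntax used in the thread, run against a constructed copy of the posted IPFW-ACL and a constructed inbound DNS reply. The router's DHCP-learned WAN address is replaced by a placeholder from TEST-NET-3, and the last variant, which matches the reply's source port 53 from the configured name server, is my own addition to show the contrast; it is not a suggestion made in the thread.

```python
"""Evaluator for the small subset of Cisco IOS extended-ACL syntax used in this thread.

Added example, not router or Cisco code. Supported: optional leading sequence number,
permit/deny, ip/udp/tcp/icmp, 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' for source and
destination, optional 'eq <port>' after either address, one trailing ICMP-type keyword.
'remark' lines and the 'ip access-list ...' header are ignored.
"""
import ipaddress

NAMED_PORTS = {"domain": 53, "ntp": 123, "bootpc": 68, "bootps": 67}


def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _parse_addr(toks, i):
    """Parse one address spec at toks[i]; return (spec, eq_port, next_index).
    spec is None for 'any', otherwise (address, wildcard) as integers."""
    if toks[i] == "any":
        spec, i = None, i + 1
    elif toks[i] == "host":
        spec, i = (int(ipaddress.ip_address(toks[i + 1])), 0), i + 2
    else:
        spec = (int(ipaddress.ip_address(toks[i])), int(ipaddress.ip_address(toks[i + 1])))
        i += 2
    port = None
    if i < len(toks) and toks[i] == "eq":  # the port clause binds to the address just parsed
        port, i = _port(toks[i + 1]), i + 2
    return spec, port, i


def parse_acl(text):
    """Parse entries; an unnumbered entry gets (highest sequence so far + 10), as IOS does.
    Returns entries sorted by sequence number, which is the order IOS tests them in."""
    entries = []
    for raw in text.splitlines():
        toks = raw.strip().lower().split()
        if not toks or toks[0] in ("remark", "ip"):
            continue
        if toks[0].isdigit():
            seq, toks = int(toks[0]), toks[1:]
        else:
            seq = max((e["seq"] for e in entries), default=0) + 10
        action, proto = toks[0], toks[1]
        src, sport, i = _parse_addr(toks, 2)
        dst, dport, i = _parse_addr(toks, i)
        qualifier = toks[i] if i < len(toks) else None
        entries.append(dict(seq=seq, action=action, proto=proto, src=src, sport=sport,
                            dst=dst, dport=dport, qualifier=qualifier))
    return sorted(entries, key=lambda e: e["seq"])


def _addr_match(spec, ip):
    if spec is None:
        return True
    addr, wild = spec  # bits set in the wildcard are "don't care"
    return (int(ipaddress.ip_address(ip)) | wild) == (addr | wild)


def evaluate(acl, pkt):
    """Return (action, sequence) of the first matching entry; implicit deny otherwise."""
    for r in acl:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not _addr_match(r["src"], pkt["src"]) or not _addr_match(r["dst"], pkt["dst"]):
            continue
        if r["sport"] is not None and r["sport"] != pkt.get("sport"):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        if r["qualifier"] and r["qualifier"] != pkt.get("icmp_type"):
            continue
        return r["action"], r["seq"]
    return "deny", None


# Constructed copy of the thread's IPFW-ACL, taken from the posted 'sh run'.
IPFW_ACL = """
ip access-list extended IPFW-ACL
 remark NTP Server Access
 permit udp any any eq ntp
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit tcp any any eq 3389
 permit tcp any any eq 32400
 permit udp any any eq 32400
 deny ip any any
"""

# Constructed DNS reply as it arrives inbound on Ethernet1: the server answers from UDP
# port 53 to the ephemeral port the router used for its query. The WAN address is a
# placeholder from TEST-NET-3 (the real one is DHCP-assigned and not on the page).
DNS_REPLY = dict(proto="udp", src="8.8.8.8", sport=53, dst="203.0.113.10", dport=51234)


def dns_reply_outcomes():
    """Evaluate the reply against the posted ACL and three candidate additions."""
    variants = {
        "posted ACL": IPFW_ACL,
        # first suggestion in the thread, typed without a sequence number: appended after 'deny ip any any'
        "appended 'permit udp any any eq domain'": IPFW_ACL + "permit udp any any eq domain\n",
        # second suggestion, with sequence 12 so it is tested before entry 20
        "inserted '12 permit udp any any eq 53'": IPFW_ACL + "12 permit UDP any any eq 53\n",
        # not from the thread: match the reply's SOURCE port, and only from the configured server
        "inserted '12 permit udp host 8.8.8.8 eq domain any'":
            IPFW_ACL + "12 permit udp host 8.8.8.8 eq domain any\n",
    }
    return {name: evaluate(parse_acl(acl), DNS_REPLY) for name, acl in variants.items()}


if __name__ == "__main__":
    for name, (action, seq) in dns_reply_outcomes().items():
        print(f"{name:55s} -> {action} (entry {seq})")
```

In an IOS extended entry the `eq` that follows the source address matches the source port and the one that follows the destination address matches the destination port, so `any any eq domain` matches only packets sent to port 53, while an answer returning to the router arrives from port 53 to an ephemeral port and falls through to `deny ip any any`. Entries are tested in ascending sequence order, and a line entered without a number is appended after the last one, so an unnumbered permit lands behind the final deny and is never reached; a low number such as 12 places the entry ahead of the existing ones (auto-numbered 10, 20, 30, ...), which is what the 12 in the reply above does. The router's own queries need an explicit inbound entry because, unless configured otherwise, the CBAC inspection applied with `ip inspect IPFW out` tracks transit sessions rather than sessions the router itself originates, so the reply is not opened dynamically; the ping output shows four name servers in use (two configured, two learned via DHCP), and each would need such an entry.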