I have two internet connections. I put Comcast into its own VRF. ATT is in the global routing table. I use PBR to route some traffic to Comcast and some to ATT. Everything works, BUT DNS queries which are sent to the Comcast VRF. All the traffic through the VRF works (TCP, UDP, ICMP), but I can't push DNS through it.
I use 184.108.40.206 and 220.127.116.11 as DNS.
When I created a local DNS server which uses ATT (the global routing path), it works.
SHORT: DNS queries do not go through the VRF.
I found the problem, but I have no idea how to solve it.
DNS queries from subnet 192.168.10.0/24 do not get NATed.
All other packets from the subnet 192.168.10.0/24 do get NATed.
I have no idea why NAT does not work for DNS query packets. From the client I can ping the DNS server without problem, but when I do a sniffer trace I do see that the DNS query passes with NAT.
Could you clarify some points, please?
When you said everything is working, did you mean from both inside interfaces, gi0/1 and gi0/2?
According to the configuration, you have 192.168.10.0 NATed from gi0/1. Where is it located? On another core connected and routed through OSPF?
From which source network are you trying? 192.168.10.0/24 ?
On Gi0/2 you are sending all internet traffic to 192.168.11.254, is that correct?
Note: I don't know if you want to match RFC 1918 networks in your PBR ACL, but this line is incorrect:
deny ip 192.168.10.0 0.0.0.255 172.30.0.0 0.0.255.255
should be:
deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.15.255.255
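The two wildcard lines above differ only in the mask, but they match very different amounts of address space. Below is an added example (not from this thread or from Cisco) that translates an IOS address/wildcard pair into the prefix it covers and checks whether a set of deny entries really keeps all three RFC 1918 blocks off the policy-routed path. The full PBR ACL is not shown in the thread, so the 10.0.0.0 and 192.168.0.0 deny entries and the assumption that the ACL ends with a permit are mine; only the 172.x entries are taken from the lines above. The destination 172.20.1.1 is a constructed test address.

```python
"""Check what a Cisco address/wildcard ACL entry actually matches.

Added example, not code from the thread. The 10.x and 192.168.x deny
entries and the trailing 'permit' are assumed; the two 172.x entries are
the ones discussed in the thread.
"""
import ipaddress

# The three RFC 1918 private blocks a PBR ACL usually wants to exclude so
# that internal traffic keeps following the normal routing table.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate an IOS 'address wildcard' pair into the prefix it covers.

    A wildcard bit of 1 means 'don't care'. Only contiguous wildcards (the
    ones that correspond to a CIDR prefix) are accepted; IOS allows
    discontiguous wildcards, but they have no single-prefix equivalent.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # contiguous low-order ones iff w+1 is a power of two
        raise ValueError(f"discontiguous wildcard {wildcard} has no CIDR equivalent")
    prefixlen = 32 - w.bit_length()
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def deny_matches(entries, dst: str) -> bool:
    """True if the destination hits any deny entry, i.e. PBR will NOT apply.

    Assumes the ACL is 'deny <private> ... / permit any' as in the thread:
    a destination that hits no deny line falls through to the permit and is
    policy-routed to the alternate ISP next hop.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in wildcard_to_network(a, w) for a, w in entries)


def rfc1918_gaps(entries):
    """Return the RFC 1918 blocks not fully covered by the deny entries."""
    covered = [wildcard_to_network(a, w) for a, w in entries]
    return [str(b) for b in RFC1918 if not any(b.subnet_of(c) for c in covered)]


# Destination address/wildcard pairs of the deny lines. The 172.x pair is
# the one posted in the thread; the other two are assumed.
AS_POSTED = [("10.0.0.0", "0.255.255.255"),
             ("172.30.0.0", "0.0.255.255"),
             ("192.168.0.0", "0.0.255.255")]
# Same ACL with the 172.x line corrected to the full RFC 1918 /12.
CORRECTED = [("10.0.0.0", "0.255.255.255"),
             ("172.16.0.0", "0.15.255.255"),
             ("192.168.0.0", "0.0.255.255")]

if __name__ == "__main__":
    print(wildcard_to_network("172.30.0.0", "0.0.255.255"))   # 172.30.0.0/16
    print(wildcard_to_network("172.16.0.0", "0.15.255.255"))  # 172.16.0.0/12
    print(rfc1918_gaps(AS_POSTED))                            # ['172.16.0.0/12']
    # A private destination outside 172.30/16 is policy-routed with the
    # posted ACL and kept on the global table with the corrected one.
    print(deny_matches(AS_POSTED, "172.20.1.1"),
          deny_matches(CORRECTED, "172.20.1.1"))              # False True
```

The practical consequence of the wrong mask: with the posted line, traffic to any 172.16/12 address outside 172.30/16 misses every deny entry, hits the permit, and is policy-routed out to the ISP next hop (and NATed) instead of following the internal routes. Run `rfc1918_gaps` on the deny entries of each PBR ACL before applying it.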
Yes, I send all traffic from gig0/2 to 192.168.11.254. NO ISSUE HERE.
2 subnets come in from gig 0/1:
192.168.200.0/24 should go out int fast 0/0/3 (VLAN 50), and it does. NO ISSUE HERE.
192.168.10.0/24 should go out int gig 0/0. I am running a sniffer between int gig 0/0 and the Comcast router. I can see that all packets from 192.168.10.0/24 do get NATed to IP 18.104.22.168, which is on int gig0/0. BUT DNS query packets do not get NATed.
In the picture both packets (ICMP and DNS) come from the same host.
Can you post the result of
show ip nat translations
You can also try
access-list 100 permit ip host 192.168.10.92 any
debug ip packet 100
on the router; just be sure to use the right ACL to match your source IP.
It WORKS! THANK YOU
When I deleted the first one,
ip nat inside source list nat-deset interface GigabitEthernet0/0 overload
it did not work.
I need both, and then everything works.
Do you have any logical explanation why I need both of them?