VRF - DNS issue

filip00011
Level 1

I have two internet connections. I put Comcast into its own VRF. ATT is in the global routing table. I use PBR to route some traffic to Comcast and some to ATT. Everything works, BUT DNS queries which are sent to the Comcast VRF. All the traffic through the VRF works (TCP, UDP, ICMP) but I can't push DNS through it.

I use 8.8.8.8 and 1.1.1.1 as DNS.


When I created a local DNS server which uses the ATT (global routing) path, it works.


SHORT: DNS queries do not go through VRF.

1 Accepted Solution (Kevin SAS)

If I am right, your NAT should be something like this:
ip nat inside source list nat-deset interface gi0/0 vrf comcast overload

10 Replies

filip00011
Level 1

I found the problem, but I have no idea how to solve it.

DNS queries from subnet 192.168.10.0/24 do not get NATed.

All other packets from the subnet 192.168.10.0/24 do get NATed.

I have no idea why NAT does not work for DNS query packets. From the client I can ping the DNS server without problem, but when I do a sniffer trace I do see that the DNS query passes with NAT.

Kevin SAS
Level 1

Hello,


Could you clarify some points please?

When you said everything is working, did you mean from both inside interfaces, gi0/1 and gi0/2?


According to the configuration, you have 192.168.10.0 NATed from gi0/1. Where is it located? On another core connected and routed through OSPF?


From which source network are you trying? 192.168.10.0/24?


On Gi0/2 you are sending all internet traffic to 192.168.11.254, is that correct?


Note: I don't know if you want to match RFC1918 networks in your PBR ACL, but this line is incorrect:

deny ip 192.168.10.0 0.0.0.255 172.30.0.0 0.0.255.255

It should be:
deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.15.255.255


Thanks,

Yes, I send all traffic from gig0/2 to 192.168.11.254. NO ISSUE HERE.


For simplicity:

2 subnets coming from gig 0/1

      192.168.200.0/24 should go out int fast 0/0/3 (VLAN 50), and it does. NO ISSUE HERE.

      192.168.10.0/24 should go out int gig 0/0. I am doing a sniffer trace between int gig 0/0 and the Comcast router. I can see that all packets from 192.168.10.0/24 do get NATed to IP 73.168.139.247, which is on int gig0/0. BUT DNS query packets do not get NATed.


In the picture both packets (ICMP and DNS) come from the same host.

Can you post the result of

show ip nat translation ?


You can also try

access-list 100 permit ip host 192.168.10.92 any

debug ip packet 100

on the router; just be sure to put the right ACL in to match your source IP.

I have no idea why NAT skips DNS traffic.

PBR2 and then nat-deset should match all IP traffic, including DNS queries, right?

According to your debug:
udp 73.168.*.*:64305 192.168.10.92:64305 1.1.1.1:53 1.1.1.1:53
udp 73.168.*.*:64305 192.168.10.92:64305 8.8.8.8:53 8.8.8.8:53
NAT seems to be good. Is 73.168.139.247 the IP address on gi0/0?
So please post a
show ip route vrf comcast

Yes, it is the IP.

If I am right, your NAT should be something like this:
ip nat inside source list nat-deset interface gi0/0 vrf comcast overload

It WORKS! THANK YOU

but

when I deleted the first one,

ip nat inside source list nat-deset interface GigabitEthernet0/0 overload

it did not work.

I need both, and then everything works.


Do you have any logical explanation why I need both of them?

I am glad it is working now.
I have no explanation right now why you need both NAT statements, and I am a little bit tired to test it (again) in the lab :)

I will look at it another time!
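As an added example, not the original poster's configuration: a minimal IOS VRF-lite config reconstructed from what the thread states. Interface names, subnets, the nat-deset and PBR2 names, the VRF name and the outside address come from the thread; the rd, interface masks, the inside address, the Comcast next hop and the PBR ACL name are assumed placeholders. It places the global-only NAT statement beside the VRF-aware one from the accepted answer, and uses the corrected RFC1918 deny line.

```cisco
! Added example reconstructed from the thread; lines marked "assumed" are placeholders.
ip vrf comcast
 rd 65000:1
! (rd value assumed)
!
! Outside interface toward the Comcast router, placed in the VRF (mask assumed)
interface GigabitEthernet0/0
 ip vrf forwarding comcast
 ip address 73.168.139.247 255.255.255.0
 ip nat outside
!
! Inside interface carrying 192.168.10.0/24 and 192.168.200.0/24 (address assumed)
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR2
!
! Default route inside the VRF toward Comcast (next hop assumed)
ip route vrf comcast 0.0.0.0 0.0.0.0 73.168.139.1
!
! Traffic selected for PBR into the comcast VRF (ACL name assumed).
! Deny lines keep RFC1918 destinations on the normal routing path.
! The thread's original line "172.30.0.0 0.0.255.255" only covered 172.30.0.0/16;
! "172.16.0.0 0.15.255.255" covers the whole 172.16.0.0/12 block.
ip access-list extended PBR-COMCAST
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map PBR2 permit 10
 match ip address PBR-COMCAST
 set vrf comcast
!
! Hosts eligible for translation (contents of nat-deset assumed)
ip access-list extended nat-deset
 permit ip 192.168.10.0 0.0.0.255 any
!
! Global-table-only rule: what the poster had first. The thread reports that
! with this rule alone the DNS queries to 8.8.8.8 / 1.1.1.1 were not translated.
ip nat inside source list nat-deset interface GigabitEthernet0/0 overload
!
! VRF-aware rule from the accepted answer, which made the DNS queries translate.
! The poster reports that in his setup both statements had to stay.
ip nat inside source list nat-deset interface GigabitEthernet0/0 vrf comcast overload
```

Verify with "show ip nat translations vrf comcast" and "show ip route vrf comcast" after applying it, as the thread's replies suggest.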