Solved: Re: VRF - DNS issue

filip00011 · ‎05-07-2018

I have two internet connections. I put comcast into its own vrf. ATT is in global routing table. I use PBR to route some traffic to comcast and some to ATT. Everything works, BUT DNS queries which are send to comcast VRF. All the traffic through VRF works (TCP, UDP, ICMP) but I can't push dns through it.

I use 8.8.8.8 and 1.1.1.1 ans DNS.

When I created local DNS server which uses ATT - global routing path. It works.

SHORT: DNS queries do not go through VRF.

Kevin SAS · ‎05-07-2018

If i am right, your nat should be something like this :
ip nat inside source list nat-deset interface gi0/0 vrf comcast overload

View solution in original post

filip00011 · ‎05-07-2018

I found the problem, but I have no idea how to solve it.

DNS queries from subnet 192.168.10.0/24 do not get nat it.

All other packets from the subnet 192.168.10.0./24 do get nat it.

I have no idea why NAT does not work for DNS query packets. From the client I can ping DNS server without problem, but when I do sniifertrace I do see that DNS query passes with NAT.

Kevin SAS · ‎05-07-2018

Hello,

Could you clarify some points please ?

When you said everything is working, you said, from both inside interface ? gi0/1 and gi0/2?

According to the configuration, you have 192.168.10.0 nated from gi0/1, where it is located ? from another core connected and routed through OSPF ?

From which source network are you trying? 192.168.10.0/24 ?

On Gi0/2 you are sending all internet trafic to 192.168.11.254, is that correct?

Note :Don't know if you wanna match RFC1918 networks in your ACL PBR, but this line is incorrect :

deny ip 192.168.10.0 0.0.0.255 172.30.0.0 0.0.255.255

should be :
deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.15.255.255

Thanks,

filip00011 · ‎05-07-2018

yes I send all traffic from gig0/2 to 192.168.11.254 NO ISSUE HERE.

For simplicty:

2 subnets coming from gig 0/1

192.168.200.0/24 should go out int fast 0/0/3 (VLAN 50) and it goes NO ISSUE HERE

192.168.10.0/24 should go out int gig 0/0. I am doing sniffer between int gig 0/0 and comcast router. I can see that all packets from 192.168.10.0/24 do get nat it to IP 73.168.139.247 which is on int gig0/0. BUT DNS query packets do not get nat it.

On the picture both packets(ICMP AND DNS come from the same host)

Kevin SAS · ‎05-07-2018

Can you post the result for

show ip nat translation ?

You can also try a

ip access 100 permit 192.168.10.92 0.0.0.0

debug ip packet 100

on the router, just be sure to put the good acl to match your source ip

filip00011 · ‎05-07-2018

I have no idea why NAT skips DNS traffic.

PBR2 and then nat-deset should match all IP traffic including DNS query right?

Kevin SAS · ‎05-07-2018

according to your debug,
udp 73.168.*.*:64305 192.168.10.92:64305 1.1.1.1:53 1.1.1.1:53
udp 73.168.*.*:64305 192.168.10.92:64305 8.8.8.8:53 8.8.8.8:53
nat seems to be good, 73.168.139.247 is ip address on gi0/0 ?
So please post a
sho ip route vrf comcast

filip00011 · ‎05-07-2018

Yes, it is the IP

Kevin SAS · ‎05-07-2018

If i am right, your nat should be something like this :
ip nat inside source list nat-deset interface gi0/0 vrf comcast overload

filip00011 · ‎05-07-2018

It WORKS! THANK YOU

but

When I deleted the first one

ip nat inside source list nat-deset interface GigabitEthernet0/0 overload. It did not work

I need both and then everything works

Do you have any logical explanation why I need both of them?

Kevin SAS · ‎05-07-2018

I am glad it is working now.
I have no explanation right now why you need both nat statement and a little bit tired to test it (again) on lab :)

I will see that another time !