Cisco 837 won't resolve DNS - config attached

Answered Question
Nov 11th, 2007
Hi, I have this config attached. For some reason I can't resolve DNS of web sites etc. If I put the IP of the website in, it works. I'm sure it's something to do with access-list 101. Hope you can advise.


Also MSN won't work.


If I add access-list 101 permit ip any any

everything works, but that makes everything insecure?



Richard Burts Sun, 11/11/2007 - 14:01

Andy


I am not clear whether the problem that you describe is that the router itself can not resolve DNS or that hosts in the LAN connected to the router can not resolve DNS. So let me address both possible issues and you can tell us if either one seems to address your issue.

- router can not resolve DNS. This one is actually pretty simple because I do not see anything in the router config that identifies a DNS server for the router to use. If you want the router to resolve DNS then you need to configure a DNS server that it should access.

- hosts on the LAN can not resolve DNS. I note that the DHCP parameters configured will give the host dns-server 192.168.2.100. But that is the address of the router interface. A router is not a very effective DNS server - especially when the router is not configured with any DNS server to use itself. The best solution is to change the DHCP parameter and identify some real DNS server.


HTH


Rick

whiteford Sun, 11/11/2007 - 14:11

Thanks, does it make sense why adding access-list 101 ip any any fixes the issue?


Should I add ip name-server to the router or add dns-server to the DHCP scope?


Also, in basic terms, what does ip inspect do?


Thanks

Richard Burts Sun, 11/11/2007 - 14:28

Andy


I am a bit surprised that adding permit ip any any to access list 101 fixes the issue. Access list 101 works in conjunction with ip inspect. ip inspect looks at outbound traffic and dynamically creates entries in the inbound access list to permit responses to come in that are responses to traffic initiated outbound from hosts on the inside. Since there is an inspect for DNS then DNS responses should get through. I suspect that there is something that the hosts need which is not provided by the inspect. Since access list 101 does have a deny ip any any at the bottom of the list and since that command includes the log parameter it should be possible to look in the logs and find what is being denied that is needed.


HTH


Rick

whiteford Sun, 11/11/2007 - 22:43

Thanks, ah so the ip inspect opens ports as and when they are needed on the outbound? Is the 101 list opening the inbound ports then?


How do I see the log then that might help see what's going on?



Many thanks

sunjiiv74 Mon, 11/12/2007 - 05:02

Hi whiteford,


Can you ping the DNS IP from the router itself? If yes, it's a NAT issue. I had a similar problem wherein I could ping DNS from the router but couldn't ping DNS from clients. I resolved it by enabling NAT through SDM.

whiteford Mon, 11/12/2007 - 07:00

Hi Sunjiiv74, do you have a sample config at hand for me to look at?


thanks

Richard Burts Mon, 11/12/2007 - 07:29

Andy


There are several possibilities of how to see the log which could help see what is going on. If you telnet or SSH to the router then you could do terminal monitor and the log messages should be sent to your telnet or SSH session. Log messages are also sent to the logging buffer. I see in the config that you set the logging buffer to the level of warning which does not show those log messages since the output of ACL processing is level 6. So if you change your config to this:

logging buffered 8192 info

then you should be able to see the log messages by doing show log.


HTH


Rick

whiteford Mon, 11/12/2007 - 08:04

I'll try that Rick. So how does the inspect policy work? I see the ports in the inspect list are the only ones allowed outbound in dialer list 1; if any aren't on there, will a user not be able to use that port?


How does access-list 101 work with the inspect list? Will a user go outbound, say on https (if the inspect rule allows it), and then if access-list 101 allows https back through dialer 1 the page will be displayed?

Richard Burts Mon, 11/12/2007 - 09:01

Andy


I am a bit puzzled about your comment about the ports specified by inspect and the dialer list. In the config that I am looking at the dialer list permits any IP packet.


Perhaps it would help to start with the observation that inspect is a way of implementing a firewall strategy. Basically the way that inspect works is that you configure inspect to look for certain types of traffic which you want to enable. You configure inspect on the outbound interface. You also configure an access list inbound on that interface (and in that access list you may configure some types of traffic - especially anything that you want to allow in when it is originated from outside). Then inspect looks at the outbound traffic. When it sees outbound traffic that matches what it is looking for, it dynamically creates entries in the inbound access list to permit the responses to that traffic through the inbound access list. This is more precise than the inbound access list could do on its own because in addition to the protocol port numbers it knows the source and destination addresses. The dynamic entries will dynamically be removed from the inbound access list when the traffic stops.


HTH


Rick

whiteford Mon, 11/12/2007 - 09:52

Hi Rick, it's becoming clearer now, just one thing: I don't see http in the inspect list. Would that mean a dynamic rule would not be created, stopping a webpage being displayed? Or does http come under something else? I just can't see a rule for http outbound access.


Thanks for your time, I will add the logging later and let you know what the output is.

Richard Burts Mon, 11/12/2007 - 10:03

Andy


I believe that there are 2 lines in the inspect configuration that help answer this:

ip inspect name SDM_LOW https

ip inspect name SDM_LOW tcp

I believe that the statement for tcp would cover regular http (as compared to https).


HTH


Rick

whiteford Mon, 11/12/2007 - 10:11

Damn thought I had something! I guess logging it is.


For best practice do you think my router's Internet DNS is right? I see there is an ip name-server option for the router to use.

Richard Burts Mon, 11/12/2007 - 13:39

Andy


It does seem kind of logical to assume that since there is an inspect for HTTP that if you do not inspect HTTP then it might not be permitted. But as I read about the inspect process I find that inspect http is there to allow you to do filtering on java and that normal http traffic is generally processed by the inspect tcp.


I note that the config has no ip cef configured and wonder if there is a reason for that? I wondered if that might impact the inspect process but I did find a reference that says that inspect works with process switched traffic. I am afraid that my suggestion at this point is to enable logging on the ACL deny statements and try to find what is being denied that is critical.


As for the question about name-server, that is what I am most used to seeing and using on the router. But the more that I look at this config the more that I think what you are doing with ppp ipcp dns request may fit your situation.


HTH


Rick

Richard Burts Mon, 11/12/2007 - 13:47

Andy


Now that I have answered that I have come up with a new theory about the problem. You have configured the router to act as the DNS server for the inside hosts. And there is no existing rule in access list 101 to permit inbound DNS. For inside hosts the inspect udp should permit their DNS traffic. But their DNS request would go to the router. And inspect examines traffic going through the router but does not examine traffic for which the router is the source or the destination.


So my theory is that the router DNS requests are not being inspected and therefore there is no dynamic rule to permit responses to the router DNS request. You could check this either by changing the config of the DHCP and, instead of specifying the router as the DNS, putting in a valid external DNS server address. Or you could check it by creating a permit in the access list to permit inbound DNS.


HTH


Rick

whiteford Tue, 11/13/2007 - 04:33

Hi, I will get the log file tonight, I posted last night (UK time) but must have dreamed it!


I saw the log showing that access-list 101 was denying access when ever I tried to access a website or MSN though.


Should I also be using "ip name-server" in the config and get the DHCP scope to point to external DNS servers? I'm not sure what the best practice is for this?

Richard Burts Tue, 11/13/2007 - 06:20

Andy


What I am particularly interested in from the log is what specific traffic is being denied. In my previous response I proposed a theory that the problem is that inspect does not examine traffic where the router itself is the source or the destination. So inspect should not create a permit for the router DNS request. And if the hosts are using the router as their DNS server, then that would be the problem. Seeing the log file could help confirm this. Putting an explicit permit into access list 101 for DNS to the router would be one way to fix it (assuming that I am right) or changing your DHCP configuration so that you do not give the router address as the DNS server to clients would be another way to fix it.


So post the file or make one of these changes.


HTH


Rick

whiteford Tue, 11/13/2007 - 06:41

Hi, I will get this log for you. If I just add a couple of DNS servers to the users' DHCP scope, will I have to do anything else, like remove anything, or should that be enough, as you said about those DNS settings in the dialer interface? I will get the log first though as it will be nice to see what this could be.

Richard Burts Tue, 11/13/2007 - 06:56

Andy


If you add a couple of DNS servers to the DHCP scope I do not believe that you would have to do anything else (assuming that the configuration which specifies the router address as DNS server is overwritten in the process of configuring the DNS servers).


I agree that it would be nice to see the log and to see if it verifies my theory.


HTH


Rick

whiteford Tue, 11/13/2007 - 11:18

Rick,


Here it is, 80.92.129.253 is my outside address:


Nov 13 19:03:35.086: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.110.90(1863) -> 80.92.129.253(1043), 1 packet

Nov 13 19:03:40.314: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 80.92.129.253(53), 1 packet

Nov 13 19:03:51.444: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 80.92.129.253(53), 1 packet

Nov 13 19:04:08.240: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.22.108.100(6348) -> 80.92.129.253(35191), 1 packet

Nov 13 19:04:28.244: %SEC-6-IPACCESSLOGP: list 101 denied udp 24.64.109.54(23048) -> 80.92.129.253(1026), 1 packet

Nov 13 19:04:52.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 199.106.212.28(80) -> 80.92.129.253(1087), 1 packet

Nov 13 19:10:20.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.192.113.155(1265) -> 80.92.129.253(445), 1 packet d

Nov 13 19:10:22.099: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.201.128.131(8087) -> 80.92.129.253(35191), 1 packet

Richard Burts Tue, 11/13/2007 - 11:37

Andy


Thanks for posting the log output. I believe that it does confirm my theory of what is causing the problem: the client sends a DNS request to the router, the router sends a DNS request to the servers it learned from the provider, and ACL 101 is denying the response coming to the router. And the reason that things work when you change ACL 101 to permit ip any any is that it then permits the router DNS, but as you comment it reduces the degree of security.


I believe that you can solve this immediate issue by putting a statement into ACL 101 to permit DNS responses to the router. Be aware that since the router is negotiating its address that the address might change over time.


I believe that you could also fix this immediate issue by changing your DHCP scope and putting some real DNS server into the scope rather than using the router address as the DNS server for the clients.


There may also be some issue that you need to look at concerning the other traffic to the router address that is being denied. Perhaps you can identify what this other traffic is and whether you need permits in ACL 101 for other router traffic as well as DNS.


HTH


Rick

whiteford Tue, 11/13/2007 - 13:01

Hi, everything I have tried seems to work now that I have amended the DHCP scope's DNS servers to 3 external ones.


I do get these popping up when I'm not doing anything; if I run an nslookup against them they seem to be from my ISP, I think.


Nov 13 20:55:38.861: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.198.54.60(2529) -> 90.198.235.164(135), 1 packet

Nov 13 20:55:54.881: %SEC-6-IPACCESSLOGP: list 101 denied udp 24.64.94.244(4028) -> 90.198.235.164(1026), 1 packet

H0m3#

Nov 13 20:56:55.416: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 90.198.235.164(56311), 2 packets

Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 90.198.235.164(50746), 2 packets

Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.109.91(1863) -> 90.198.235.164(1676), 12 packets


Correct Answer
Richard Burts Tue, 11/13/2007 - 13:06

Andy


I do believe that putting external DNS servers into the scope is a good solution. I am glad that things are now working as expected.


HTH


Rick

whiteford Tue, 11/13/2007 - 13:21

The only part that concerns me is when I try and use my Cisco VPN client to my work's concentrator on 1.2.3.4: it connects but I can't access anything or ping anything at work:


Nov 13 21:18:55.439: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets


Do I need some gre rule or something?


Correct Answer
Richard Burts Tue, 11/13/2007 - 14:06

Andy


What you need is an IPSec rule. ip inspect will examine TCP and UDP but does not examine protocols like ESP (which is IP protocol 50) and is the foundation of IPSec. This is what is being denied by the access list:

list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets

Note that the "denied 50" indicates denied protocol 50 = ESP. So you will need to add a rule in access list 101 to permit ESP protocol 50 traffic. Then this issue should be solved.


HTH


Rick
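Added example (not from the thread or from Cisco): a Python pass over the ACL 101 deny lines Andy posted, separating the two classes that ip inspect can never open a hole for, DNS replies to the router's own request and ESP (protocol 50) for the VPN client, from unsolicited noise, and emitting the narrow permits Rick describes instead of permit ip any any. The sample log, router WAN address and ISP resolver addresses are taken from the posts above; the suggested permits use any as the destination because, as Rick notes, the negotiated WAN address can change.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: the ACL deny lines quoted in this thread. 90.198.235.164 is the router's
# negotiated WAN address; the two port-53 sources are the ISP resolvers learned via PPP IPCP.
SAMPLE_LOG = """\
Nov 13 20:56:55.416: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 90.198.235.164(56311), 2 packets
Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 90.198.235.164(50746), 2 packets
Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.109.91(1863) -> 90.198.235.164(1676), 12 packets
Nov 13 20:55:38.861: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.198.54.60(2529) -> 90.198.235.164(135), 1 packet
Nov 13 21:18:55.439: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets
"""
ROUTER_WAN = "90.198.235.164"
ISP_DNS = {"90.207.238.97", "87.86.189.16"}
# IPACCESSLOGP (TCP/UDP) lines carry ports; IPACCESSLOGNP lines carry only the IP protocol number.
LOGP = re.compile(r"list (\S+) denied (tcp|udp) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\), (\d+) packets?")
LOGNP = re.compile(r"list (\S+) denied (\d+) ([\d.]+) -> ([\d.]+), (\d+) packets?")

@dataclass
class Deny:
    acl: str
    proto: str             # "tcp", "udp", or the IP protocol number as text, e.g. "50"
    src: str
    sport: Optional[int]   # None for protocols without ports
    dst: str
    dport: Optional[int]
    packets: int

def parse_deny(line: str) -> Optional[Deny]:
    """Parse one ACL deny message; return None for any other log line."""
    if "%SEC-6-IPACCESSLOGP:" in line and (m := LOGP.search(line)):
        acl, proto, src, sport, dst, dport, pkts = m.groups()
        return Deny(acl, proto, src, int(sport), dst, int(dport), int(pkts))
    if "%SEC-6-IPACCESSLOGNP:" in line and (m := LOGNP.search(line)):
        acl, proto, src, dst, pkts = m.groups()
        return Deny(acl, proto, src, None, dst, None, int(pkts))
    return None

def classify(d: Deny, router_wan: str, dns_servers: set) -> str:
    """Name the class of traffic that ip inspect could not have opened a hole for."""
    if d.proto == "50":
        return "esp"                  # IPSec ESP is not TCP/UDP, so inspect never sees it
    if d.proto == "udp" and d.sport == 53 and d.dst == router_wan and d.src in dns_servers:
        return "dns-reply-to-router"  # router-sourced DNS: inspect skips router-own traffic
    return "unsolicited"              # left for manual review, as the thread does

def suggest_acl_entry(d: Deny, kind: str) -> Optional[str]:
    """Narrow permit for the inbound ACL; destination 'any' because the WAN address can change."""
    if kind == "esp":
        return f"access-list {d.acl} permit esp host {d.src} any"
    if kind == "dns-reply-to-router":
        return f"access-list {d.acl} permit udp host {d.src} eq domain any"
    return None

def review(log_text: str, router_wan: str, dns_servers: set):
    """Return one (kind, packets, permit-or-None) tuple per deny line, plus deduplicated permits."""
    findings = []
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d is not None:
            kind = classify(d, router_wan, dns_servers)
            findings.append((kind, d.packets, suggest_acl_entry(d, kind)))
    permits = list(dict.fromkeys(entry for _, _, entry in findings if entry))
    return findings, permits
```

Run `review(SAMPLE_LOG, ROUTER_WAN, ISP_DNS)` against the output of `show log` once `logging buffered 8192 info` is in place; the unsolicited entries still need a human decision, which is what Rick asks for.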

whiteford Tue, 11/13/2007 - 14:17

I will try this and let you know, and I will rate the post as it's been so useful.

whiteford Wed, 11/14/2007 - 01:57

Hi, should telnet work from a remote Internet host on this config? I have added the following, but can't gain access from another location via telnet. I wouldn't mind the SDM too; I haven't got a static address, so will try to use DDNS at some point again as I tried and failed at that :)


access-list 50 permit 4.3.2.1


line vty 0 4

access-class 50 in

privilege level 15

login local

transport input telnet

transport output all

Richard Burts Wed, 11/14/2007 - 03:52

Andy


I would not expect telnet from an Internet host to work with the existing config. Putting an entry into access list 50 to permit remote access from the host is an important part of enabling access but is not enough. You also need an entry in access list 101 to permit the inbound telnet. And if you want to use SDM then you would need permit statements for that also.


If you are going to be doing remote access from an Internet host it might be good to think about using SSH rather than telnet. SSH provides similar functions as telnet and is much more secure.


HTH


Rick

Richard Burts Wed, 11/14/2007 - 10:42

Andy


Yes SSH is easy to configure. You do need to verify that the feature set of the code that you are running will support SSH (that it supports encryption). You will need to generate RSA keys (and generation of RSA keys needs to have a unique host name and a domain name - the config that you posted looks like it has the host name blanked out and I do not see a domain name). If you are running fairly recent code you probably want to configure to specify SSH version 2. I see that you already have the vty lines configured with transport input telnet ssh so they should be good to go with SSH.


HTH


Rick

whiteford Wed, 11/14/2007 - 10:55

Great, do you have the example code I need to add for SSH? I will give it a go.

Thanks

Richard Burts Wed, 11/14/2007 - 11:16

Andy


try this:

config t

crypto key generate rsa general-keys modulus 1024

ip ssh version 2

end

you should then be able to access the router using SSH.


HTH


Rick

whiteford Wed, 11/14/2007 - 11:34

Also you said I need to configure a domain? I don't have one where this router is, do I make one up?

Richard Burts Wed, 11/14/2007 - 11:36

Andy


I would assume that you should make one up if there is not one already.


HTH


Rick

whiteford Fri, 11/16/2007 - 13:07

Hi Rick, I was just wondering if you have had any experience with DDNS? I have added the commands into the CLI but it looks like it wants to send my inside router address out to update my domain name and not the outside address; not sure if it's my NAT that's doing this.




Richard Burts Fri, 11/16/2007 - 13:56

Andy


Dynamic DNS is an area that I do not have much experience with. What happens if you leave the DDNS configuration under the dialer interface but not under the Ethernet interface?


HTH


Rick

whiteford Fri, 11/16/2007 - 14:04

Yeah I tried that, but the output log is the same. The first part of the log looks good, but in the second part it then uses the inside address to send to dyndns.org.


