Cisco 837 won't resolve DNS - config attached

whiteford
Level 1

Hi, I have this config attached. For some reason I can't resolve DNS of web sites etc. If I put the IP of the website in, it works. I'm sure it's something to do with access-list 101. Hope you can advise.

Also MSN won't work.

If I add access-list 101 permit ip any any

all works, but that makes everything insecure?

2 Accepted Solutions

Andy

I do believe that putting external DNS servers into the scope is a good solution. I am glad that things are now working as expected.

HTH

Rick

Andy

What you need is an IPSec rule. ip inspect will examine TCP and UDP but does not examine protocols like ESP (which is IP protocol 50) and is the foundation of IPSec. This is what is being denied by the access list:

list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets

Note that the "denied 50" indicates denied protocol 50 = ESP. So you will need to add a rule in access list 101 to permit ESP (protocol 50) traffic. Then this issue should be solved.

HTH

Rick

37 Replies

Richard Burts
Hall of Fame

Andy

I am not clear whether the problem that you describe is that the router itself can not resolve DNS or that hosts in the LAN connected to the router can not resolve DNS. So let me address both possible issues and you can tell us if either one seems to address your issue.

- router can not resolve DNS. This one is actually pretty simple because I do not see anything in the router config that identifies a DNS server for the router to use. If you want the router to resolve DNS then you need to configure a DNS server that it should access.

- hosts on the LAN can not resolve DNS. I note that the DHCP parameters configured will give the host dns-server 192.168.2.100. But that is the address of the router interface. A router is not a very effective DNS server - especially when the router is not configured with any DNS server to use itself. The best solution is to change the DHCP parameter and identify some real DNS server.

HTH

Rick

Thanks, does it make sense why adding access-list 101 ip any any fixes the issue?

Should I add ip name-server to the router or add dns-server to the DHCP scope?

Also in basic what does ip inspect do as a job?

Thanks

Andy

I am a bit surprised that adding permit ip any any to access list 101 fixes the issue. Access list 101 works in conjunction with ip inspect. ip inspect looks at outbound traffic and dynamically creates entries in the inbound access list to permit responses to come in that are responses to traffic initiated outbound from hosts on the inside. Since there is an inspect for DNS then DNS responses should get through. I suspect that there is something that the hosts need which is not provided by the inspect. Since access list 101 does have a deny ip any any at the bottom of the list and since that command includes the log parameter it should be possible to look in the logs and find what is being denied that is needed.

HTH

Rick

Thanks, ah so the ip inspect opens ports as and when they are needed on the outbound? Is the 101 list opening the inbound ports then?

How do I see the log then that might help see what's going on?

Many thanks

Hi whiteford,

can you ping the DNS IP from the router itself? If yes, it's a NAT issue. I had a similar problem wherein I could ping DNS from the router but couldn't ping DNS from clients. I resolved it by enabling NAT through SDM.

Hi Sunjiiv74, do you have a sample config at hand for me to look at?

thanks

Andy

There are several possibilities of how to see the log which could help see what is going on. If you telnet or SSH to the router then you could do terminal monitor and the log messages should be sent to your telnet or SSH session. Log messages are also sent to the logging buffer. I see in the config that you set the logging buffer to the level of warning which does not show those log messages since the output of ACL processing is level 6. So if you change your config to this:

logging buffered 8192 info

then you should be able to see the log messages by doing show log.

HTH

Rick
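Once the buffered logging level is raised as Rick describes, `show log` fills with ACL deny messages like the `list 101 denied 50 ...` line quoted in the accepted solution. This is an added illustration, not code from the thread: a small parser for the two IOS ACL log formats (with and without ports) that totals what ACL 101 is denying, so the protocol the inspect rules are not opening (here ESP, and a DNS reply) stands out. The log lines other than the ESP one are constructed samples.

```python
import re
from collections import Counter

# Protocol numbers that appear in IOS ACL log lines for protocols without
# ports (50 is the ESP number quoted in the thread).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

# %SEC-6-IPACCESSLOGP carries ports, %SEC-6-IPACCESSLOGNP does not.
_WITH_PORTS = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")
_NO_PORTS = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?")

def parse_acl_log(line):
    """Decode one ACL log message; returns None for lines that are not one."""
    m = _WITH_PORTS.search(line) or _NO_PORTS.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["proto"].isdigit():  # numeric protocol, e.g. "50" -> "esp"
        rec["proto"] = PROTO_NAMES.get(int(rec["proto"]), "ip-proto-" + rec["proto"])
    rec["count"] = int(rec["count"])
    rec["sport"] = int(rec["sport"]) if rec.get("sport") else None
    rec["dport"] = int(rec["dport"]) if rec.get("dport") else None
    return rec

def summarise_denies(lines):
    """Total denied packets per (acl, proto, source port). For replies the
    source port is the service side (53 = a DNS answer), which is what the
    inspect rules should have opened dynamically."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["proto"], rec["sport"])] += rec["count"]
    return totals

# Constructed show-log excerpt: the ESP line is the one quoted in the thread,
# the other two are made up to show a denied DNS reply and a permitted flow.
SAMPLE_LOG = [
    "*Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGP: list 101 denied udp 1.2.3.4(53) -> 90.198.235.164(49152), 3 packets",
    "*Mar  1 00:12:05.456: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets",
    "*Mar  1 00:12:09.789: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 1.2.3.4(443) -> 90.198.235.164(1025), 1 packet",
]

if __name__ == "__main__":
    for key, n in summarise_denies(SAMPLE_LOG).items():
        print(key, n)
```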

I'll try that Rick. So how does the inspect policy work? I see all the ports in the inspect list are the only ones allowed outbound in dialer list 1; if any aren't on there, will a user not be able to use that port?

How does access-list 101 work with the inspect list? Will a user go outbound, say on https (if the inspect rule allows it), and then if access-list 101 allows https back through dialer 1 the page will be displayed?

Andy

I am a bit puzzled about your comment about the ports specified by inspect and the dialer list. In the config that I am looking at the dialer list permits any IP packet.

Perhaps it would help to start with the observation that inspect is a way of implementing a firewall strategy. Basically the way that inspect works is that you configure inspect to look for certain types of traffic which you want to enable. You configure inspect on the outbound interface. You also configure an access list inbound on that interface (and in that access list you may configure some types of traffic - especially anything that you want to allow in when it is originated from outside). Then inspect looks at the outbound traffic. When it sees outbound traffic that matches what it is looking for it dynamically creates entries in the inbound access list to permit that traffic responses through the inbound access list. This is more precise than the inbound access list could do on its own because in addition to the protocol port numbers it knows the source and destination addresses. The dynamic entries will dynamically be removed from the inbound access list when the traffic stops.

HTH

Rick

Hi Rick, it's becoming clearer now. Just one thing: I don't see http in the inspect list. Would that mean a dynamic rule would not be created, stopping a webpage being displayed? Or does http come under something else? I just can't see a rule for http outbound access.

Thanks for your time, I will add the logging later and let you know what the output is.

Andy

I believe that there are 2 lines in the inspect configuration that help answer this:

ip inspect name SDM_LOW https

ip inspect name SDM_LOW tcp

I believe that the statement for tcp would cover regular http (as compared to https).

HTH

Rick

Damn, thought I had something! I guess logging it is.

For best practice do you think my router's internet DNS is right? I see there is an ip name-server option for the router to use.

Andy

It does seem kind of logical to assume that since there is an inspect for HTTP that if you do not inspect HTTP then it might not be permitted. But as I read about the inspect process I find that inspect http is there to allow you to do filtering on java and that normal http traffic is generally processed by the inspect tcp.

I note that the config has no ip cef configured and wonder if there is a reason for that? I wondered if that might impact the inspect process but I did find a reference that says that inspect works with process switched traffic. I am afraid that my suggestion at this point is to enable logging on the ACL deny statements and try to find what is being denied that is critical.

As for the question about name-server, that is what I am most used to seeing and using on the router. But the more that I look at this config the more that I think what you are doing with ppp ipcp dns request may fit your situation.

HTH

Rick

Andy

Now that I have answered that I have come up with a new theory about the problem. You have configured the router to act as the DNS server for the inside hosts. And there is no existing rule in access list 101 to permit inbound DNS. For inside hosts the inspect udp should permit their DNS traffic. But their DNS request would go to the router. And inspect examines traffic going through the router but does not examine traffic for which the router is the source or the destination.

So my theory is that the router DNS requests are not being inspected and therefore there is no dynamic rule to permit responses to the router DNS request. You could check this either by changing the config of the DHCP and instead of specifying the router as the DNS put in a valid external DNS server address. Or you could check it by creating a permit in access list to permit inbound DNS.

HTH

Rick
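Rick's description of how inspect works (dynamic entries created from inspected outbound traffic, consulted before the static inbound ACL) and his theory that the router's own DNS lookups are never inspected can be played through in a toy model. This is an added example, not code from the thread or from Cisco: a `CbacFirewall` class that mimics `ip inspect ... tcp/udp` on the WAN interface plus ACL 101, with NAT ignored and the host, DNS-server and IPsec-peer addresses constructed. The three scenarios are the ones discussed above: a LAN host resolving directly, the router resolving on the hosts' behalf, and ESP from a LAN host.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "esp"
    src: str
    sport: int   # 0 for protocols without ports (ESP)
    dst: str
    dport: int

# Protocols that "ip inspect name SDM_LOW tcp" / "... udp" track; ESP is not one.
INSPECTED = {"tcp", "udp"}

class CbacFirewall:
    """Toy model of ip inspect on the WAN interface plus inbound ACL 101.
    NAT is ignored: addresses are used as-is on both sides of the router."""
    def __init__(self, static_permits=()):
        # Static entries are (proto, source port or None); ("esp", None) stands
        # for the "permit esp" rule from the accepted solution.
        self.static = set(static_permits)
        self.dynamic = set()   # return flows opened by inspecting outbound traffic

    def outbound(self, pkt, router_originated=False):
        # Inspection only sees transit traffic; packets the router itself
        # sources (its own DNS lookups) never open a return entry.
        if not router_originated and pkt.proto in INSPECTED:
            self.dynamic.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.dynamic:
            return "permitted (dynamic)"
        if (pkt.proto, pkt.sport) in self.static or (pkt.proto, None) in self.static:
            return "permitted (static)"
        return "denied"   # falls through to "deny ip any any log" in ACL 101

def scenarios(static_permits=()):
    """Replay the three cases from the thread; host/DNS/peer addresses are constructed."""
    fw = CbacFirewall(static_permits)
    router, host, dns, peer = "90.198.235.164", "192.168.2.50", "203.0.113.53", "198.51.100.7"
    results = {}
    # 1. A LAN host queries an external DNS server directly: the reply is opened.
    fw.outbound(Packet("udp", host, 40000, dns, 53))
    results["host_dns"] = fw.inbound(Packet("udp", dns, 53, host, 40000))
    # 2. The router resolves on the hosts' behalf: its own query is not inspected.
    fw.outbound(Packet("udp", router, 40001, dns, 53), router_originated=True)
    results["router_dns"] = fw.inbound(Packet("udp", dns, 53, router, 40001))
    # 3. IPsec from a LAN host: ESP is never inspected, so only a static entry helps.
    fw.outbound(Packet("esp", host, 0, peer, 0))
    results["esp"] = fw.inbound(Packet("esp", peer, 0, host, 0))
    return results
```

Running `scenarios()` with no static permits shows only the host's own DNS reply getting through; `scenarios({("esp", None)})` and `scenarios({("udp", 53)})` correspond to the two fixes suggested in the thread.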