Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
508
Views
0
Helpful
2
Replies

DNS Authoritive Servers and IP NAT outside source being blocked

networksavvy
Level 1
Level 1

‎01-10-2008 10:59 AM - edited ‎03-05-2019 08:23 PM

On my 1841 Router. I appreciate any help! Normal SMTP from the outside coming into our NAT'ed router to the SMTP server 10.1.3.134 does not work. If we do nslookups on our internal DNS servers they fail. Our internal DNS servers are not able to contact the external authoritive master servers. I have domain, 25 opened.

This config works on another router at another company I have configured in the past.

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname KM-1841-OAP

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

resource policy

!

clock timezone Chicago -6

clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

ip cef

!

!

!

!

ip domain name xxxxxx.com

ip name-server ISP DNS1

ip name-server ISP DNS2

!

!

interface FastEthernet0/0

description LAN$ES_LAN$$FW_INSIDE$$ETH-LAN$

ip address 10.1.3.30 255.255.0.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description CENTURYTEL-INTET$FW_OUTSIDE$$ETH-WAN$

ip address 69.x.x.x 255.255.255.248

ip access-group INBOUND in

ip access-group OUTBOUND out

ip verify unicast reverse-path

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

router rip

network 10.0.0.0

!

ip route 0.0.0.0 0.0.0.0 69.x.x.x

!

!

ip http server

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list INSIDE_NAT_ADDRESSES interface FastEthernet0/1 overloa

d

ip nat outside source static tcp 69.x.x.x 25 10.1.3.134 25 extendable

!

ip access-list standard INSIDE_NAT_ADDRESSES

permit 10.0.0.0 0.255.255.255

!

ip access-list extended INBOUND

remark ---applied to traffic entering the office---

permit tcp any any established

permit icmp any any echo-reply

permit tcp any host 10.1.3.6 eq 1494

permit tcp any host 10.1.3.6 eq 88

permit udp host 10.1.3.102 any

permit udp host 10.1.3.104 any

permit udp any host 10.1.3.102

permit udp any host 10.1.3.104

permit tcp any host 10.1.3.21 eq 3389

permit tcp any host 10.1.3.2 eq www

permit tcp any host 10.1.3.134 eq smtp

ip access-list extended OUTBOUND

remark ---applied to traffic leaving the office---

permit tcp any any eq www

permit tcp any any eq 443

permit icmp any any echo

permit tcp any host 199.80.65.1 eq 9000

permit tcp any host 69.2.40.5 eq 5088

permit tcp any host 65.206.239.163 eq 60000

permit tcp any any eq ftp

permit tcp any any eq 37

permit tcp any any eq nntp

permit tcp any any eq 2096

permit tcp any any eq 2095

permit tcp any any eq 2082

permit tcp any any eq 3389

permit tcp any any eq telnet

permit tcp any any eq pop3

permit tcp any any eq 8090

permit tcp host 10.1.3.40 any eq smtp

permit tcp host 10.1.3.102 any eq smtp

permit tcp host 10.1.3.104 any eq smtp

permit tcp host 10.1.3.103 any eq smtp

permit tcp host 10.1.3.108 any eq smtp

permit tcp host 10.1.3.134 any eq smtp

permit tcp any any eq 1494

permit tcp any any eq 7777

permit tcp any any eq 554

permit tcp any any eq 3101

permit udp any any eq isakmp

permit tcp any any eq 4043

permit udp any any eq 4043

permit tcp any any eq 8000

permit tcp host 10.1.3.102 any

permit tcp host 10.1.3.104 any

permit udp host 10.1.3.102 any

permit udp host 10.1.3.104 any

permit udp any any eq domain

permit tcp any any eq domain

permit tcp any any eq 2086

permit tcp any any eq 2087

permit tcp any any eq smtp

permit tcp host 10.1.3.200 any

!

!

!

control-plane

!

!

banner motd ^C

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15 0

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp clock-period 17178416

ntp update-calendar

ntp server 10.1.3.104 source FastEthernet0/0 prefer

end

Labels:
0 Helpful
2 Replies 2

networksavvy
Level 1
Level 1

‎01-10-2008 05:44 PM

Anyone? I would be so in debt to you. I've even tried permit udp any any and permit tcp any any and nothing. I've tried using 53 instead of domain, played with the INBOUND and OUTBOUND list - nothing. I would even donate 20.00 :) I know for a fact DNS wasn't this hard to configure on the last 1841 I used.

The only way I can get it working is by removing the acl from the interface or adding permit ip any any in the list.

Thanks in advance!

0 Helpful

adam.sellhorn
Level 4
Level 4

‎01-11-2008 08:04 AM

Your inbound acl needs to have the 69.x.x.x address(es) for the destination address since the outside interface is Internet facing. It is unlikely that the outside interface will see traffic with the destination of 10.1.3.x. For example:

instead of permit tcp any host 10.1.3.134 eq smtp

you will want permit tcp any host 69.x.x.x eq smtp

where 69.x.x.x is the mapped address of your mail server 10.1.3.134.

I belive you will also need to have a line like this to get your internal DNS server to work correctly.

permit udp any eq domain host 69.x.x.x (Ouside interface IP that is overloaded)

Here is a link that can help configuring a cisco router to be a firewall without having the firewall feature set:

http://www.dslreports.com/faq/14453

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card