NAT/DNS problem

Unanswered Question
May 7th, 2008
Hello all, I am experiencing a problem with my 2600 router running Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17). The problem is that "ip dns server" stops working when I set NAT:

ip nat inside source static tcp 192.168.57.171 53 61.XXX.XXX.XXX 53 extendable
ip nat inside source static udp 192.168.57.171 53 61.XXX.XXX.XXX 53 extendable

I need my router to be able to PAT all incoming requests from the WAN side to an internal DNS server, but at the same time to reply to DNS queries for my network. Any help is greatly appreciated.


Best Regards

Pravin Phadte Fri, 05/09/2008 - 03:55

Can you share the DNS and your NAT configs?

carlosruizz Sun, 05/11/2008 - 22:06

Thank you for your reply. Sure, here are the configurations used in the lab:


192.168.11.1 (gateway+dns server)

192.168.11.200 (router with the problem)


Current configuration : 1833 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname techno-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 adsfads
enable password 7 dasfasdf
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip name-server 192.168.11.1
!
!
interface FastEthernet0/0
 ip address 192.168.11.200 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.11.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat pool nat-pool 192.168.11.200 192.168.11.200 netmask 255.255.255.0
ip nat inside source list 10 pool nat-pool overload
ip nat inside source static tcp 192.168.57.171 53 192.168.11.200 53 extendable
ip nat inside source static udp 192.168.57.171 53 192.168.11.200 53 extendable
!
access-list 10 permit 192.168.57.0 0.0.0.255
access-list 110 deny tcp any 192.168.11.0 0.0.0.255 eq telnet
access-list 110 deny icmp any 192.168.11.0 0.0.0.255 8 0
access-list 110 permit ip any any
!
!
!
control-plane
!
line con 0
 password 7 dasf
 login
 speed 115200
line aux 0
 password 7 adsf
 login
line vty 0 4
 password 7 adsf
 login
!
!
end

Pravin Phadte Mon, 05/12/2008 - 01:53

Can you add the below commands on the router?

ip domain-lookup
ip domain name company.com

carlosruizz Mon, 05/12/2008 - 20:11

Thank you, pravinxyz, for your reply. ip domain-lookup was already set and I added ip domain name company.com, but the ip dns server still refuses to work. I wonder if there is a way to limit ip dns server to work only for fa0/1 and the PAT -> 53 to work only on fa0/0.


Thank you

Pravin Phadte Tue, 05/13/2008 - 05:21

I am not sure what this route is for:

ip route 0.0.0.0 0.0.0.0 192.168.11.1


I would request you to configure routes as below and check.

ip route 192.168.57.0 255.255.255.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

carlosruizz Wed, 05/14/2008 - 00:30

Hello pravinxyz, thank you,

ip route 0.0.0.0 0.0.0.0 192.168.11.1

is the default gateway.

I believe this is a problem related to the way "ip dns server" works. Once set up, it will enable the DNS server (forwarder) within the router, which uses UDP 53. When I set the PAT translation to 53 UDP, the router's internal DNS server can no longer use UDP 53. That is why I'm looking for a way to confine "ip dns server" to an interface, as well as the PAT redirection.


Regards
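The collision the last post describes (the router's own DNS service and a static NAT/PAT entry both claiming port 53 on the outside address) is easy to re-introduce during later edits, so it is worth catching in a config review before the change goes live. The script below is an added example written for this thread, not Cisco code: it parses a running-config as plain text and flags any `ip nat inside source static tcp|udp ... 53 <addr> 53` entry whose outside address belongs to an `ip nat outside` interface while `ip dns server` is enabled. The sample config is constructed after the lab config posted above; the parsing rules are assumptions about the config text, not claims about IOS internals.

```python
"""Lint a Cisco IOS running-config for the port-53 NAT / 'ip dns server'
collision discussed in the thread.  Added example, not Cisco code; the
sample config below is constructed (modelled on the posted lab config)."""
import re
from collections import namedtuple

PortForward = namedtuple(
    "PortForward", "proto inside_ip inside_port outside_ip outside_port")

# Only the static tcp/udp port-forward form is of interest here.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
INTERFACE_RE = re.compile(r"^interface (\S+)")
IP_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")


def parse_config(text):
    """Return (dns_server_enabled, {iface: {'ip':..., 'nat':...}}, [PortForward]).

    Assumes IOS layout: interface sub-commands are indented by one space and
    any non-indented line (including '!') ends the interface block.
    """
    dns_server = False
    interfaces = {}
    forwards = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "ip dns server":
            dns_server = True
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "nat": None}
            continue
        if current is not None and line.startswith(" "):
            m = IP_ADDR_RE.match(line)
            if m:
                interfaces[current]["ip"] = m.group(1)
            elif line.strip() == "ip nat outside":
                interfaces[current]["nat"] = "outside"
            elif line.strip() == "ip nat inside":
                interfaces[current]["nat"] = "inside"
            continue
        current = None  # left the interface block
        m = STATIC_RE.match(line)
        if m:
            proto, iip, iport, oip, oport = m.groups()
            forwards.append(PortForward(proto, iip, int(iport), oip, int(oport)))
    return dns_server, interfaces, forwards


def find_collisions(text):
    """List static port-53 forwards that land on an outside-interface address
    while the router's own DNS server is enabled."""
    dns_server, interfaces, forwards = parse_config(text)
    if not dns_server:
        return []
    outside_ips = {d["ip"] for d in interfaces.values() if d["nat"] == "outside"}
    findings = []
    for fw in forwards:
        if fw.outside_port == 53 and fw.outside_ip in outside_ips:
            findings.append(
                f"{fw.proto}/53 on {fw.outside_ip} is statically forwarded to "
                f"{fw.inside_ip}:{fw.inside_port} while 'ip dns server' is enabled")
    return findings


# Constructed sample, modelled on the lab config posted in the thread.
SAMPLE_CONFIG = """\
hostname techno-router
!
ip name-server 192.168.11.1
!
interface FastEthernet0/0
 ip address 192.168.11.200 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
!
ip dns server
!
ip nat inside source list 10 pool nat-pool overload
ip nat inside source static tcp 192.168.57.171 53 192.168.11.200 53 extendable
ip nat inside source static udp 192.168.57.171 53 192.168.11.200 53 extendable
!
end
"""

if __name__ == "__main__":
    for finding in find_collisions(SAMPLE_CONFIG) or ["no port-53 collision found"]:
        print(finding)
```

Run it against a saved `show running-config` to get one line per conflicting protocol; removing the `ip dns server` line (or pointing the static entry at an address that is not an `ip nat outside` interface) makes the report empty, which is exactly the condition the thread is trying to reach.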
