NAT/DNS problem

carlosruizz
Level 1

Hello all, I am experiencing a problem with my 2600 router running Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17). The problem is that "ip dns server" stops working when I set NAT:

ip nat inside source static tcp 192.168.57.171 53 61.XXX.XXX.XXX 53 extendable

ip nat inside source static udp 192.168.57.171 53 61.XXX.XXX.XXX 53 extendable

I need my router to be able to PAT all incoming requests from the WAN side to an internal DNS server but at the same time to reply to DNS queries for my network. Any help is greatly appreciated.

Best Regards

6 Replies

Pravin Phadte
Level 5

Can you share the DNS and your NAT configs?

Thank you, for your reply, sure here are the configurations used in the lab:

192.168.11.1 (gateway+dns server)

192.168.11.200 (router with the problem)

Current configuration : 1833 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname techno-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 adsfads
enable password 7 dasfasdf
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip name-server 192.168.11.1
!
!
interface FastEthernet0/0
 ip address 192.168.11.200 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.11.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat pool nat-pool 192.168.11.200 192.168.11.200 netmask 255.255.255.0
ip nat inside source list 10 pool nat-pool overload
ip nat inside source static tcp 192.168.57.171 53 192.168.11.200 53 extendable
ip nat inside source static udp 192.168.57.171 53 192.168.11.200 53 extendable
!
access-list 10 permit 192.168.57.0 0.0.0.255
access-list 110 deny tcp any 192.168.11.0 0.0.0.255 eq telnet
access-list 110 deny icmp any 192.168.11.0 0.0.0.255 8 0
access-list 110 permit ip any any
!
!
!
control-plane
!
line con 0
 password 7 dasf
 login
 speed 115200
line aux 0
 password 7 adsf
 login
line vty 0 4
 password 7 adsf
 login
!
!
end

Can you add the commands below on the router:

ip domain-lookup

ip domain name company.com

Thank you pravinxyz for your reply. ip domain-lookup was already set and I added ip domain name company.com, but ip dns server still refuses to work. I wonder if there is a way to limit ip dns server to work only on fa0/1 and the PAT -> 53 to work only on fa0/0.

Thank you

I am not sure what this route is for?

ip route 0.0.0.0 0.0.0.0 192.168.11.1

I would request you to config a route as below and check.

ip route 192.168.57.0 255.255.255.0 fastethernet0/1

ip route 0.0.0.0 0.0.0.0 fastethernet0/0

Hello pravinxyz thank you,

ip route 0.0.0.0 0.0.0.0 192.168.11.1

is the default gateway

I believe this is a problem related to the way "ip dns server" works. Once set up, it enables the DNS server (forwarder) within the router, which uses UDP 53. When I set the PAT translation to UDP 53, the router's internal DNS server can no longer use UDP 53. That is why I'm looking for a way to confine "ip dns server" to an interface, as well as the PAT redirection.

Regards
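As an added example (not posted in this thread), a small Python probe that sends one DNS query to each of the router's addresses from the configuration above and reports whether a DNS server answered, refused the query, or nothing came back; run from an inside host it checks the fa0/1 side, from the 192.168.11.0/24 side it checks what the static PAT does with UDP 53. The name example.com and the transaction id are placeholders.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so stray replies can be told apart


def build_dns_query(name, qtype=1):
    """Build a minimal DNS query (type A by default, recursion desired)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_header(data):
    """Return (txid, is_response, rcode, answer_count) of a DNS message."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an


def probe(server_ip, name="example.com", timeout=2.0):
    """Send one UDP/53 query to server_ip and classify the outcome.

    'answered'  - a DNS response came back (rcode other than REFUSED)
    'refused'   - rcode 5, a server is listening but will not serve us
    'no-answer' - nothing listening, or the packet was diverted elsewhere
    """
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-answer"
    txid, is_resp, rcode, _answers = parse_dns_header(data)
    if txid != TXID or not is_resp:
        return "no-answer"  # not a reply to our query
    return "refused" if rcode == 5 else "answered"


if __name__ == "__main__":
    # fa0/1 address serves inside clients; fa0/0 address carries the PAT.
    for ip in ("192.168.57.1", "192.168.11.200"):
        print(ip, probe(ip))
```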
