Unable to forward DNS on a 2610

scott.k.logan
Level 1

I've got some extensive port forwarding set up, and all of it works, except DNS. The word on Google is that Cisco NAT modifies the DNS packets somehow. I can't seem to find a way to fix this.

I have to forward the DNS packets just like any others. Port 53 seems to be open, but all DNS queries fail.

Here is my forwarding config:

ip nat pool server-primary 192.168.1.4 192.168.1.4 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Ethernet1/0 overload
ip nat inside destination list 100 pool server-primary
ip route 0.0.0.0 0.0.0.0 69.xx.xx.xx
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq 143
access-list 100 permit udp any any eq 143
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
dialer-list 1 protocol ip permit

Like I said, all of the forwards work...but DNS gives me issues.

Thanks in advance,

--scott


6 Replies

paolo bevilacqua
Hall of Fame

For the configuration above, you're not forwarding anything.

Explain what you're trying to do and an answer can be given.

There is a method for "port range" forwarding using access lists. I've tried "ip nat inside source static udp 192.168.1.4 80 Ethernet 1/0 53" and it gives the same results. All of the other ports forward just fine (80, 143, 25) and canyouseeme says that port 53 is open, but for some reason none of the DNS packets make it through. I've run Wireshark on the server and it confirms these findings. There are HTTP packets, but no DNS packets make it.

Thanks,

--scott

Hi Scott,

Please try to post more of your configuration if possible. You have posted an excerpt, but only after scrutinizing it longer did I guess that you have an internal network that you are hiding behind the E1/0 interface and that there is another internal network (the same as before? different? I can't say) from which you want to export selected TCP/UDP services to the outside world.

You are saying that the DNS does not seem to work. Are you able to sniff the packets at the DNS server to see if the requests arrive? And also, are you able to sniff the DNS replies after they traverse your NAT box and see if they have been changed in their contents?

From what you have indicated here it is not clear whether the DNS messages are not delivered at all or if just an inappropriate translation of their contents is taking place. You should make yourself clear in this issue.

Best regards,

Peter

You're right, my apologies. I will explain in more detail:

I'm using a 2610 with the enterprise IOS. ETH0/0 is my internal LAN, 192.168.1.0/24, and ETH1/0 is the internet, 69.x.x.x. I'm running a master DNS server as well as IMAP and HTTP. With this config, IMAP and HTTP both work correctly, but DNS does not. If I try to telnet to port 53 from outside the network, the connection opens correctly. But when a DNS query comes into ETH1/0, the packet seems to stop there and does not reach the server, 192.168.1.4. Again, my apologies for the lack of details. Thank you both for your timely responses!

My full running-config is attached.

Hello Scott,

I understand better now.

Well, what you have configured here using the "ip nat inside destination" is TCP load balancing. You may read more here:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1048769

I am afraid that if this feature is called TCP Load Balancing in the documentation, it won't work with UDP packets. I haven't used this so far, so I don't have first-hand experience, but it does appear logical to me.

What I suggest is to stop mixing "ip nat inside source" with "ip nat inside destination" and instead define a series of static mappings between an internal and external IP and service. Your configuration could be rewritten as follows:

! SMTP
ip nat inside source static tcp 192.168.1.4 25 interface E1/0 25
! DNS (both transports: queries normally use UDP, zone transfers and large replies use TCP)
ip nat inside source static tcp 192.168.1.4 53 interface E1/0 53
ip nat inside source static udp 192.168.1.4 53 interface E1/0 53
! HTTP
ip nat inside source static tcp 192.168.1.4 80 interface E1/0 80
! IMAP
ip nat inside source static tcp 192.168.1.4 143 interface E1/0 143
ip nat inside source static udp 192.168.1.4 143 interface E1/0 143
!
! dynamic PAT for the rest of the inside network; keep this after the static entries
ip nat inside source list 1 interface E1/0 overload

Make sure that the last command with the overload for the entire network comes as the last in the list. The "ip nat inside destination" command together with the pool server-primary can be removed.

A slight hint - I think that the IMAP uses TCP only. Are you sure you need translation for UDP/143 port?

Best regards,

Peter
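As an added illustration of the mix-up Peter describes (this is example code written for this thread, not something either poster ran or Cisco ships): a small Python audit that reads an IOS NAT excerpt such as Scott's, flags any UDP entries in an access list that feeds an "ip nat inside destination" rotary pool (TCP load balancing, so those entries never translate), and prints the per-port static translations that replace them. The sample config is constructed from the original post; the `OUTSIDE_IF` fallback is a placeholder used only when no overload line names the outside interface.

```python
import re

# Constructed sample, condensed from the original poster's NAT excerpt above.
SAMPLE_CONFIG = """\
ip nat pool server-primary 192.168.1.4 192.168.1.4 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Ethernet1/0 overload
ip nat inside destination list 100 pool server-primary
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq 143
access-list 100 permit udp any any eq 143
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
"""

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}  # IOS "eq" keywords seen in the sample
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) \S+ netmask \S+ type rotary$")
DEST_RE = re.compile(r"^ip nat inside destination list (\d+) pool (\S+)$")
OVERLOAD_RE = re.compile(r"^ip nat inside source list \d+ interface (\S+) overload$")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\S+)$")


def audit_rotary_nat(config: str) -> tuple[list[str], list[str]]:
    """Flag UDP entries sent to a rotary (TCP load-balancing) pool; emit static equivalents."""
    pools: dict[str, str] = {}                 # pool name -> inside address
    dest_lists: dict[str, str] = {}            # ACL number -> pool name
    acl: dict[str, list[tuple[str, int]]] = {}  # ACL number -> [(proto, port)]
    outside = "OUTSIDE_IF"                     # placeholder if no overload line is present
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = m.group(2)
        elif m := DEST_RE.match(line):
            dest_lists[m.group(1)] = m.group(2)
        elif m := OVERLOAD_RE.match(line):
            outside = m.group(1)
        elif m := ACL_RE.match(line):
            name = m.group(3)
            port = int(name) if name.isdigit() else PORT_NAMES[name]
            acl.setdefault(m.group(1), []).append((m.group(2), port))
    warnings, statics = [], []
    for num, pool in dest_lists.items():
        for proto, port in acl.get(num, []):
            if proto == "udp":
                warnings.append(f"list {num}: udp/{port} is matched by TCP load balancing "
                                f"(pool {pool}) and will not be translated")
            statics.append(f"ip nat inside source static {proto} {pools[pool]} {port} "
                           f"interface {outside} {port}")
    return warnings, statics
```

Run against the sample it reports udp/143 and udp/53 as untranslated, which is exactly the symptom in the thread: TCP 53 answers (so port scanners say "open") while UDP queries never reach 192.168.1.4.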

Bravo! I'm not sure why it didn't work before, but with the static translations you gave me for port 53, everything seems OK. Thank you! Now I have some questions! You mentioned that the access-list method I was using is intended for use with load balancing. Does that mean that I can, say, forward port 80 to both of my web servers, and let the router decide which one an incoming connection uses?

Thanks again,

--scott
