DNS issue out a NAT

Unanswered Question
Oct 23rd, 2009

I have a Cisco 877 that has an ADSL interface and two internal VLANs assigned to different switch ports. Running ADV IP Services.

The problem I have is that I cannot get the host in the VLAN3 ( to access DNS servers on the Internet. There are no denies from the access lists and it can seem to access everything else on the internet and even DNS on the other VLAN. Hosts on the other VLAN have no problem accessing DNS servers on the Internet.

Attached is the sanitised config. If anyone has any ideas that would be great. I have opened up the access-lists to access an internal DNS for the meantime.

Peter Paluch Fri, 10/23/2009 - 01:07

Hi Scott,

I have gone briefly over your configuration - it does not seem to have any obvious errors. Are you suggesting that the host cannot talk to outside DNS servers? What exactly does it mean? Is it able to at least ping them? Is it possible to see in Wireshark if the DNS queries are indeed sent out? Are any DNS responses also arriving back?

Let's try to have a close look at what exactly happens to the DNS queries sent by that host. I also suggest creating an ACL 1 in the form

access-list 1 permit

and then running the

debug ip nat 1 detailed

to see what exactly is going on at the router.

Best regards,


scottyd Sat, 10/24/2009 - 10:32

Hi Peter,

Thanks for the reply. Yes, that is right, the host cannot get a response from any DNS servers. They don't respond to ping, as far as I know, so we can't test that. I do see a translation in place for the servers though.

The router is in another country, so it is hard to get a Wireshark capture, but your other ideas may help.


lgijssel Fri, 10/23/2009 - 01:14

Are you using the same DNS for both VLANs? From your ACL WAN_IN it appears that only one DNS is allowed from the outside:

ip access-list extended WAN_IN

permit udp host eq domain any

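The two suggestions above (Leo's point that WAN_IN only permits replies from a single resolver, and Peter's scoped NAT debug) as one constructed IOS example; this is not the poster's config, and all addresses, the inspect rule name FW and the interface names are assumptions.

```cisco
! Constructed example, not the sanitised config from the question.
! Assumed addressing:
!   VLAN3 hosts 192.168.3.0/24, test host 192.168.3.10
!   outside resolvers 198.51.100.53 and 198.51.100.54
!
! 1. Stateful inspection (CBAC) opens return pinholes for UDP/DNS that was
!    sent outbound, so WAN_IN does not need one permit per resolver. Without
!    inspection on the WAN interface, only replies from the single host listed
!    in WAN_IN get back in; queries to any other resolver time out.
ip inspect name FW dns
ip inspect name FW udp
ip inspect name FW tcp
!
ip access-list extended WAN_IN
 remark explicit permit is only required when inspection is NOT applied
 permit udp host 198.51.100.53 eq domain any
 deny   ip any any log
!
interface Dialer0
 ip access-group WAN_IN in
 ip inspect FW out
 ip nat outside
!
interface Vlan3
 ip nat inside
!
! 2. Scope the NAT debug to the one host under test so the output only
!    shows that host's translations (ACL 1 is the debug filter).
access-list 1 permit host 192.168.3.10
!
! exec commands (not configuration):
! Router# debug ip nat 1 detailed
! Router# show ip nat translations | include 192.168.3.10
! Router# show ip inspect sessions
! Router# undebug all
```

If the debug shows the query translated and leaving but no reply being untranslated, the reply is either dropped by WAN_IN (check the "deny ... log" counters) or never reached the router.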


scottyd Sat, 10/24/2009 - 10:40

Hi Leo,

Thanks for the reply. I have tried the same DNS server from both hosts. Actually, no, I am not sure why that is there. I think the stateful firewall will allow the return traffic.
