NAT and DNS Problem

simon.irwin
Level 1

Hi,

I am using a 2811 router with an internal "inside" interface (172.17.254.5) and external "Outside" interface (172.24.170.39).  NAT is working fine for all packets except DNS queries that are made from clients on the inside interface to a DNS server on the outside interface.  (DNS server 172.16.10.14)

I have run a debug ip nat detailed and can see the packets are dropped but I don't know why.  Have I missed something obvious?

access-list 1 permit 192.168.100.0 0.0.0.255

access-list 1 permit 172.16.4.0 0.0.3.255

ip nat inside source list 1 interface fastethernet0/1 overload

There are no access-lists applied to either interface, and I can ping successfully to the DNS server.  Running sh ip nat trans shows me it is translating.

Output from debug ip nat detailed - so far so good for pings.

*Jul  2 09:08:59.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1208]
*Jul  2 09:08:59.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10491]
*Jul  2 09:08:59.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10491]
*Jul  2 09:09:00.921: NAT*: i: icmp (192.168.100.1, 512) -> (10.8.27.71, 512) [1211]
*Jul  2 09:09:00.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1211]
*Jul  2 09:09:00.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10537]
*Jul  2 09:09:00.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10537]

Next part is an internal client ip 192.168.100.1 sending a DNS packet.


Jul  2 10:16:17.427: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 51919 got 51919
Jul  2 10:16:17.431: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul  2 10:16:23.103:  mapping pointer available mapping:0
Jul  2 10:16:23.103: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 54879 got 54879
Jul  2 10:16:23.103: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul  2 10:16:25.395:  mapping pointer available mapping:0
Jul  2 10:16:25.395: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 60291 got 60291

Is it some sort of bug in the IOS or am I missing something out?

2 Replies

Alexander Deems
Level 1

I believe the issue is with your access list. If you have access-list 1 permit 172.16.4.0 0.0.3.255 you are only allowing 172.16.4.0 to 172.16.7.255. I am not sure how your original ping is working. You would need a wildcard mask of 0.15.255.255 for this to work.

Alex

Alex,

Yes, you are right with access list 1 allowing that subnet, but access list 1 also contains my other subnet 192.168.100.0 - 192.168.100.255.  Clients from both subnets can ping and the ICMPs are "natted"; it just seems to be DNS requests from either subnet.

172.16.4.0/22 (0.0.3.255)

192.168.100.0/24 (0.0.0.255)


Output from sh ip access-list 1

Standard IP access list 1
    10 permit 192.168.100.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit 172.16.4.0, wildcard bits 0.0.3.255 (276 matches)

Thanks,
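As an added example (not code from the thread), a small Python check that applies Cisco wildcard-mask semantics to the two entries of access list 1 as posted, so you can see exactly which source addresses each line covers. It evaluates the client seen in the debug output (192.168.100.1), a constructed client address inside 172.16.4.0/22, and the DNS server address 172.16.10.14 against the list, and also shows the range Alex's suggested 0.15.255.255 mask would cover.

```python
import ipaddress

# Standard IP access list 1, as shown in the thread: (sequence, network, wildcard).
ACL_1 = [
    (10, "192.168.100.0", "0.0.0.255"),
    (20, "172.16.4.0", "0.0.3.255"),
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    keep = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & keep) == (_to_int(network) & keep)

def wildcard_range(network, wildcard):
    """Lowest and highest address covered by a network/wildcard pair (contiguous masks)."""
    keep = ~_to_int(wildcard) & 0xFFFFFFFF
    lo = _to_int(network) & keep
    hi = lo | _to_int(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))

def acl_lookup(acl, addr):
    """Sequence number of the first permitting entry, or None for the implicit deny."""
    for seq, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return seq
    return None

def classify(acl, addrs):
    """Map each candidate address to the ACL line that permits it (None = denied)."""
    return {a: acl_lookup(acl, a) for a in addrs}

if __name__ == "__main__":
    # Note: 'ip nat inside source list 1' evaluates the inside-local SOURCE address of
    # inside-to-outside packets; the outside DNS server is the destination, not the source.
    for seq, net, wc in ACL_1:
        print(seq, net, wc, "covers", *wildcard_range(net, wc))
    print("0.15.255.255 would cover", *wildcard_range("172.16.4.0", "0.15.255.255"))
    # 192.168.100.1 is from the debug output; 172.16.5.20 is a constructed inside client.
    print(classify(ACL_1, ["192.168.100.1", "172.16.5.20", "172.16.10.14"]))
```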
