07-02-2010 05:45 AM - edited 03-04-2019 08:57 AM
Hi,
I am using a 2811 router with an internal "inside" interface (172.17.254.5) and an external "outside" interface (172.24.170.39). NAT is working fine for all packets except DNS queries made from clients on the inside interface to a DNS server on the outside interface (DNS server 172.16.10.14).
I have run a debug ip nat detailed and can see the packets are dropped, but I don't know why. Have I missed something obvious?
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 172.16.4.0 0.0.3.255
ip nat inside source list 1 interface fastethernet0/1 overload
There are no access-lists applied to either interface, and I can ping the DNS server successfully. Running sh ip nat trans shows me it is translating.
Output from debug ip nat detailed - so far so good for pings.
*Jul 2 09:08:59.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1208]
*Jul 2 09:08:59.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10491]
*Jul 2 09:08:59.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10491]
*Jul 2 09:09:00.921: NAT*: i: icmp (192.168.100.1, 512) -> (10.8.27.71, 512) [1211]
*Jul 2 09:09:00.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1211]
*Jul 2 09:09:00.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10537]
*Jul 2 09:09:00.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10537]
The next part is an internal client IP 192.168.100.1 sending a DNS packet.
Jul 2 10:16:17.427: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 51919 got 51919
Jul 2 10:16:17.431: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul 2 10:16:23.103: mapping pointer available mapping:0
Jul 2 10:16:23.103: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 54879 got 54879
Jul 2 10:16:23.103: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul 2 10:16:25.395: mapping pointer available mapping:0
Jul 2 10:16:25.395: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 60291 got 60291
Is it some sort of bug in the IOS, or am I missing something?
07-02-2010 06:50 AM
I believe the issue is with your access list. If you have access-list 1 permit 172.16.4.0 0.0.3.255 you are only allowing 172.16.4.0 to 172.16.7.255. I am not sure how your original ping is working. You would need a wildcard mask of 0.15.255.255 for this to work.
Alex
07-02-2010 07:54 AM
Alex,
Yes, you are right about access list 1 allowing that subnet, but access list 1 also contains my other subnet, 192.168.100.0 - 192.168.100.255. Clients from both subnets can ping and the ICMP packets are "natted"; it just seems to be DNS requests from either subnet:
172.16.4.0/22 (0.0.3.255)
192.168.100.0/24 (0.0.0.255)
Output from sh ip access-list 1
Standard IP access list 1
10 permit 192.168.100.0, wildcard bits 0.0.0.255 (2 matches)
20 permit 172.16.4.0, wildcard bits 0.0.3.255 (276 matches)
Thanks,
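Added example, not code from the thread or from Cisco: a Python script that parses the `show ip access-list` output and the `debug ip nat detailed` lines quoted in the posts above, works out the address range each `network wildcard` entry covers, and checks the inside source address of every `translation failed` drop against the ACL that `ip nat inside source list 1` references (IOS evaluates that ACL against the inside source address of the packet). The regular expressions are assumptions about the output format based only on the lines shown in this thread, and the two sample inputs are constructed from those same lines.

```python
import ipaddress
import re

# Constructed sample input: the ACL as printed by 'show ip access-list 1' in the thread.
ACL_TEXT = """\
Standard IP access list 1
    10 permit 192.168.100.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit 172.16.4.0, wildcard bits 0.0.3.255 (276 matches)
"""

# Constructed sample input: a handful of 'debug ip nat detailed' lines from the thread
# (one translated ping in each direction, then two dropped DNS packets).
DEBUG_TEXT = """\
*Jul 2 09:08:59.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1208]
*Jul 2 09:08:59.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10491]
*Jul 2 09:08:59.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10491]
Jul 2 10:16:17.427: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 51919 got 51919
Jul 2 10:16:17.431: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul 2 10:16:23.103: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 54879 got 54879
Jul 2 10:16:23.103: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
"""

# Assumed line formats, derived only from the output quoted in the thread.
ACE_RE = re.compile(r"^\s*\d+\s+(permit|deny)\s+([\d.]+),\s+wildcard bits\s+([\d.]+)")
OUT_RE = re.compile(r"s=([\d.]+)->([\d.]+), d=([\d.]+)")        # inside -> outside, source translated
IN_RE = re.compile(r"s=([\d.]+), d=([\d.]+)->([\d.]+)")         # outside -> inside, destination untranslated
FAIL_RE = re.compile(r"translation failed \((\w+)\), dropping packet s=([\d.]+) d=([\d.]+)")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_range(network, wildcard):
    """Lowest and highest address covered by an IOS 'network wildcard' pair.
    Wildcard bits set to 1 are 'don't care', so the range is net&~wc .. net|wc."""
    net, wc = _ip(network), _ip(wildcard)
    lo = net & ~wc & 0xFFFFFFFF
    hi = net | wc
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def wildcard_match(addr, network, wildcard):
    """True when addr agrees with network on every bit the wildcard marks as 0."""
    return ((_ip(addr) ^ _ip(network)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0


def parse_standard_acl(text):
    """Parse 'show ip access-list' output for a standard ACL into ordered
    (action, network, wildcard) tuples. Only the 'network, wildcard bits' form
    seen in the thread is handled; 'host' and 'any' entries are not."""
    return [m.groups() for m in (ACE_RE.match(line) for line in text.splitlines()) if m]


def acl_action(entries, addr):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    for action, network, wildcard in entries:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def parse_nat_debug(text):
    """Split 'debug ip nat detailed' lines into outbound/inbound translations and drops."""
    out, inbound, failed = [], [], []
    for line in text.splitlines():
        if (m := FAIL_RE.search(line)):
            failed.append(m.groups())      # (reason code, inside src, dst)
        elif (m := OUT_RE.search(line)):
            out.append(m.groups())         # (inside src, translated src, dst)
        elif (m := IN_RE.search(line)):
            inbound.append(m.groups())     # (outside src, global dst, inside dst)
    return {"out": out, "in": inbound, "failed": failed}


def correlate(acl_text, debug_text):
    """For every dropped packet, report whether its inside source is permitted by the
    NAT ACL. 'ip nat inside source list' matches the ACL against the inside source,
    so a deny here would explain a drop; a permit means the cause lies elsewhere."""
    entries = parse_standard_acl(acl_text)
    report = []
    for code, src, dst in parse_nat_debug(debug_text)["failed"]:
        report.append({"code": code, "src": src, "dst": dst,
                       "src_permitted": acl_action(entries, src) == "permit"})
    return report


if __name__ == "__main__":
    for action, net, wc in parse_standard_acl(ACL_TEXT):
        lo, hi = wildcard_range(net, wc)
        print(f"{action} {net} {wc}  covers {lo} .. {hi}")
    for row in correlate(ACL_TEXT, DEBUG_TEXT):
        print(row)
```

Run on the thread's own lines, the script shows `172.16.4.0 0.0.3.255` covering 172.16.4.0 through 172.16.7.255, and both `translation failed (B)` drops carrying a source (192.168.100.1) that the ACL permits, which is the first thing to confirm before looking at the failure code itself.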