New Member

Router 831 Cannot resolve DNS names

Hello,

My workstation can resolve domain names, but my router cannot. I receive the following:

Router#ping www.google.com

Translating "www.google.com"...domain server (8.8.8.8) (8.8.4.4) (75.75.76.76) (75.75.75.75)
% Unrecognized host or address, or protocol not running.


This is my router:

Router#sh run
Building configuration...

Current configuration : 4298 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.200 192.168.0.255
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 8.8.8.8 8.8.4.4
   lease 0 1
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name IPFW tcp
ip inspect name IPFW udp
ip inspect name IPFW cuseeme
ip inspect name IPFW ftp
ip inspect name IPFW tftp
ip inspect name IPFW rcmd
ip inspect name IPFW realaudio
ip inspect name IPFW smtp
ip inspect name IPFW h323
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
interface Ethernet0
 description LAN switch ports on inside interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 description WAN interface to ISP using DHCP
 ip ddns update hostname onlize.homeip.net
 ip ddns update dyndns
 ip address dhcp client-id Ethernet1
 ip access-group IPFW-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect IPFW out
 ip virtual-reassembly
 duplex auto
 no cdp enable
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 23 interface Ethernet1 overload
ip nat inside source list 100 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.5 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.0.5 32400 interface Ethernet1 32400
ip nat inside source static udp 192.168.0.5 32400 interface Ethernet1 32400
!
!
ip access-list extended IPFW-ACL
 remark NTP Server Access
 permit udp any any eq ntp
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit tcp any any eq 3389
 permit tcp any any eq 32400
 permit udp any any eq 32400
 deny   ip any any
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
control-plane
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
!
scheduler max-task-time 5000
ntp logging
ntp clock-period 17179872
ntp server 204.2.134.163
ntp server 173.8.148.157
ntp server 15.185.186.215
ntp server 64.6.144.6
ntp server 198.110.48.12
ntp server 208.75.89.4
ntp server 198.55.111.50
ntp server 72.43.42.21
end

Router#

If I remove "ip access-group IPFW-ACL in" from my WAN interface, everything works. What am I missing here? What else should I add to my firewall?

Thank you.

4 REPLIES
Green


Hi,


Try adding the following lines to your access list

 permit udp any any eq domain
 permit tcp any any eq domain

Hope this helps.

Regards

Alex


Regards, Alex. Please rate useful posts.
New Member


Thank you for your reply. I tried it, but it does not work.

Any other ideas?


Hello

ip access-list extended IPFW-ACL
 12 permit UDP any any eq 53

interface Ethernet1
 no ip inspect IPFW out

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

interface Ethernet0
 ip access-group 101 in
 ip inspect IPFW in

Res
Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member


Thank you for your reply.

Interesting suggestion, but it means that I will protect the internal interface while the external interface will not be protected. I do not think it is such a good idea.

Any other suggestions?

By the way, what is that number 12 in front of permit UDP? Can you please explain?

Thank you.
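As an added worked example (not part of the thread and not Cisco code), the Python below models how IOS evaluates an extended named ACL top-down with first match winning, and runs the IPFW-ACL from the original post against the packet the router is actually waiting for: the UDP answer from 8.8.8.8, source port 53, back to the router's WAN address. Because ip inspect IPFW out only tracks sessions passing through the router, a lookup the router itself originates gets no return-traffic opening, so that answer is judged by the inbound ACL alone, which is why the workstation resolves names while the router does not. The model makes three things explicit that the replies leave implicit: permit udp any any eq domain typed without a sequence number is appended after deny ip any any and is never reached; even at sequence 12 as Paul suggests, eq 53 after the destination matches queries sent to port 53, not answers coming from it; and the number 12 the last post asks about simply places the entry between 10 and 20. It also contrasts an open source-port-53 permit (which admits any host using source port 53) with one scoped to the configured resolver. The WAN address 203.0.113.7 and the host 198.51.100.9 are constructed values; remark lines are skipped, so the model's own sequence numbers start at 10.

```python
"""Toy model of a Cisco IOS extended named ACL.  Constructed example, not IOS
code and not from the thread: it implements only the syntax used in IPFW-ACL
(protocol keyword, 'any' or 'host <addr>' endpoints, optional 'eq <port>'
after either endpoint, one ICMP type keyword, optional leading sequence
number).  Remarks are skipped, so the first permit/deny is numbered 10 here;
the numbers on a real box are whatever 'show access-lists' reports."""

PORT_NAMES = {"domain": 53, "ntp": 123, "bootpc": 68, "bootps": 67}

# The IPFW-ACL from the original post, minus the 'ip access-list' header.
IPFW_ACL = """
 remark NTP Server Access
 permit udp any any eq ntp
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit tcp any any eq 3389
 permit tcp any any eq 32400
 permit udp any any eq 32400
 deny   ip any any
"""


def _port(tok):
    """Translate an IOS port keyword or number into an integer port."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _endpoint(rest):
    """Consume 'any' or 'host <addr>'; return the address to match, None for any."""
    tok = rest.pop(0)
    return rest.pop(0) if tok == "host" else None


def _port_qualifier(rest):
    """Consume an optional 'eq <port>'; return the port or None."""
    if rest and rest[0] == "eq":
        rest.pop(0)
        return _port(rest.pop(0))
    return None


def add_entry(entries, line):
    """Add one ACE the way the IOS CLI does: an explicit sequence number places it
    in order, otherwise it goes after the highest existing number in steps of 10;
    a duplicate sequence number is rejected."""
    toks = line.lower().split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else max((e["seq"] for e in entries), default=0) + 10
    if any(e["seq"] == seq for e in entries):
        raise ValueError(f"sequence number {seq} already in use")
    ace = {"seq": seq, "action": toks[0], "proto": toks[1]}
    rest = toks[2:]
    ace["src"] = _endpoint(rest)
    ace["sport"] = _port_qualifier(rest)     # 'eq' right after the source = source port
    ace["dst"] = _endpoint(rest)
    ace["dport"] = _port_qualifier(rest)     # 'eq' after the destination = destination port
    ace["icmp_type"] = rest.pop(0) if rest else None   # e.g. echo-reply
    entries.append(ace)
    entries.sort(key=lambda e: e["seq"])
    return ace


def parse_acl(text):
    """Build an ordered ACL from 'show run' style lines."""
    entries = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if toks and toks[0] != "remark":
            add_entry(entries, raw)
    return entries


def sequence_numbers(entries):
    return [e["seq"] for e in entries]


def evaluate(entries, pkt):
    """Return (action, seq) of the first ACE that matches; no match is the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if e["src"] is not None and e["src"] != pkt["src"]:
            continue
        if e["dst"] is not None and e["dst"] != pkt["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"], e["seq"]
    return "deny", None


# Constructed packets arriving inbound on Ethernet1; 203.0.113.7 stands in for
# the DHCP-assigned WAN address.
REPLY_FROM_GOOGLE = {"proto": "udp", "src": "8.8.8.8", "sport": 53,
                     "dst": "203.0.113.7", "dport": 49152}        # answer to the router's own query
FROM_OTHER_HOST_SPORT_53 = {"proto": "udp", "src": "198.51.100.9", "sport": 53,
                            "dst": "203.0.113.7", "dport": 40000}  # unrelated host using source port 53


def compare_fixes():
    """Evaluate both packets under the original ACL and four candidate edits."""
    candidates = {
        "original": None,
        "appended 'permit udp any any eq domain'": "permit udp any any eq domain",
        "seq 12, destination port 53": "12 permit udp any any eq 53",
        "seq 12, source port 53": "12 permit udp any eq domain any",
        "seq 12, host 8.8.8.8 source port 53": "12 permit udp host 8.8.8.8 eq domain any",
    }
    results = {}
    for label, line in candidates.items():
        acl = parse_acl(IPFW_ACL)
        if line:
            add_entry(acl, line)
        results[label] = (evaluate(acl, REPLY_FROM_GOOGLE), evaluate(acl, FROM_OTHER_HOST_SPORT_53))
    return results


if __name__ == "__main__":
    for label, (reply, other) in compare_fixes().items():
        print(f"{label:42} reply from 8.8.8.8: {reply}   other host, sport 53: {other}")
    acl = parse_acl(IPFW_ACL)
    add_entry(acl, "12 permit UDP any any eq 53")
    print("sequence numbers with Paul's entry:", sequence_numbers(acl)[:4])
```

Run it directly to print the outcome table: only the two source-port entries let the answer from 8.8.8.8 through, and only the host-scoped one keeps the unrelated host out. Two practical points sit outside the model. The Translating line in the first post lists four resolvers (8.8.8.8, 8.8.4.4, 75.75.76.76, 75.75.75.75), so a host-scoped permit needs all four or the router may retry against one that is still blocked. And later IOS trains offer the router-traffic keyword on ip inspect name, which lets inspection track the router's own sessions and would make a static permit unnecessary; whether the image on this 831 supports it is not something the thread shows.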
