New Member

DNS zone transfer behind Cisco SOHO 871

Dear everyone,

I have a Cisco 871 router configured with NAT and an access list for filtering the Internet traffic. I have published a Windows 2003 DNS server on a fixed public IP without access-list filtering. When I try to transfer the DNS zone to another external server the process fails. I tried to scan the DNS ports of the published server: TCP port 53 responds, but UDP port 53 does not. Why?

2 REPLIES
Hall of Fame Super Silver

Re: DNS zone transfer behind Cisco SOHO 871

Luca

Perhaps if you post the configuration of the 871 we might identify the reason that UDP port 53 is not responding. The things that I would look for first would be possible issues with the access list or possible issues in address translation. But there might be other causes of the problem.

HTH

Rick

New Member

Re: DNS zone transfer behind Cisco SOHO 871

Sure you are right!

For security I masked some parts of the configuration... if it is not clear, please ask me for clarifications.

version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname c871lepida
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
!
dot11 syslog
ip gratuitous-arps
ip cef
!
!
ip domain name xxx
ip name-server 193.43.2.1
no vlan accounting input
!
!
!
username admin privilege 15 secret 5 xxx
!
!
archive
 log config
  logging enable
  hidekeys
!
!
ip finger
ip tcp synwait-time 10
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 description Connessa a LEPIDA-WAN
 ip address 195.x.x.66 255.255.255.224
 ip access-group Accessi_da_Internet in
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description Connessa a Comune di Lugo-LAN
 ip address 172.x.x.10 255.255.240.0
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.x.x.65
ip route 172.x.x.0 255.255.240.0 172.x.x.25
ip route 192.x.x.0 255.255.255.0 172.x.x.48
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 900
ip nat pool rer 195.x.x.66 195.x.x.66 netmask 255.255.255.224
ip nat inside source list 110 pool rer overload
! MY DNS SERVER
ip nat inside source static 172.x.x.54 195.x.x.67 route-map ROUTE-VPN extendable
!
ip access-list extended Accessi_da_Internet
 remark Allows access to the Iride application server from the two CEDAF subnets
 permit tcp 77.x.x.32 0.0.0.31 host 195.x.x.70 eq 13389
 permit tcp 89.x.x.144 0.0.0.15 host 195.x.x.70 eq 13389
 deny tcp any host 195.x.x.70 eq 13389
 remark Allows access to the Sosia application server from the Softech IP
 permit tcp host 88.x.x.253 host 195.x.x.70 eq 23389
 deny tcp any host 195.x.x.70 eq 23389
 remark Allows access to the License server from 3Cime
 permit tcp host 89.x.x.50 host 195.x.x.70 eq 33389
 deny tcp any host 195.x.x.70 eq 33389
 remark Allows access to the Videosorveglianza (video surveillance) server
 permit tcp host 82.x.x.112 host 195.x.x.94 eq 3389
 permit tcp 62.x.x.0 0.0.0.255 host 195.x.x.94 eq 3389
 deny tcp any host 195.x.x.94 eq 3389
 permit ip any any
ip access-list extended VPN
 remark Accesses from the Comuni VPN must bypass the static NATs
 deny ip 172.x.x.0 0.0.15.255 172.x.x.0 0.0.0.255
 deny ip 172.x.x.0 0.0.15.255 192.x.x.0 0.0.255.255
 permit ip 172.x.x.0 0.0.15.255 any
 remark Accesses from the Comuni VPN must bypass the static NATs
!
logging trap debugging
logging 172.x.x.14
access-list 110 remark Rule for external DNS queries (to www1.comune.lugo.ra.it)
access-list 110 permit udp host 172.16.16.54 any range 0 65535
access-list 110 deny udp any any range 0 65535
access-list 110 remark Rules for the VPN
access-list 110 deny ip host 172.x.x.15 any
access-list 110 deny ip 172.x.x.0 0.0.15.255 172.x.x.0 0.0.0.255
access-list 110 permit ip 192.x.x.0 0.0.0.255 any
access-list 110 deny ip 172.x.x.0 0.0.15.255 192.x.x.0 0.0.255.255
access-list 110 deny ip any any
no cdp run
!
!
route-map ROUTE-VPN permit 10
 match ip address VPN
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
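As an added example (not from the thread and not Cisco's code), the following Python evaluates the posted extended ACLs the way IOS does, first match wins with wildcard masks; the masked "x" octets are replaced by constructed placeholder addresses. Run against ACL 110, the list that selects traffic for the overload NAT pool, it shows that replies leaving the DNS server are classified differently by protocol, which is one of the NAT places Rick suggests checking.

```python
# Added example (not from the thread): evaluator for the IOS extended-ACL syntax
# in the posted config. Masked "x" octets are replaced by constructed placeholders.
import ipaddress

DNS_INSIDE = "172.16.16.54"   # inside address of the DNS server (from the post)
EXTERNAL = "203.0.113.5"      # constructed address of the external zone-transfer peer
ACL_110 = [  # the overload NAT ACL from the post, with placeholder octets
    "access-list 110 permit udp host 172.16.16.54 any range 0 65535",
    "access-list 110 deny udp any any range 0 65535",
    "access-list 110 deny ip host 172.16.16.15 any",
    "access-list 110 deny ip 172.16.16.0 0.0.15.255 172.16.40.0 0.0.0.255",
    "access-list 110 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 110 deny ip 172.16.16.0 0.0.15.255 192.168.0.0 0.0.255.255",
    "access-list 110 deny ip any any",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(t, i):  # 'any' | 'host A' | 'A WILDCARD' at t[i] -> (net, wildcard, next_i)
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2
def _port(t, i, port):  # optional 'eq N' | 'range A B' at t[i] -> (matched, next_i)
    if i < len(t) and t[i] == "eq":
        return port == int(t[i + 1]), i + 2
    if i < len(t) and t[i] == "range":
        return int(t[i + 1]) <= port <= int(t[i + 2]), i + 3
    return True, i

def evaluate(acl, proto, src, sport, dst, dport):  # -> (action, entry); ('deny', None) = implicit deny
    for entry in acl:
        t = entry.split()
        t = t[2:] if t[0] == "access-list" else t  # drop 'access-list <number>'
        if t[0] == "remark":
            continue
        action, p = t[0], t[1]
        if p not in ("ip", proto):
            continue
        snet, swc, i = _addr(t, 2)
        sp_ok, i = _port(t, i, sport)
        dnet, dwc, i = _addr(t, i)
        dp_ok, _ = _port(t, i, dport)
        # wildcard bits set to 1 are "don't care": OR them into both sides before comparing
        if sp_ok and dp_ok and (_ip(src) | swc) == (snet | swc) and (_ip(dst) | dwc) == (dnet | dwc):
            return action, entry
    return "deny", None
# DNS server replies towards the external peer, as the overload NAT ACL sees them
print("UDP:", evaluate(ACL_110, "udp", DNS_INSIDE, 53, EXTERNAL, 40000)[0])  # permit
print("TCP:", evaluate(ACL_110, "tcp", DNS_INSIDE, 53, EXTERNAL, 40000)[0])  # deny
```

The same evaluate() call can be run against the Accessi_da_Internet entries to confirm that inbound UDP 53 to the DNS server's public address falls through to the final permit ip any any.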
