DNS server behind Cisco 827H

nattie
Level 1

How do I configure this router to resolve DNS names of my internal network for users on the internet? I have a W2K DNS server in the internal network. (ip nr 10.0.0.1, router has 10.0.0.254)

When I open port 53 it won't work even with PAT.

Thanks

8 Replies

alexis.fidalgo
Level 1

I'm not sure about the question, but here are my interpretations.

1- If you need the router to use the DNS inside your LAN, you need to configure the following in the router:

ip domain-lookup
ip name-server 10.0.0.1

2- If you need the DNS to resolve the LAN addresses when accessed from the Internet, you need to configure the DNS records with the public IP addresses of the servers, and then you may configure static NAT between the private/public IP of the servers. This is called DNS Doctoring.

Example: suppose a web server at 10.0.0.2, SMTP at 10.0.0.3, and the public pool is 200.1.2.1-200.1.2.5.

First you need to configure the DNS server with the public addresses, like

A dns 200.1.1.1
A smtp 200.1.2.2
A www 200.1.2.3

then you need to configure NAT in the router

ip nat inside source static 10.0.0.2 200.1.2.2
ip nat inside source static 10.0.0.3 200.1.2.3

then apply the NAT statements:

on the WAN interface:
ip nat outside

on the LAN interface:
ip nat inside

If anybody from the Internet asks the DNS, it will resolve with the configured public entries. If anybody from inside the LAN asks the inside DNS server, it will also answer with the configured public entry, but here is where DNS Doctoring will translate the public to private addresses as they're configured in the NAT statement, so the internal hosts can communicate with the internal servers in private addressing.

I hope it helps you. I've tested this several times and it works great!

(In the PIX it can be achieved with the alias command (with PIX software > 6))

--

Alexis Fidalgo

Systems Engineer

AT&T Argentina
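As an added illustration of the DNS doctoring step described in the reply above (this is not Cisco's or the poster's code, only a model written for this thread): a NAT device parses the DNS reply heading to an inside host and rewrites each A-record address that has a static translation from the public to the private value. The reply packet, the `STATIC_NAT` table (taken from the example mapping above) and all function names are constructed for the example.

```python
import struct
STATIC_NAT = {"200.1.2.2": "10.0.0.2", "200.1.2.3": "10.0.0.3"}  # constructed: public -> private

def build_a_reply(qname, ip, txid=0x1234):
    """Constructed sample reply with one A answer; answer name is a pointer (0xC00C) to the question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)      # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer

def skip_name(pkt, off):
    """Offset just past a name, whether written as labels or as a compression pointer."""
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def a_rdata_offsets(pkt):
    """Offsets of the 4-byte rdata of every A record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off, found = 12, []
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4             # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found

def answer_ips(pkt):
    """Dotted-quad addresses carried by the A answers."""
    return [".".join(str(b) for b in pkt[o:o + 4]) for o in a_rdata_offsets(pkt)]

def doctor_reply(pkt, nat=STATIC_NAT):
    """The NAT box's job on a reply going inside: swap public addresses that have a static
    translation for the private ones. Only the rdata bytes change, so lengths stay valid."""
    out = bytearray(pkt)
    for o in a_rdata_offsets(pkt):
        public = ".".join(str(b) for b in pkt[o:o + 4])
        if public in nat:
            out[o:o + 4] = bytes(int(x) for x in nat[public].split("."))
    return bytes(out)
```

Addresses with no static translation pass through untouched, which is why doctoring only helps for servers that also have a one-to-one `ip nat inside source static` entry.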

Dear Alexis,

Thanks for the quick response! I tried it but this still does not work.

I will explain it.

Schematically it looks like this:

Internet <---> (213.xxx.xxx.xxx) Cisco827H (10.0.0.254) <---> (10.0.0.1) W2K server named sittard [DNS, routing and remote access, IIS etc.] (192.168.168.254) <----> (192.168.168.1) Mobile Information server

When I try to trace or ping or connect to sittard.jonkers.xs4all.nl with a laptop which is connected to the Internet via RAS (dial-up analog modem), I get the response "host unknown".

When I ping jonkers.xs4all.nl it replies with 213.xxx.xxx.xxx.

Everything works except that users outside my network (Internet) cannot resolve the IP of my internal hosts.

The cisco configuration is shown below:

Current configuration : 2294 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username Router password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip subnet-zero
ip name-server 10.0.0.1
!
!
!
!
interface Ethernet0
 ip address 10.0.0.254 255.0.0.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 094144584F5645
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static udp 10.0.0.1 53 interface Dialer1 53
ip nat inside source static tcp 10.0.0.1 53 interface Dialer1 53
ip nat inside source static udp 10.0.0.1 1723 interface Dialer1 1723
ip nat inside source static udp 10.0.0.1 1701 interface Dialer1 1701
ip nat inside source static tcp 10.0.0.1 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.1 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.1 21 interface Dialer1 21
ip nat inside source static tcp 10.0.0.1 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.1 3389 interface Dialer1 3389
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.168.0 255.255.255.0 10.0.0.1
ip http server
!
!
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip 192.168.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

I'm trying and I can't connect to the server.

But change this to test:

access-list 10 deny host 10.0.0.1
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 192.168.168.0 0.0.0.255

then remove all NAT statements and then add

ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static 10.0.0.1 interface Dialer1

and test it again please.

Let me know the results.

Hi, the server is up and running now. I tried what you suggested. I still cannot ping sittard.jonkers.xs4all.nl.

This is now the config:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxx/
!
username Router password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip subnet-zero
ip name-server 10.0.0.1
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
!
!
!
interface Ethernet0
 ip address 10.0.0.254 255.0.0.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxx password 7 xxxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static 10.0.0.1 interface Dialer1
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.168.0 255.255.255.0 10.0.0.1
ip http server
!
!
access-list 10 deny 10.0.0.1
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 192.168.168.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip 192.168.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Hi Nattie,

To me, this appears to be a DNS issue. To begin with, jonkers.xs4all.nl is resolvable...

C:\>ping jonkers.xs4all.nl

Pinging jonkers.xs4all.nl [213.84.151.169] with 32 bytes of data:

Reply from 213.84.151.169: bytes=32 time=190ms TTL=114
Reply from 213.84.151.169: bytes=32 time=180ms TTL=114
Reply from 213.84.151.169: bytes=32 time=190ms TTL=114
Reply from 213.84.151.169: bytes=32 time=180ms TTL=114

Ping statistics for 213.84.151.169:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 180ms, Maximum = 190ms, Average = 185ms

sittard.jonkers.xs4all.nl is not resolvable at all...

C:\>ping sittard.jonkers.xs4all.nl
Unknown host sittard.jonkers.xs4all.nl.

Since both DNS names would be resolved from the parent DNS servers of...

xs4all.nl NS (Nameserver) ns.ripe.net
xs4all.nl NS (Nameserver) ns.xs4all.nl
xs4all.nl NS (Nameserver) ns2.xs4all.nl

There would need to be an entry for sittard.jonkers.xs4all.nl in those DNS servers as well. It appears that host doesn't exist to the outside world, but it would inside the LAN, since the machine name is resolved there. Or did I interpret your situation wrong?

Hi,

jonkers.xs4all.nl is known by the xs4all.nl NS, so if this DNS server does not know the host sittard, it will forward the request to jonkers.xs4all.nl.

Or is it not?

If I use Sniffer Pro to monitor whether there is any DNS traffic to the W2K DNS server, there is none.

I have contacted my service provider about this. They say that sittard.jonkers.xs4all.nl has to have a record in their nameserver.

The nameserver knows the domain jonkers.xs4all.nl but not sittard.jonkers.xs4all.nl. So if I have a DNS for jonkers.xs4all.nl, this server has to resolve it on my server. Or is it not?

As I understand DNS, if the server does not know it, it will forward it to the next one which knows more.
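The question at the end of the thread is whether the parent's nameservers hand a query for a name under jonkers to the inside server just because they know jonkers. The added model below (written for this page, not code from the thread, Cisco or the ISP) shows how a recursive resolver actually decides: an A record at an ancestor is never a referral; only NS records at a zone cut, with a glue address, send the query on. Zone contents, the domain `parent.test`, the address 203.0.113.10 (standing in for the router's public IP, whose port 53 is static-NATted to the inside W2K server) and the function names are all constructed.

```python
# Constructed zone data. 203.0.113.10 (TEST-NET-3) plays the router's public
# address; its port 53 is forwarded by static NAT to the inside DNS server.
PARENT_APEX = "parent.test"
PUBLIC_IP = "203.0.113.10"

PARENT_NO_DELEGATION = {                  # the thread's situation: A record only
    ("jonkers.parent.test", "A"): [PUBLIC_IP],
}
PARENT_DELEGATED = {                      # what the parent needs to hold instead
    ("jonkers.parent.test", "NS"): ["ns.jonkers.parent.test"],
    ("ns.jonkers.parent.test", "A"): [PUBLIC_IP],   # glue record for the NS name
}
INSIDE_SERVER = {                         # the W2K server, authoritative for jonkers
    ("jonkers.parent.test", "A"): [PUBLIC_IP],
    ("sittard.jonkers.parent.test", "A"): [PUBLIC_IP],  # public address, as the first reply advises
}

def find_zone_cut(parent, name):
    """Closest enclosing name below the apex that the parent delegates with NS
    records, or None. An A record at an ancestor is not a delegation."""
    labels = name.split(".")
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor == PARENT_APEX:
            return None
        if (ancestor, "NS") in parent:
            return ancestor
    return None

def resolve_a(name, parent, inside):
    """Resolve an A query as a recursive resolver would: ask the parent's servers
    and follow a referral only if they hold NS records for a zone cut above name."""
    cut = find_zone_cut(parent, name)
    if cut is None:
        # Parent is authoritative for the whole name and answers or denies it itself.
        # The query never reaches the inside server, exactly what the sniffer showed.
        return (parent.get((name, "A")) or "NXDOMAIN"), f"answered by {PARENT_APEX} servers"
    ns_name = parent[(cut, "NS")][0]
    glue = parent.get((ns_name, "A"))
    if not glue:
        return "SERVFAIL", f"referred to {ns_name} but no glue address is available"
    # Referral target is the router's public address; static NAT hands port 53 inside.
    return (inside.get((name, "A")) or "NXDOMAIN"), f"referred to {ns_name} at {glue[0]}"
```

The real-world version of this check is to ask the parent's nameservers directly for NS records of the subdomain, for example `dig NS jonkers.xs4all.nl @ns.xs4all.nl`; if no NS records come back, the subdomain is not delegated and queries for names under it never reach the inside server, no matter how the router's NAT is configured.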