Welcome to Cisco Support Community. We would love to have your feedback.
I've been trying to crack this one for a while but I can't see the wood for the trees. This router feeds a Sonicwall security device at 192.168.0.180 on the inside and performs ADSL2+ on the outside. I can do domain lookups on the internal lan (the other side of the Sonicwall) but I cant do dns lookups directly from the router. I guess it's not a biggie but annoying just the same. Any ideas please?
Current config below mostly generated by SDM:-
Using 11689 out of 131072 bytes ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname cordy ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging message-counter syslog logging buffered 51200 warnings logging console critical no logging monitor enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX enable password 7 XXXXXXXXXXXXXXXXXX ! aaa new-model ! ! aaa authentication login local_authen local aaa authorization exec local_author local ! ! aaa session-id common clock timezone Napier 12 clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00 ! crypto pki trustpoint TP-self-signed-XXXXXXXXXXX enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXX revocation-check none rsakeypair TP-self-signed-XXXXXXXXXXXXX ! ! crypto pki certificate chain TP-self-signed-1036798690 certificate self-signed 01 nvram:IOS-Self-Sig#4.cer dot11 syslog dot11 activity-timeout client default 1800 dot11 activity-timeout repeater default 28800 dot11 activity-timeout workgroup-bridge default 28800 dot11 activity-timeout bridge default 28800 ! dot11 ssid XXXXXXXXXXXX authentication open authentication key-management wpa guest-mode wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX information-element ssidl advertisement ! dot11 arp-cache no ip source-route ! ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.0.1 192.168.0.99 ip dhcp excluded-address 192.168.0.140 192.168.0.254 ! ip dhcp pool pool1 import all network 192.168.0.0 255.255.255.0 domain-name home default-router 192.168.0.254 netbios-name-server 192.168.0.180 dns-server 18.104.22.168 22.214.171.124 ! ! ip cef no ip bootp server ip domain list home ip domain name home ip name-server 126.96.36.199 ip name-server 188.8.131.52 ip port-map user-vuze-tcp port tcp 56881 list 1 description Vuze on willow (tcp) ip port-map user-vuze-udp port tcp 56881 list 2 description Vuze on willow (udp) ip ips notify SDEE ip ips name sdm_ips_rule_101 list 101 ip inspect name SDM_MEDIUM appfw SDM_MEDIUM ip inspect name SDM_MEDIUM cuseeme ip inspect name SDM_MEDIUM dns ip inspect name SDM_MEDIUM ftp ip inspect name SDM_MEDIUM h323 ip inspect name SDM_MEDIUM https ip inspect name SDM_MEDIUM icmp ip inspect name SDM_MEDIUM imap reset ip inspect name SDM_MEDIUM pop3 reset ip inspect name SDM_MEDIUM netshow ip inspect name SDM_MEDIUM rcmd ip inspect name SDM_MEDIUM realaudio ip inspect name SDM_MEDIUM rtsp ip inspect name SDM_MEDIUM esmtp ip inspect name SDM_MEDIUM sqlnet ip inspect name SDM_MEDIUM streamworks ip inspect name SDM_MEDIUM tcp ip inspect name SDM_MEDIUM udp ip inspect name SDM_MEDIUM vdolive ip inspect name SDM_MEDIUM user-vuze-udp ip inspect name SDM_MEDIUM user-vuze-tcp ip inspect name SDM_MEDIUM tftp ip inspect name SDM_MEDIUM ntp ip inspect name sdm_ins_in_100 appfw SDM_MEDIUM ip inspect name sdm_ins_in_100 cuseeme ip inspect name sdm_ins_in_100 dns ip inspect name sdm_ins_in_100 ftp ip inspect name sdm_ins_in_100 h323 ip inspect name sdm_ins_in_100 https ip inspect name sdm_ins_in_100 icmp ip inspect name sdm_ins_in_100 imap reset ip inspect name sdm_ins_in_100 pop3 reset ip inspect name sdm_ins_in_100 netshow ip inspect name sdm_ins_in_100 rcmd ip inspect name sdm_ins_in_100 realaudio ip inspect name sdm_ins_in_100 rtsp ip inspect name sdm_ins_in_100 esmtp ip inspect name sdm_ins_in_100 sqlnet ip inspect name sdm_ins_in_100 streamworks ip inspect name sdm_ins_in_100 tcp ip inspect name sdm_ins_in_100 udp ip inspect name sdm_ins_in_100 vdolive ip inspect name sdm_ins_in_100 user-vuze-udp ip inspect name sdm_ins_in_100 user-vuze-tcp ip inspect name sdm_ins_in_100 tftp no ipv6 cef ! appfw policy-name SDM_MEDIUM application im aol service default action allow alarm service text-chat action allow alarm server permit name login.oscar.aol.com server permit name toc.oscar.aol.com server permit name oam-d09a.blue.aol.com audit-trail on application im msn service default action allow alarm service text-chat action allow alarm server permit name messenger.hotmail.com server permit name gateway.messenger.hotmail.com server permit name webmessenger.msn.com audit-trail on application http strict-http action allow alarm port-misuse im action reset alarm port-misuse p2p action reset alarm port-misuse tunneling action allow alarm application im yahoo service default action allow alarm service text-chat action allow alarm server permit name scs.msg.yahoo.com server permit name scsa.msg.yahoo.com server permit name scsb.msg.yahoo.com server permit name scsc.msg.yahoo.com server permit name scsd.msg.yahoo.com server permit name cs16.msg.dcn.yahoo.com server permit name cs19.msg.dcn.yahoo.com server permit name cs42.msg.dcn.yahoo.com server permit name cs53.msg.dcn.yahoo.com server permit name cs54.msg.dcn.yahoo.com server permit name ads1.vip.scd.yahoo.com server permit name radio1.launch.vip.dal.yahoo.com server permit name in1.msg.vip.re2.yahoo.com server permit name data1.my.vip.sc5.yahoo.com server permit name address1.pim.vip.mud.yahoo.com server permit name edit.messenger.yahoo.com server permit name messenger.yahoo.com server permit name http.pager.yahoo.com server permit name privacy.yahoo.com server permit name csa.yahoo.com server permit name csb.yahoo.com server permit name csc.yahoo.com audit-trail on ! multilink bundle-name authenticated ! parameter-map type inspect global ! ! username steve privilege 15 view root password 7 XXXXXXXXXXXXXXXXXXXXXXXXX username root privilege 15 view root password 7 XXXXXXXXXXXXXXXXXXXXXXXX ! ! ! archive log config hidekeys ! ! ip tcp synwait-time 10 ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh version 2 ! class-map match-any sdm_p2p_kazaa match protocol fasttrack match protocol kazaa2 class-map match-any sdm_p2p_edonkey match protocol edonkey class-map match-any sdm_p2p_gnutella match protocol gnutella class-map match-any sdm_p2p_bittorrent match protocol bittorrent ! ! policy-map sdmappfwp2p_SDM_MEDIUM class sdm_p2p_gnutella class sdm_p2p_bittorrent class sdm_p2p_edonkey class sdm_p2p_kazaa ! ! bridge irb ! ! interface Null0 no ip unreachables ! interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress no atm ilmi-keepalive ! interface ATM0.1 point-to-point no ip redirects no ip unreachables no ip proxy-arp ip flow ingress pvc 0/100 encapsulation aal5snap protocol ppp dialer dialer pool-member 1 ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Dot11Radio0 no ip address shutdown ! encryption mode ciphers aes-ccm ! ssid XXXXXXXXXXXX ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 channel 2462 station-role root rts threshold 2312 rts retries 32 bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 no ip address bridge-group 1 ! interface Dialer0 description $FW_OUTSIDE$ ip address negotiated ip access-group 101 in no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat outside ip ips sdm_ips_rule_101 in ip inspect SDM_MEDIUM out ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication pap callin ppp pap sent-username email@example.com password 7 XXXXXXXXXXXXXX service-policy input sdmappfwp2p_SDM_MEDIUM service-policy output sdmappfwp2p_SDM_MEDIUM ! interface BVI1 description $FW_INSIDE$ ip address 192.168.0.254 255.255.255.0 ip access-group 100 in no ip redirects no ip unreachables no ip proxy-arp ip accounting output-packets ip flow ingress ip nat inside ip inspect sdm_ins_in_100 in ip virtual-reassembly service-policy input sdmappfwp2p_SDM_MEDIUM service-policy output sdmappfwp2p_SDM_MEDIUM ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 Dialer0 ip route 192.168.1.0 255.255.255.0 192.168.0.180 ip route 192.168.2.0 255.255.255.0 192.168.0.180 ip route 192.168.3.0 255.255.255.0 192.168.0.180 ip route 192.168.15.0 255.255.255.0 192.168.0.180 ip http server ip http access-class 2 ip http authentication local ip http secure-server ! ip flow-export source FastEthernet0 ip flow-export version 9 ip flow-export template timeout-rate 1 ip flow-export destination 192.168.0.180 2055 ip flow-top-talkers top 20 sort-by bytes ! ip nat inside source list 1 interface Dialer0 overload ip nat inside source list 3 interface Dialer0 overload ip nat inside source static tcp 192.168.0.180 56881 interface Dialer0 56881 ip nat inside source static udp 192.168.0.180 56881 interface Dialer0 56881 ip nat inside source static 192.168.0.180 interface Dialer0 ip ospf name-lookup ! logging trap warnings logging facility user logging 192.168.0.180 access-list 1 remark SDM_ACL Category=1 access-list 1 permit 192.168.0.180 access-list 2 remark SDM_ACL Category=1 access-list 2 permit 192.168.0.180 access-list 3 remark SDM_ACL Category=2 access-list 3 permit 192.168.15.0 0.0.0.255 access-list 3 permit 192.168.1.0 0.0.0.255 access-list 3 permit 192.168.2.0 0.0.0.255 access-list 3 permit 192.168.3.0 0.0.0.255 access-list 100 remark auto generated by SDM firewall configuration access-list 100 remark SDM_ACL Category=1 access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip any any access-list 101 remark auto generated by SDM firewall configuration access-list 101 remark SDM_ACL Category=1 access-list 101 permit udp host 184.108.40.206 eq domain any access-list 101 permit udp host 220.127.116.11 eq domain any access-list 101 remark Vuze willow access-list 101 permit tcp any any eq 56881 log access-list 101 remark Vuze willow access-list 101 permit udp any any eq 56881 log access-list 101 deny ip 192.168.0.0 0.0.0.255 any access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any unreachable access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip 127.0.0.0 0.255.255.255 any access-list 101 deny ip host 255.255.255.255 any access-list 101 deny ip host 0.0.0.0 any access-list 101 deny ip any any log dialer-list 1 protocol ip permit no cdp run ! ! ! ! snmp-server community public RO snmp-server community XXXXXXXXXX RW ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^CYou require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now. If you fail to disconnect you may be prosecuted under the Crimes Amendment Act 2003 section 252 under New Zealand law. ^C ! line con 0 login authentication local_authen no modem enable transport output telnet line aux 0 login authentication local_authen transport output telnet line vty 0 4 access-class 1 in privilege level 15 authorization exec local_author login authentication local_authen transport preferred ssh transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 end
you're doing CBAC and by default CBAC doesn't inspect traffic generated by the router.
Can you try this:
ip inspect name SDM_MEDIUM udp router-traffic
and add following: ip inspect log drop-pkt in global config
Thans for that but I just tried your suggestions and still no luck I'm afraid.
Translating "www.google.com"...domain server (18.104.22.168) (22.214.171.124)
% Unrecognized host or address, or protocol not running.
These name server addresses are correct and work from the LAN but I can't even ping them from the router.
So you didn't see any log ? how are you connected to the router ?
Can you do a packet capture on the router either using RITE or EPC while you do your dns lookup and post it here.
Here are the links for these 2 technologies:
You could also try a debug ip inspect event and a debug ip packet detail 199 where 199 is an ACL only permitting DNS queries and replies
While I come to grips with the two techniques you have suggested I managed to get syslog working ok so set debug ip udp and did a ping www.google.com with these results:-
Jan 18 08:03:34 cordy 625: 001362: *Oct 20 15:01:49.476 Napier: UDP: Random loca
l port generated 62866, network 1
Jan 18 08:03:34 cordy 626: 001363: *Oct 20 15:01:49.476 Napier: Reserved port 62
866 in Transport Port Agent for UDP IP type 1
Jan 18 08:03:34 cordy 627: 001364: *Oct 20 15:01:49.480 Napier: UDP: sent src=126.96.36.199(62866), dst=188.8.131.52(53), length=40
Jan 18 08:03:36 cordy 628: 001365: *Oct 20 15:01:51.413 Napier: %SEC-6-IPACCESSLOGP: list 101 denied udp 184.108.40.206(123) -> 220.127.116.11(44447), 1 packet
Which looks like it it sends the DNS request but denies the reply back from the DNS server. There are rules in list 101 that seem to permit the target DNS servers:-
access-list 101 permit udp host 18.104.22.168 eq domain any
access-list 101 permit udp host 22.214.171.124 eq domain any
but the reply is coming back from a completely different server??? Maybe I should just change those access-list 101 to any eq domain any. I'll give that a go now.
denied udp 126.96.36.199(123) this is NTP not DNS.
I also tried a name lookup with this dns server: 188.8.131.52 and it timed out so I think the problem is with this server, I'll capture the packet or do a dig to further investigate.
Duh! silly me.
I do know that these two name servers work fine and I guess my ISP may be filtering them from access by anyone outside their address space. Anyway, I gave up rethought my approach an dug out a previous config which I know was working but for a simpler setup and hand crafted some changes to that. Once loaded, it all works fine now. The one I was trying to make work was havily configed by SDM and this seems to have prevented traffic to/from the internal router itself while still allowing LAN to WAN to work. I've done a diff on the two configs but there are so many changes it's hard to see the wood for the trees as the original one was basically hand made.
Thanks for your help with this and I'm sorry we could not find the original problem but I'll spend more time on it when I get that precious commodity