
New Member

Cisco 837 won't resolve DNS - config attached

Hi, I have this config attached; for some reason I can't resolve DNS for web sites etc. If I put in the IP of the website it works. I'm sure it's something to do with access-list 101. Hope you can advise.

Also MSN won't work.

If I add access-list 101 permit ip any any, everything works, but doesn't that make everything insecure?


37 REPLIES
Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

I am not clear whether the problem that you describe is that the router itself can not resolve DNS or that hosts in the LAN connected to the router can not resolve DNS. So let me address both possible issues and you can tell us if either one seems to address your issue.

- router can not resolve DNS. This one is actually pretty simple because I do not see anything in the router config that identifies a DNS server for the router to use. If you want the router to resolve DNS then you need to configure a DNS server that it should access.

- hosts on the LAN can not resolve DNS. I note that the DHCP parameters configured will give the host dns-server 192.168.2.100. But that is the address of the router interface. A router is not a very effective DNS server - especially when the router is not configured with any DNS server to use itself. The best solution is to change the DHCP parameter and identify some real DNS server.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Thanks, does it make sense why adding access-list 101 ip any any fixes the issue?

Should I add ip name-server to the router or add dns-server to the DHCP scope?

Also in basic what does ip inspect do as a job?

Thanks

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

I am a bit surprised that adding permit ip any any to access list 101 fixes the issue. Access list 101 works in conjunction with ip inspect. ip inspect looks at outbound traffic and dynamically creates entries in the inbound access list to permit responses to come in that are responses to traffic initiated outbound from hosts on the inside. Since there is an inspect for DNS then DNS responses should get through. I suspect that there is something that the hosts need which is not provided by the inspect. Since access list 101 does have a deny ip any any at the bottom of the list and since that command includes the log parameter it should be possible to look in the logs and find what is being denied that is needed.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Thanks, ah so the ip inspect opens ports as and when they are needed on the outbound? Is the 101 list opening the inbound ports then?

How do I see the log then that might help see what's going on?

Many thanks

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi whiteford,

Can you ping the DNS IP from the router itself? If yes, it's a NAT issue. I had a similar problem wherein I could ping DNS from the router but couldn't ping DNS from clients. I resolved it by enabling NAT through SDM.

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi Sunjiiv74, do you have a sample config at hand for me to look at?

thanks

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

There are several possibilities of how to see the log which could help see what is going on. If you telnet or SSH to the router then you could do terminal monitor and the log messages should be sent to your telnet or SSH session. Log messages are also sent to the logging buffer. I see in the config that you set the logging buffer to the level of warning which does not show those log messages since the output of ACL processing is level 6. So if you change your config to this:

logging buffered 8192 info

then you should be able to see the log messages by doing show log.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

I'll try that Rick. So how does the inspect policy work? I see the ports in the inspect list are the only ones allowed outbound in dialer list 1; if any aren't on there, will a user not be able to use that port?

How does access-list 101 work with the inspect list? Will a user go outbound, say on https (if the inspect rule allows it), and then if access-list 101 allows https back through dialer 1 the page will be displayed?

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

I am a bit puzzled about your comment about the ports specified by inspect and the dialer list. In the config that I am looking at the dialer list permits any IP packet.

Perhaps it would help to start with the observation that inspect is a way of implementing a firewall strategy. Basically the way that inspect works is that you configure inspect to look for certain types of traffic which you want to enable. You configure inspect on the outbound interface. You also configure an access list inbound on that interface (and in that access list you may configure some types of traffic - especially anything that you want to allow in when it is originated from outside). Then inspect looks at the outbound traffic. When it sees outbound traffic that matches what it is looking for it dynamically creates entries in the inbound access list to permit that traffic responses through the inbound access list. This is more precise than the inbound access list could do on its own because in addition to the protocol port numbers it knows the source and destination addresses. The dynamic entries will dynamically be removed from the inbound access list when the traffic stops.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi Rick, it's becoming clearer now. Just one thing: I don't see http in the inspect list. Would that mean a dynamic rule would not be created, stopping a webpage being displayed? Or does http come under something else? I just can't see a rule for http outbound access.

Thanks for your time, I will add the logging later and let you know what the output is.

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

I believe that there are 2 lines in the inspect configuration that help answer this:

ip inspect name SDM_LOW https

ip inspect name SDM_LOW tcp

I believe that the statement for tcp would cover regular http (as compared to https).

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Damn thought I had something! I guess logging it is.

For best practice, do you think my router's internet DNS is right? I see there is an ip name-server option for the router to use.

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

It does seem kind of logical to assume that since there is an inspect for HTTP that if you do not inspect HTTP then it might not be permitted. But as I read about the inspect process I find that inspect http is there to allow you to do filtering on java and that normal http traffic is generally processed by the inspect tcp.

I note that the config has no ip cef configured and wonder if there is a reason for that? I wondered if that might impact the inspect process but I did find a reference that says that inspect works with process switched traffic. I am afraid that my suggestion at this point is to enable logging on the ACL deny statements and try to find what is being denied that is critical.

As for the question about name-server, that is what I am most used to seeing and using on the router. But the more that I look at this config the more that I think what you are doing with ppp ipcp dns request may fit your situation.

HTH

Rick

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

Now that I have answered that I have come up with a new theory about the problem. You have configured the router to act as the DNS server for the inside hosts. And there is no existing rule in access list 101 to permit inbound DNS. For inside hosts the inspect udp should permit their DNS traffic. But their DNS request would go to the router. And inspect examines traffic going through the router but does not examine traffic for which the router is the source or the destination.

So my theory is that the router DNS requests are not being inspected and therefore there is no dynamic rule to permit responses to the router DNS request. You could check this either by changing the config of the DHCP and instead of specifying the router as the DNS put in a valid external DNS server address. Or you could check it by creating a permit in access list to permit inbound DNS.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi, I will get the log file tonight. I posted last night (UK time) but must have dreamed it!

I saw the log showing that access-list 101 was denying access whenever I tried to access a website or MSN though.

Should I also be using "ip name-server" in the config, and get the DHCP scope to point to external DNS servers? I'm not sure what the best practice is for this.

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

What I am particularly interested in from the log is what specific traffic is being denied. In my previous response I proposed a theory that the problem is that inspect does not examine traffic where the router itself is the source or the destination. So inspect should not create a permit for the router DNS request. And if the hosts are using the router as their DNS server, then that would be the problem. Seeing the log file could help confirm this. Putting an explicit permit into access list 101 for DNS to the router would be one way to fix it (assuming that I am right) or changing your DHCP configuration so that you do not give the router address as the DNS server to clients would be another way to fix it.

So post the file or make one of these changes.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi, I will get this log for you. If I just add a couple of DNS servers to the users' DHCP scope, will I have to do anything else, like remove anything, or should that be enough, given what you said about those DNS settings in the dialer interface? I will get the log first though, as it will be nice to see what this could be.

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

If you add a couple of DNS servers to the DHCP scope I do not believe that you would have to do anything else (assuming that the configuration which specifies the router address as DNS server is overwritten in the process of configuring the DNS servers).

I agree that it would be nice to see the log and to see if it verifies my theory.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Rick,

Here it is, 80.92.129.253 is my outside address:

Nov 13 19:03:35.086: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.110.90(1863) -> 80.92.129.253(1043), 1 packet

Nov 13 19:03:40.314: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 80.92.129.253(53), 1 packet

Nov 13 19:03:51.444: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 80.92.129.253(53), 1 packet

Nov 13 19:04:08.240: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.22.108.100(6348) -> 80.92.129.253(35191), 1 packet

Nov 13 19:04:28.244: %SEC-6-IPACCESSLOGP: list 101 denied udp 24.64.109.54(23048) -> 80.92.129.253(1026), 1 packet

Nov 13 19:04:52.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 199.106.212.28(80) -> 80.92.129.253(1087), 1 packet

Nov 13 19:10:20.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.192.113.155(1265) -> 80.92.129.253(445), 1 packet d

Nov 13 19:10:22.099: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.201.128.131(8087) -> 80.92.129.253(35191), 1 packet

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

Thanks for posting the log output. I believe that it does confirm my theory of what is causing the problem: the client sends a DNS request to the router, the router sends a DNS request to the servers it learned from the provider, and ACL 101 is denying the response coming to the router. And the reason that things work when you change ACL 101 to permit ip any any is that it then permits the router DNS, but as you comment it reduces the degree of security.

I believe that you can solve this immediate issue by putting a statement into ACL 101 to permit DNS responses to the router. Be aware that since the router is negotiating its address that the address might change over time.

I believe that you could also fix this immediate issue by changing your DHCP scope and putting some real DNS server into the scope rather than using the router address as the DNS server for the clients.

There may also be some issue that you need to look at concerning the other traffic to the router address that is being denied. Perhaps you can identify what this other traffic is and whether you need permits in ACL 101 for other router traffic as well as DNS.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi, everything I have tried seems to work now that I have amended the DHCP scope's DNS servers to 3 external ones.

I do get these popping up when I'm not doing anything. If I run an nslookup against them they seem to be from my ISP, I think.

Nov 13 20:55:38.861: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.198.54.60(2529) -> 90.198.235.164(135), 1 packet

Nov 13 20:55:54.881: %SEC-6-IPACCESSLOGP: list 101 denied udp 24.64.94.244(4028) -> 90.198.235.164(1026), 1 packet

H0m3#

Nov 13 20:56:55.416: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 90.198.235.164(56311), 2 packets

Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 90.198.235.164(50746), 2 packets

Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.109.91(1863) -> 90.198.235.164(1676), 12 packets

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

I do believe that putting external DNS servers into the scope is a good solution. I am glad that things are now working as expected.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

The only part that concerns me is when I try to use my Cisco VPN client to my work's concentrator on 1.2.3.4: it connects but I can't access anything or ping anything at work:

Nov 13 21:18:55.439: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets

Do I need some gre rule or something?

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

What you need is an IPSec rule. ip inspect will examine TCP and UDP but does not examine protocols like ESP (which is IP protocol 50 and is the foundation of IPSec). This is what is being denied by the access list:

list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets

Note that the "denied 50" indicates denied protocol 50 = ESP. So you will need to add a rule in access list 101 to permit ESP protocol 50 traffic. Then this issue should be solved.

HTH

Rick
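As an added example (not from the thread, and not Cisco's code), a small Python parser for the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGNP lines quoted above that tallies denied packets into the three buckets the thread ends up distinguishing: DNS replies to the router's own queries, ESP from the VPN concentrator, and unsolicited inbound noise the ACL should be dropping. The sample lines and the 1.2.3.4 peer address are copied from the posts; the bucket names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ACL log lines quoted in the thread.
SAMPLE_LOG = """\
Nov 13 19:03:40.314: %SEC-6-IPACCESSLOGP: list 101 denied udp 90.207.238.97(53) -> 80.92.129.253(53), 1 packet
Nov 13 19:03:51.444: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.86.189.16(53) -> 80.92.129.253(53), 1 packet
Nov 13 19:10:20.183: %SEC-6-IPACCESSLOGP: list 101 denied tcp 90.192.113.155(1265) -> 80.92.129.253(445), 1 packet
Nov 13 20:57:55.423: %SEC-6-IPACCESSLOGP: list 101 denied tcp 207.46.109.91(1863) -> 90.198.235.164(1676), 12 packets
Nov 13 21:18:55.439: %SEC-6-IPACCESSLOGNP: list 101 denied 50 1.2.3.4 -> 90.198.235.164, 109 packets
"""

# IPACCESSLOGP carries a protocol name and ports; IPACCESSLOGNP (non-port
# protocols such as ESP) carries the IP protocol number and no ports.
LOG_P = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")
LOG_NP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\d+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?")
PROTO_NAMES = {"50": "esp", "51": "ah", "47": "gre"}  # IANA protocol numbers

def parse_line(line):
    """Return a dict for one ACL log line, or None if it is not one."""
    m = LOG_P.search(line)
    if m:
        entry = m.groupdict()
        entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    else:
        m = LOG_NP.search(line)
        if not m:
            return None
        entry = m.groupdict()
        entry["proto"] = PROTO_NAMES.get(entry["proto"], entry["proto"])
        entry["sport"] = entry["dport"] = None
    entry["count"] = int(entry["count"])
    return entry

def classify(entry, vpn_peers=()):
    if entry["proto"] == "udp" and entry["sport"] == 53:
        return "dns-reply-to-router"   # inspect never saw the router's own query
    if entry["proto"] == "esp" and entry["src"] in vpn_peers:
        return "esp-from-vpn-peer"     # inspect is TCP/UDP only; needs a static permit
    return "unsolicited-inbound"       # the deny at the bottom is doing its job

def summarize(text, vpn_peers=()):
    """Total denied packets per bucket for a block of 'show log' output."""
    totals = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "denied":
            totals[classify(entry, vpn_peers)] += entry["count"]
    return dict(totals)
```

Running summarize(SAMPLE_LOG, vpn_peers=("1.2.3.4",)) over a real show log capture gives a quick view of how many of the denies are self-inflicted (the router's DNS and the VPN's ESP) versus background scanning.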

New Member

Re: Cisco 837 won't resolve DNS - config attached

I will try this and let you know, and I will rate the post as it's been so useful.

New Member

Re: Cisco 837 won't resolve DNS - config attached

Hi, should telnet work from a remote Internet host on this config? I have added the following, but can't gain access from another location via telnet. I wouldn't mind the SDM too. I haven't got a static address, so will try to use DDNS at some point again, as I tried and failed at that :)

access-list 50 permit 4.3.2.1
line vty 0 4
 access-class 50 in
 privilege level 15
 login local
 transport input telnet
 transport output all

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

I would not expect telnet from an Internet host to work with the existing config. Putting an entry into access list 50 to permit remote access from the host is an important part of enabling access but is not enough. You also need an entry in access list 101 to permit the inbound telnet. And if you want to use SDM then you would need permit statements for that also.

If you are going to be doing remote access from an Internet host it might be good to think about using SSH rather than telnet. SSH provides similar functions as telnet and is much more secure.

HTH

Rick

New Member

Re: Cisco 837 won't resolve DNS - config attached

Thanks, is SSH easy to configure?

Hall of Fame Super Silver

Re: Cisco 837 won't resolve DNS - config attached

Andy

Yes SSH is easy to configure. You do need to verify that the feature set of the code that you are running will support SSH (that it supports encryption). You will need to generate RSA keys (and generation of RSA keys needs to have a unique host name and a domain name - the config that you posted looks like it has the host name blanked out and I do not see a domain name). If you are running fairly recent code you probably want to configure to specify SSH version 2. I see that you already have the vty lines configured with transport input telnet ssh so they should be good to go with SSH.

HTH

Rick
