Disabling DNS rewriting 877 router IOS Version 12.4(15)T6

alan.morris (Level 1)

I seem unable to do this. There is no 'no-payload' option in the IP NAT command, nor is there an 'ip service alg tcp dns'. DNS does not seem to be being inspected either.

Can anyone suggest how I can disable DNS rewriting please.

Regards

14 Replies

Peter Paluch (Cisco Employee)

Hi Alan,

The command should actually say no ip nat service alg udp dns and no ip nat service alg tcp dns - can you double check that this command is missing? The no-payload option appears to be available only with static NAT entries.

Best regards,

Peter

Hi Peter, thank you for your reply.

It does appear that the ALG option is not present, see below:

Rtr(config)#no ip nat service ?
  H225                         H323-H225  protocol
  allow-h323-even-rtp-ports    Allow even RTP ports for H323
  allow-h323-keepalive         Allow H323 KeepAlive
  allow-sip-even-rtp-ports     Allow even RTP ports for SIP
  allow-skinny-even-rtp-ports  Allow even RTP ports for Skinny
  append-ldap-search-res       Append ldap search result
  dns-reset-ttl                Reset dns cname ttl value
  fullrange                    allocate all available port of 1 to 65535
  list                         Specify access list describing global addresses
  ras                          H323-RAS protocol
  sip                          SIP protocol
  skinny                       skinny protocol

Rtr(config)#no ip nat service


Any thoughts?

Alan,

I am not sure if I can help here. I was wondering if perhaps you could try to use the following command:

no ip port-map

I am not sure if this helps, though, as I do not know if this NBAR-related command also influences the DNS ALG engine in NAT. In addition, if you are using any match protocol dns in your class-map constructs, this would stop them recognizing DNS traffic.

Otherwise, though, I am not sure if we can stop the DNS ALG in your IOS. Why are you actually trying to stop it? Are you using any internal servers whose IP addresses get translated to public IPs in DNS responses?

Best regards,

Peter

Hi Peter,

Just a little remark: ip port-map is used by CBAC and ZBF; for NBAR the command is ip nbar port-map instead.

Can we do a match protocol in a route-map for NAT, have you ever done it before?

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

Good catch! To be honest, I was confusing those commands... thanks for clearing that up.

Can we do a match protocol in a route-map for NAT, have you ever done it before?

I do not think we can. In all "maps" I know of, the only match protocol type of matching is in a class-map, and this class-map is then referred to by a policy-map. I do not believe I have seen any match rule in route-maps that could refer to a class-map or a policy-map.

What is your idea here, anyway?

Best regards,

Peter

Hi Peter,

I was thinking that it was impossible too and so I was asking myself how changing the port-mapping could solve the problem and that's why I asked you about it.

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

Oh, I get you now. My idea was that perhaps the DNS ALG used by NAT internally uses NBAR to recognize specific types of traffic - just a hypothesis... and preventing NBAR from recognizing the DNS traffic on port 53 would in effect deactivate the DNS ALG. As I said - it was just a hypothesis.

Still, it would be nice if Alan could test whether no ip port-map or no ip nbar port-map works for him!

Best regards,

Peter

Hi Peter, Alain,

Thanks for the input. I will give those suggestions a test later today and report back.

Regards,

Ok I have tried no ip port-map dns but this does not disable DNS rewriting. When I try no ip nbar it appears that option is not supported.

My reason for doing this is that I am having a look at Outlook Anywhere and wanted to disable rewriting to eliminate that variable from my testing.

Regards.

Alan,

I am still wondering... Can you post your complete NAT configuration?

Best regards,

Peter

Hi Peter, you are some determined man!! :-)

NAT config:

ip nat inside source list DMZ_Clients interface Dialer1 overload

ip nat inside source list Inside_Clients_NAT interface Dialer1 overload

ip nat inside source static 192.168.253.10 one_of_my_external_IPs

The 4 port router is divided into two VLANs each a member of a bridge group with separate beacons.

The inside_clients are on a 192.168.253.0/24 net

The DMZ_clients (other VLAN) are on a public IP subnet using IP addresses that are not actually mine !!! (this is a historical, not to say hysterical, hangover from an earlier config - it could be changed but as far as I can see should have no effect)

The Dialer1 address is a dynamically acquired (but fixed) IP from the ISP.

Is that enough info?

Regards

Alan,

I am not sure if I'm determined or stubborn... and it probably won't do much good anyway but I do not want to miss anything.

The ip nat inside source static command should have the option of using no-payload at its very end. Does your IOS give you that option? Would it help in your case?

How exactly do the DNS contents get rewritten, i.e. what exact two addresses get exchanged? I am trying to understand what information the IOS actually uses to rewrite the DNS payloads, as apart from the static mapping you have, the IOS does not seem to have enough information about which addresses to rewrite and how.

Best regards,

Peter

Peter, once again thanks. I will try and make a résumé at this point.

As per your earlier remark, the no-payload option is available on the static NAT and indeed works by disabling DNS rewriting.

However, I have been working on a client using the dynamic NAT; this is where I have been testing the Outlook Anywhere functionality.

It's looking like I can only disable the rewriting on the static NATs, as per your no-payload observation.

Unless you have any other suggestion I suggest that I mark this thread closed and will allocate 'correct answer' to your most recent post.

Regards,

Hi Alan,

Sadly, no more suggestions at this point, apart from upgrading your IOS to a version that supports the ip nat service alg commands.

I am thankful for your generosity but as we haven't really solved the problem, I don't think any of my answers deserves a "correct answer" grading.

Best regards,

Peter
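The two outcomes of the thread side by side, as an added configuration example that is not part of the original posts: the static mapping with and without the no-payload keyword (the only control available on 12.4(15)T6) and the global ALG commands for a release that has them. The public address 203.0.113.10 and the comments are placeholders; the list names, Dialer1 and 192.168.253.10 come from Alan's posted config.

```cisco-ios
! Added example, not from the thread. 203.0.113.10 is a placeholder public IP.
!
! Dynamic PAT for the inside clients. On 12.4(15)T6 there is no per-rule keyword
! to stop the DNS ALG from rewriting A records that match these translations.
ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
!
! --- Before: static mapping as posted. The DNS ALG rewrites 192.168.253.10 to
! --- 203.0.113.10 (and back) inside DNS payloads that cross the NAT boundary.
ip nat inside source static 192.168.253.10 203.0.113.10
!
! --- After: same mapping with no-payload. Only the IP header is translated;
! --- DNS answers carrying either address pass through unchanged, which is
! --- what Alan confirmed for static entries.
no ip nat inside source static 192.168.253.10 203.0.113.10
ip nat inside source static 192.168.253.10 203.0.113.10 no-payload
!
! On a release whose "ip nat service ?" lists the alg keyword, the DNS ALG can
! instead be disabled globally, which also covers the dynamic overload rules.
no ip nat service alg udp dns
no ip nat service alg tcp dns
```

Check which option the running image supports with "ip nat service ?" in config mode, as Alan did above; if alg is absent, only the per-entry no-payload keyword applies.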
