01-07-2014 11:05 PM - edited 03-04-2019 10:00 PM
Hi Guys,
I've been struggling with this one for a few days now - I'm sure it's something simple that I've overlooked, but for the life of me I can't see it, so I'm hoping a fresh set of eyes might do the trick.
Situation
=======
Cisco 887W Router (IOS v15)
Static IP on External Interface - Dialer0
Several Security Zones set up on Internal Interfaces
Cisco Zone-Based-Firewall in operation
Nat in operation
Internal DNS Server (DMZ) being served to External Clients
Internal WWW Server (DMZ) being served to External Clients
Issue
====
Everything is working perfectly - Firewall, NAT, Internal DNS, etc. - EXCEPT that when querying the DNS Server from outside the Network a "Timeout waiting for response" message is received (via the Trace DNS Delegation website at www.simpledns.com/lookup-dg.aspx).
Relevant Config Entries
==================
ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53
ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53
zone security OUTSIDE
zone security DMZ
zone-pair security OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS
policy-map type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS
 class type inspect CLASSMAP_ACCESS_TO_DMZ_SERVERS
  inspect
 class class-default
  drop
class-map type inspect match-all CLASSMAP_ACCESS_TO_DMZ_SERVERS
 match access-group name ACCESS_TO_DNS_SERVERS
ip access-list extended ACCESS_TO_DNS_SERVERS
 permit udp any host 192.168.1.2 eq domain
 permit tcp any host 192.168.1.2 eq domain
Any help greatly appreciated - thanks
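The chain above (zone-pair -> policy-map -> class-map -> ACL, plus the static NAT entries that the ACL must permit) is easy to break with one mismatched name or a missing protocol line, and the router gives no warning. As an added example that is not part of this thread, the following Python script parses an IOS-style config, follows each zone-pair's service-policy down to its ACL, reports dangling references, and checks that every static NAT port forward is permitted by an ACL that an inspect or pass action actually reaches. The sample input is the poster's own config re-indented the way IOS displays it; the parser handles only the command forms shown there plus a handful of named ports, and evaluates each ACL first-match like the router does.

```python
# Constructed sample input: the thread's own config, indented the way IOS shows it.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53
ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53
zone security OUTSIDE
zone security DMZ
zone-pair security OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS
policy-map type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS
 class type inspect CLASSMAP_ACCESS_TO_DMZ_SERVERS
  inspect
 class class-default
  drop
class-map type inspect match-all CLASSMAP_ACCESS_TO_DMZ_SERVERS
 match access-group name ACCESS_TO_DNS_SERVERS
ip access-list extended ACCESS_TO_DNS_SERVERS
 permit udp any host 192.168.1.2 eq domain
 permit tcp any host 192.168.1.2 eq domain
"""
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "smtp": 25, "ssh": 22}   # named ports seen in ACLs (subset)

def parse_ace(w):   # one access-list entry -> action, protocol, source, destination, destination port (None = any)
    def take_addr(toks):   # 'any' | 'host A' | 'A WILDCARD' -> (text, remaining tokens)
        if toks[0] == "any":
            return "any", toks[1:]
        return (toks[1], toks[2:]) if toks[0] == "host" else (f"{toks[0]} {toks[1]}", toks[2:])
    src, rest = take_addr(w[2:])
    if rest and rest[0] in ("eq", "gt", "lt", "neq"):   # skip an optional source-port qualifier
        rest = rest[2:]
    dst, rest = take_addr(rest)
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest and rest[0] == "eq" else None
    return {"action": w[0], "proto": w[1], "src": src, "dst": dst, "port": port}

def parse_config(text):
    cfg = {"nat": [], "zone_pairs": {}, "policy_maps": {}, "class_maps": {}, "acls": {}}
    block = None   # (section, name) of the top-level command that owns the indented lines that follow
    for raw in text.splitlines():
        line, w = raw.rstrip(), raw.split()
        if not w:
            continue
        if not line[0].isspace():                 # top-level command: starts a new block
            block = None
            if line.startswith("ip nat inside source static ") and w[5] in ("tcp", "udp"):
                cfg["nat"].append((w[5], w[6], int(w[7]), int(w[10])))   # proto, inside addr, local port, global port
            elif line.startswith("zone-pair security "):
                cfg["zone_pairs"][w[2]] = {"source": w[4], "destination": w[6], "policy": None}
                block = ("zone_pairs", w[2])
            elif line.startswith("policy-map type inspect "):
                cfg["policy_maps"][w[3]], block = [], ("policy_maps", w[3])   # ordered [class, action] pairs
            elif line.startswith("class-map type inspect "):
                cfg["class_maps"][w[4]], block = [], ("class_maps", w[4])     # referenced ACL names
            elif line.startswith("ip access-list extended "):
                cfg["acls"][w[3]], block = [], ("acls", w[3])
            continue
        section, name = block or (None, None)
        if section == "zone_pairs" and w[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = w[3]
        elif section == "policy_maps" and w[0] == "class":
            cfg["policy_maps"][name].append([w[-1], None])
        elif section == "policy_maps" and w[0] in ("inspect", "pass", "drop") and cfg["policy_maps"][name]:
            cfg["policy_maps"][name][-1][1] = w[0]
        elif section == "class_maps" and w[:3] == ["match", "access-group", "name"]:
            cfg["class_maps"][name].append(w[3])
        elif section == "acls" and w[0] in ("permit", "deny"):
            cfg["acls"][name].append(parse_ace(w))
    return cfg

def acl_permits(aces, proto, addr, port):   # first matching entry decides, as on the router; no match = implicit deny
    for ace in aces:
        if ace["proto"] in (proto, "ip") and ace["dst"] in (addr, "any") and ace["port"] in (port, None):
            return ace["action"] == "permit"
    return False

def check(text):   # returns a list of findings; an empty list means the chain is consistent
    cfg, findings, inspected = parse_config(text), [], set()   # inspected: ACLs an inspect/pass action reaches
    for zp, info in cfg["zone_pairs"].items():
        pm = info["policy"]
        if pm not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp}: policy-map {pm} is not defined")
            continue
        for cls, action in cfg["policy_maps"][pm]:
            if cls == "class-default":
                continue
            if cls not in cfg["class_maps"]:
                findings.append(f"policy-map {pm}: class-map {cls} is not defined")
                continue
            for acl in cfg["class_maps"][cls]:
                if acl not in cfg["acls"]:
                    findings.append(f"class-map {cls}: access-list {acl} is not defined")
                elif action in ("inspect", "pass"):
                    inspected.add(acl)
    for proto, addr, lport, gport in cfg["nat"]:   # every port forward needs a permit on the inspected path
        if not any(acl_permits(cfg["acls"][a], proto, addr, lport) for a in inspected):
            findings.append(f"NAT {proto}/{gport} -> {addr}:{lport} is not permitted by any inspected ACL")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONFIG)) or "no findings: NAT, ACL, class-map and policy chain line up")
```

On the thread's config the checker reports nothing, which agrees with Alain's reading that the policy itself is correct; deleting the udp line from the ACL, or misspelling the ACL name in the class-map, makes it name the exact object that breaks the path. Matching the ACL against the inside (post-NAT) address is deliberate, since that is how the poster wrote it; the script does not model the router's NAT/firewall ordering itself.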
01-08-2014 12:33 AM
Hi,
Your config is correct, does the DNS server have a correct route back ?
Regards
Alain
Don't forget to rate helpful posts.
01-08-2014 02:47 AM
Hello
Try using a Match-Any statement instead of a Match-All for the ZBFW class map related to your extended ACL.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
01-08-2014 03:28 AM
Hi Paul,
there is only 1 match statement so match-all or match-any will do the same.
Regards
Alain
Don't forget to rate helpful posts.
01-08-2014 03:35 AM
Hello
Yes, you are correct - apologies, I was thinking of the ACL, and looking at the class-map it should have been just the class-map only.
Just for brevity, can you clear your zone counters, test again and show the output from the zone policy:
clear zone-pair counter
sh policy-map type inspect zone-pair sessions
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
01-10-2014 12:46 AM
Hi Paul,
Relevant Zone Policy Output Below:
policy exists on zp OUTSIDE_TO_DMZ
Zone-pair: OUTSIDE_TO_DMZ
 Service-policy inspect : POLICYMAP_ACCESS_TO_DMZ_SERVERS
  Class-map: CLASSMAP_ACCESS_TO_DMZ_SERVERS (match-all)
   Match: access-group name ACCESS_TO_DNS_SERVERS
   Inspect
  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes
On a further note, we know the access-list is matching because we can see its match count go up.
So, the plot thickens - thanks guys
01-10-2014 01:35 AM
Hi,
You didn't reply to my request. Are you sure the DNS server has got the correct route to reply?
Can you sniff on the DNS server and use the packet capture feature on the router to capture on both interfaces, and post all these pcap files?
Regards
Alain
Don't forget to rate helpful posts.
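When capturing on both router interfaces and on the DNS server as Alain asks, it helps to drive known traffic through the path and to see, per transport, exactly what the external lookup tool's "Timeout waiting for response" corresponds to, since the poster forwards both UDP/53 and TCP/53. The following probe is an added example, not from this thread or from the lookup site: it builds a minimal DNS query, sends it over UDP or over length-prefixed TCP to the forwarded address, and reports a timeout, a socket error, or the decoded response header. The server address and query name on the command line are placeholders to be replaced with the Dialer0 address and a zone the DMZ server actually hosts.

```python
import random
import socket
import struct
import sys

def build_query(name, qtype=1, txid=None):
    """Minimal DNS query with RD set; qtype 1 = A, 2 = NS, 6 = SOA."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, flags (RD), QDCOUNT=1, AN/NS/AR=0
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS IN

def parse_header(data):
    """Decode the 12-byte response header into the fields worth checking by eye."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an}

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP frames with a 2-byte length)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def probe(server, name, transport="udp", timeout=3.0):
    """Send one query over UDP or TCP. Returns {'result': 'timeout'} or {'result': 'error: ...'}
    when nothing usable comes back, otherwise the parsed header with result 'answered'."""
    q = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data = s.recvfrom(4096)[0]
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)          # DNS over TCP is length-prefixed
                data = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
    except socket.timeout:            # the case the external tool reports as "Timeout waiting for response"
        return {"result": "timeout"}
    except OSError as e:              # e.g. connection refused on TCP, or no route
        return {"result": f"error: {e}"}
    hdr = parse_header(data)
    hdr["result"] = "answered" if hdr["id"] == struct.unpack("!H", q[:2])[0] else "id mismatch"
    return hdr

if __name__ == "__main__":
    # Placeholders (hypothetical): replace with the Dialer0 public address and a zone the DMZ server hosts.
    server, name = (sys.argv[1:3] + ["203.0.113.10", "example.org"])[:2]
    for transport in ("udp", "tcp"):
        print(transport, probe(server, name, transport))
```

Running it from an outside host while the router's capture is active tells you in one go whether the query reaches the outside interface, whether it leaves the inside interface towards 192.168.1.2, and whether a reply ever comes back; a query visible inbound with no reply outbound points at the server's return route rather than at the zone policy.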