Internal DNS, NAT & Firewall Issue (I think)

CSCO10174474
Level 1

Hi Guys,

I've been struggling with this one for a few days now - I'm sure it's something simple that I've overlooked, but for the life of me I can't see it, so I'm hoping a fresh set of eyes might do the trick.

Situation

=======

     Cisco 887W Router (IOS v15)

     Static IP on External Interface - Dialer0

     Several Security Zones set up on Internal Interfaces

     Cisco Zone-Based-Firewall in operation

     NAT in operation

     Internal DNS Server (DMZ) being served to External Clients

     Internal WWW Server (DMZ) being served to External Clients

Issue

====

     Everything is working perfectly - Firewall, NAT, Internal DNS, etc. - EXCEPT that when querying the DNS Server from outside the Network a "Timeout waiting for response" message is received (via the Trace DNS Delegation website at www.simpledns.com/lookup-dg.aspx).

Relevant Config Entries

==================

ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53

ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53

zone security OUTSIDE

zone security DMZ

zone-pair security OUTSIDE_TO_DMZ source OUTSIDE destination DMZ

     service-policy type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS

policy-map type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS

     class type inspect CLASSMAP_ACCESS_TO_DMZ_SERVERS

          inspect

     class class-default

          drop

class-map type inspect match-all CLASSMAP_ACCESS_TO_DMZ_SERVERS

     match access-group name ACCESS_TO_DNS_SERVERS

ip access-list extended ACCESS_TO_DNS_SERVERS

     permit udp any host 192.168.1.2 eq domain

     permit tcp any host 192.168.1.2 eq domain

Any help greatly appreciated - thanks
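An added example, not from the original post or from Cisco: a small Python prober that sends the same kind of non-recursive (RD=0) query a delegation tracer sends, over both UDP and TCP, so the test can be run from any outside host and the result shows which transport times out, which one answers, and with what rcode, instead of a single "Timeout waiting for response" from the website. The public address 203.0.113.10, the name example.com and the embedded SAMPLE_RESPONSE bytes are assumptions/constructed data.

```python
"""Added example for this thread (not from the original post or from Cisco):
probe an externally published DNS server over UDP and TCP and report, per
transport, whether it answered, what rcode it returned, or whether it timed
out.  Run it from a host OUTSIDE the firewall.  The address, the queried
name and SAMPLE_RESPONSE below are assumptions / constructed data."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Standard query with RD=0, as a delegation tracer sends to an authoritative server."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0 => RD=0
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # class IN


def parse_header(data):
    """Decode the 12-byte header; enough to tell an answer from a refusal."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}


def summarize(raw, expected_id, transport):
    """Turn a raw reply into a result; a reply with the wrong ID is not ours."""
    h = parse_header(raw)
    if not h["qr"] or h["id"] != expected_id:
        return {"transport": transport, "status": "bad-id"}
    return {"transport": transport, "status": "answered", "aa": h["aa"],
            "rcode": RCODES.get(h["rcode"], str(h["rcode"])),
            "answers": h["ancount"]}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full reply")
        buf += chunk
    return buf


def probe(server, name, transport, timeout=3.0):
    """Send one query over 'udp' or 'tcp'; a missing reply is reported, not raised."""
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                raw, _ = s.recvfrom(4096)
        else:  # TCP: two-byte length prefix on both sides (RFC 1035 4.2.2)
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                raw = _recv_exact(s, length)
    except socket.timeout:
        return {"transport": transport, "status": "timeout"}
    except OSError as exc:            # e.g. connection refused / unreachable
        return {"transport": transport, "status": "error", "detail": str(exc)}
    return summarize(raw, txid, transport)


# Constructed reply for a query with ID 0x1234: QR=1, AA=1, RCODE=0,
# one question, one A record (192.0.2.1, TTL 3600).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    # Assumed public address of Dialer0 and a name the DMZ server is authoritative for.
    for transport in ("udp", "tcp"):
        print(probe("203.0.113.10", "example.com", transport))
```

Reading the result: "answered" with aa=True over both transports means the NAT and zone-pair path works end to end; a "timeout" on both transports while the zone-pair shows inspected sessions and 0 drops in class-default points at the reply path (the route back from the DNS server) rather than at the policy; a timeout on TCP only, with UDP answering, points at the TCP translation or inspection rather than the server.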

6 Replies

cadet alain
VIP Alumni

Hi,

Your config is correct, does the DNS server have a correct route back ?

Regards

Alain

Don't forget to rate helpful posts.

Hello

Try using a Match-Any statement instead of a Match-All for the ZBFW class map related to your extended ACL.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

There is only one match statement, so match-all or match-any will do the same.

Regards

Alain

Don't forget to rate helpful posts.

Hello

Yes, you are correct - apologies, I was thinking of the ACL; looking at the class-map, it should have been just the class-map only.

CSCO10174474

Just for brevity, can you clear your zone counters, test again and show the output from the zone policy:

clear zone-pair counter

sh policy-map type inspect zone-pair sessions

res

Paul


Hi Paul,

Relevant Zone Policy Output Below:

policy exists on zp OUTSIDE_TO_DMZ

     Zone-pair: OUTSIDE_TO_DMZ

          Service-policy inspect : POLICYMAP_ACCESS_TO_DMZ_SERVERS

               Class-map: CLASSMAP_ACCESS_TO_DMZ_SERVERS (match-all)

                    Match: access-group name ACCESS_TO_DNS_SERVERS

          Inspect

               Class-map: class-default (match-any)

                    Match: any

                    Drop

                         0 packets, 0 bytes

On a further note, we know the Access-List is matching because we can see its Match-Count go up.

So, the plot thickens - thanks guys

Hi,

You didn't reply to my request? Are you sure the DNS server has got the correct route to reply ?

Can you sniff on the DNS server, use the packet capture feature on the router to capture on both interfaces, and post us all these pcap files?

Regards

Alain

Don't forget to rate helpful posts.