Internal DNS, NAT & Firewall Issue (I think)

Hi Guys,

I've been struggling with this one for a few days now - I'm sure it's something simple that I've overlooked, but for the life of me I can't see it, so I'm hoping a fresh set of eyes might do the trick.

Situation

=======

     Cisco 887W Router (IOS v15)

     Static IP on External Interface - Dialer0

     Several Security Zones set up on Internal Interfaces

     Cisco Zone-Based-Firewall in operation

     Nat in operation

     Internal DNS Server (DMZ) being served to External Clients

     Internal WWW Server (DMZ) being served to External Clients

Issue

====

     Everything is working perfectly - Firewall, NAT, Internal DNS, etc, EXCEPT when querying the DNS Server from outside the Network a "Timeout waiting for response" message is received (via the Trace DNS Delegation website at www.simpledns.com/lookup-dg.aspx).

Relevant Config Entries

==================

ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53
ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53

zone security OUTSIDE
zone security DMZ

zone-pair security OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
     service-policy type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS

policy-map type inspect POLICYMAP_ACCESS_TO_DMZ_SERVERS
     class type inspect CLASSMAP_ACCESS_TO_DMZ_SERVERS
          inspect
     class class-default
          drop

class-map type inspect match-all CLASSMAP_ACCESS_TO_DMZ_SERVERS
     match access-group name ACCESS_TO_DNS_SERVERS

ip access-list extended ACCESS_TO_DNS_SERVERS
     permit udp any host 192.168.1.2 eq domain
     permit tcp any host 192.168.1.2 eq domain

Any help greatly appreciated - thanks
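As an added example, not part of the original thread and not Cisco tooling: a small Python 3 probe to run from a host on the OUTSIDE side of the router. It sends the same NS query over udp/53 and tcp/53 (the two transports the static NAT entries above expose), reports which transport times out, and then checks whether the server will recurse for a foreign name, which is worth knowing when the ACL lets "any" reach it. The server address and zone name are command-line arguments and are assumed; the sample response bytes are constructed here for illustration.

```python
"""Probe a NAT-exposed DNS server over UDP and TCP and report which transport times out."""
import random
import socket
import struct

TRANSPORTS = ("udp", "tcp")   # the two static NAT entries in the post: udp/53 and tcp/53


def build_query(name, qtype=1, rd=1, txid=None):
    """Build a minimal RFC 1035 query. qtype 1 = A, 2 = NS. Returns (bytes, txid)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000          # only the RD bit is ever set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid


def parse_header(resp, expect_txid=None):
    """Decode the response header; raise ValueError on a short or mismatched reply."""
    if len(resp) < 12:
        raise ValueError("short response")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "aa": bool(flags & 0x0400),      # authoritative answer
        "tc": bool(flags & 0x0200),      # truncated: retry over TCP
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,         # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "authority": ns,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf


def send_query(server, query, transport, timeout=3.0):
    """Send one query and return the raw response; socket.timeout propagates to the caller."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recvfrom(4096)[0]
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, zone, foreign_name="example.com."):
    """NS query for the hosted zone over both transports, then an open-recursion check."""
    results = {}
    for transport in TRANSPORTS:
        query, txid = build_query(zone, qtype=2, rd=0)
        try:
            hdr = parse_header(send_query(server, query, transport), txid)
            results[transport] = "ok" if hdr["qr"] else "error"
        except socket.timeout:
            results[transport] = "timeout"
        except (OSError, ValueError):
            results[transport] = "error"
    # An authoritative server reachable from "any" should not recurse for strangers.
    query, txid = build_query(foreign_name, qtype=1, rd=1)
    try:
        hdr = parse_header(send_query(server, query, "udp"), txid)
        results["open_recursion"] = hdr["ra"] and hdr["answers"] > 0
    except (OSError, ValueError):
        results["open_recursion"] = None   # could not tell
    return results


def diagnose(results):
    """Map the per-transport outcome to the next thing to check on the router or server."""
    udp, tcp = results.get("udp"), results.get("tcp")
    if udp == "timeout" and tcp == "timeout":
        return "no reply on either transport: check the server's return route and the zone-pair counters"
    if udp == "timeout":
        return "TCP answers but UDP does not: check the udp/53 NAT entry and the ZBFW udp match"
    if tcp == "timeout":
        return "UDP answers but TCP does not: check the tcp/53 NAT entry and the ZBFW tcp match"
    if "error" in (udp, tcp):
        return "active error rather than timeout: something refused or reset; check ACLs on router and server"
    return "both transports answer"


# Constructed sample: an authoritative NOERROR reply with one answer, txid 0x1234.
SAMPLE_RESPONSE = b"\x12\x34\x84\x80\x00\x01\x00\x01\x00\x00\x00\x00"

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]      # e.g. <public IP of Dialer0> example.org
    r = probe(server, zone)
    print(r)
    print(diagnose(r))
```

Run it from outside as `python3 dnsprobe.py <public IP of Dialer0> <zone>`. A timeout on both transports while the ACL match count on the router keeps rising means the query is being admitted but the reply never comes back, which points at the server's return path rather than the inbound policy; a timeout on only one transport points at the NAT or ACL entry for that protocol. If `open_recursion` comes back True, the server answers recursive queries for anyone on the Internet and should be restricted to authoritative service or to its own clients.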


Internal DNS, NAT & Firewall Issue (I think)

Hi,

Your config is correct, does the DNS server have a correct route back ?

Regards

Alain

Don't forget to rate helpful posts.

Re: Internal DNS, NAT & Firewall Issue (I think)

Hello

Try using a Match-Any statement instead of a Match-All for the ZBFW class map related to your extended ACL.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Internal DNS, NAT & Firewall Issue (I think)

Hi Paul,

there is only 1 match statement so match-all or match-any will do the same.

Regards

Alain

Don't forget to rate helpful posts.

Re: Internal DNS, NAT & Firewall Issue (I think)

Hello

Yes, you are correct - apologies, I was thinking of the ACL; looking at the class-map, it should have been just the class-map only.


Just for brevity, can you clear your zone counters, test again and show the output from the zone policy:

clear zone-pair counter

sh policy-map type inspect zone-pair sessions

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Re: Internal DNS, NAT & Firewall Issue (I think)

Hi Paul,

Relevant Zone Policy Output Below:

policy exists on zp OUTSIDE_TO_DMZ
     Zone-pair: OUTSIDE_TO_DMZ
          Service-policy inspect : POLICYMAP_ACCESS_TO_DMZ_SERVERS
               Class-map: CLASSMAP_ACCESS_TO_DMZ_SERVERS (match-all)
                    Match: access-group name ACCESS_TO_DNS_SERVERS
                    Inspect
               Class-map: class-default (match-any)
                    Match: any
                    Drop
                         0 packets, 0 bytes

On a further note, we know the Access-List is matching because we can see its match count go up.

So, the plot thickens - thanks guys


Internal DNS, NAT & Firewall Issue (I think)

Hi,

You didn't reply to my request. Are you sure the DNS server has got the correct route to reply?

Can you sniff on the DNS server and use the packet capture feature on the router to capture on both interfaces, and post all these pcap files?

Regards

Alain

Don't forget to rate helpful posts.