Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Local DNS with NAT NVI Failing

I'm having an issue with my cisco 1921 router not forwarding DNS requests to our local DNS server. I recently set up NAT NVI and after doing so DNS is no longer being passed between the few VLANS that are in place.

The DNS server for this domain is located at 192.168.1.20 (VLAN1). Client machines are configured to talk to this local DNS via DHCP that are on the 192.168.2.X (VLAN2) subnet. 

Currently all DNS requests are only working for machines that are within the VLAN 1 (192.168.1.X). For a machine that is on a different VLAN all DNS queries are failing.

I believe this is an issue with the current routing table but am not sure. My client machine on VLAN2 (ip 192.168.2.100) can successfully communicate (ping, SSH) with the DNS server, but local DNS queries are not making it across the router. I can configure a machine to use my ISPs DNS (68.105.28.11) and it can access the internet successfully, but any local hostname lookups fail.

I tried running some debug on the router to track down the issue but was getting flooded with NAT NVI translations making it fairly difficult to troubleshoot this. I still trying to get smart on the debug features.

 

My current configuration is as follows:

Current configuration : 2044 bytes
!
! Last configuration change at 03:05:26 UTC Mon Apr 7 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1 
 dns-server 192.168.1.20 68.105.28.11 68.105.29.12 
 domain-name mydomain.com
!
!
!
ip name-server 192.168.1.20
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 11.22.33.215 255.255.255.240
 ip nat enable
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3 native
 ip address 192.168.3.1 255.255.255.0
 ip nat enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload

ip nat source static tcp 192.168.1.20 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.1.4 443 interface GigabitEthernet0/0 443 
ip nat source static tcp 192.168.1.25 80 interface GigabitEthernet0/0 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 11.22.33.209
!
access-list 1 permit 192.168.0.0 0.0.3.255
dialer-list 1 protocol ip permit

 

Any comments or tips in this matter would be greatly appreciated!

2 REPLIES

HellloapplyIp domain -lookup

Helllo

apply

Ip domain -lookup

 

res

Paul

 

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

I enabled ip domain-lookup

I enabled ip domain-lookup and that did not seem to make any difference. I did some further investigation and VLAN1 is acting as a DMZ with the servers residing there. For all other VLANS when you try to hit VLAN 1 it goes through Outside -> Inside port translation. I would like to have inter VLAN communication maintain their private IPs if at all possible.

Using tcpdump on the DNS server (192.168.1.20) I am am seeing ping requests from VLAN 2 be translated to global IP address instead of the private 192.168.2.X. Sample tcpdump output:

ethertype IPv4 (0x0800), length 74: 11.22.33.215 > 192.168.1.20: ICMP echo request, id 1, seq 64, length 40
ethertype IPv4 (0x0800), length 74: 192.168.1.20 > 11.22.33.215: ICMP echo reply, id 1, seq 64, length 40

 

Here is the output from show ip route if this helps with tracking this issue down:

Gateway of last resort is 11.22.33.209 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 11.22.33.209, GigabitEthernet0/0
      11.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        11.22.33.208/28 is directly connected, GigabitEthernet0/0
L        11.22.33.215/32 is directly connected, GigabitEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1.1
L        192.168.1.1/32 is directly connected, GigabitEthernet0/1.1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/1.2
L        192.168.2.1/32 is directly connected, GigabitEthernet0/1.2
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, GigabitEthernet0/1.3
L        192.168.3.1/32 is directly connected, GigabitEthernet0/1.3

238
Views
0
Helpful
2
Replies
CreatePlease login to create content