NAT and DNS Problem

Hi,

I am using a 2811 router with an internal "inside" interface (172.17.254.5) and an external "outside" interface (172.24.170.39). NAT is working fine for all packets except DNS queries that are made from clients on the inside interface to a DNS server on the outside interface (DNS server 172.16.10.14).

I have run a debug ip nat detailed and can see the packets are dropped, but I don't know why. Have I missed something obvious?

access-list 1 permit 192.168.100.0 0.0.0.255

access-list 1 permit 172.16.4.0 0.0.3.255

ip nat inside source list 1 interface fastethernet0/1 overload

There are no access-lists applied to either interface, and I can ping successfully to the DNS server. Running sh ip nat trans shows me it is translating.

Output from debug ip nat detailed - so far so good for pings.

*Jul  2 09:08:59.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1208]
*Jul  2 09:08:59.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10491]
*Jul  2 09:08:59.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10491]
*Jul  2 09:09:00.921: NAT*: i: icmp (192.168.100.1, 512) -> (10.8.27.71, 512) [1211]
*Jul  2 09:09:00.921: NAT*: s=192.168.100.1->172.24.170.39, d=10.8.27.71 [1211]
*Jul  2 09:09:00.921: NAT*: o: icmp (10.8.27.71, 512) -> (172.24.170.39, 512) [10537]
*Jul  2 09:09:00.921: NAT*: s=10.8.27.71, d=172.24.170.39->192.168.100.1 [10537]

The next part is an internal client IP 192.168.100.1 sending a DNS packet.
Jul  2 10:16:17.427: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 51919 got 51919
Jul  2 10:16:17.431: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul  2 10:16:23.103:  mapping pointer available mapping:0
Jul  2 10:16:23.103: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 54879 got 54879
Jul  2 10:16:23.103: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul  2 10:16:25.395:  mapping pointer available mapping:0
Jul  2 10:16:25.395: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 60291 got 60291

Is it some sort of bug in the IOS or am I missing something out?

2 REPLIES
Re: NAT and DNS Problem

I believe the issue is with your access list. If you have access-list 1 permit 172.16.4.0 0.0.3.255 you are only allowing 172.16.4.0 to 172.16.7.255. I am not sure how your original ping is working. You would need a wildcard mask of 0.15.255.255 for this to work.

Alex


Alex,

Yes, you are right that access list 1 allows that subnet, but access list 1 also contains my other subnet 192.168.100.0 - 192.168.100.255. Clients from both subnets can ping and the ICMP packets are "natted"; it just seems to be DNS requests from either subnet.

172.16.4.0/22 (0.0.3.255)

192.168.100.0/24 (0.0.0.255)

Output from sh ip access list 1

Standard IP access list 1
    10 permit 192.168.100.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit 172.16.4.0, wildcard bits 0.0.3.255 (276 matches)

Thanks,
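As an added illustration (not part of the original thread or any Cisco code), the following Python reproduces the two checks the replies argue about: whether a given source address is matched by access-list 1 under Cisco wildcard-mask semantics, and which flows the `debug ip nat detailed` output reports as dropped. The ACL entries and the sample debug lines are taken from the posts above; the function names are hypothetical.

```python
import ipaddress
import re

# Access-list 1 exactly as shown in the thread (action, network, wildcard).
ACL_1 = [
    ("permit", "192.168.100.0", "0.0.0.255"),
    ("permit", "172.16.4.0", "0.0.3.255"),
]

# Constructed sample: the dropped-packet lines from the original post.
SAMPLE_DEBUG = """\
Jul  2 10:16:17.427: NAT: [0] Allocated Port for 192.168.100.1 -> 172.24.170.39: wanted 51919 got 51919
Jul  2 10:16:17.431: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
Jul  2 10:16:23.103:  mapping pointer available mapping:0
Jul  2 10:16:23.103: NAT: translation failed (B), dropping packet s=192.168.100.1 d=172.16.10.14
"""

FAIL_RE = re.compile(
    r"NAT: translation failed \((\w+)\), dropping packet s=(\S+) d=(\S+)"
)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the
    network, a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(addr: str, acl=ACL_1) -> str:
    """Evaluate a standard ACL top-down; an unmatched address hits the
    implicit deny at the end of every Cisco ACL."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def failed_translations(debug_output: str):
    """Pull every 'translation failed' line out of debug ip nat output and
    pair it with the ACL verdict for the inside source address, since
    'ip nat inside source list 1' matches on the source, not the target."""
    drops = []
    for line in debug_output.splitlines():
        m = FAIL_RE.search(line)
        if m:
            reason, src, dst = m.groups()
            drops.append((reason, src, dst, acl_action(src)))
    return drops
```

Running `failed_translations(SAMPLE_DEBUG)` shows both drops come from 192.168.100.1, which access-list 1 does permit, so the source-address match alone does not explain them; the 0.15.255.255 wildcard from the reply would widen entry 20 to cover the whole 172.16.0.0/12 range.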
