DNS translation using NAT and Cisco 3600

nordenst
Need a little help trying to get to the bottom of why my 3600 will not translate or resolve DNS queries for the local subnet. I will post a print of the config file and NAT stats. I have a 3600 with a Token Ring and Ethernet interface. The Ethernet has been set up to receive DHCP from the cable modem service and NAT all inside hosts to the DHCP interface, overloading the dynamically assigned address. I can resolve from the Token Ring interface out, but I cannot resolve from clients on the local network. Maybe I am overlooking something. I have attempted to debug the UDP and NAT traffic, and it seems the DNS server is getting the query but it is not making it back to the host. I have seen reference to a caveat about this problem on the Cisco web site, but I think this release of code should have fixed the problem.

Thanks,

sho run
Building configuration...

Current configuration : 1795 bytes
!
! Last configuration change at 18:13:20 CST Sun Feb 28 1993
!
version 12.2
service config
service timestamps debug datetime msec localtime show-timezone
service timestamps log uptime
!
hostname HomeR1
!
boot system flash c3640-io3-mz.121-2.T.bin
logging buffered 4096 informational
no logging monitor
!
clock timezone CST -6
ip subnet-zero
no ip source-route
!
ip tftp source-interface TokenRing0/0
ip name-server 24.116.0.34
ip name-server 24.116.0.63
ip dhcp excluded-address 10.10.10.1 10.10.10.2
!
ip dhcp pool HOME
   network 10.10.10.0 255.255.255.0
   dns-server 24.116.0.34
   default-router 10.10.10.1
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0/0
 ip address dhcp
 ip nat outside
 no ip mroute-cache
 half-duplex
 no cdp enable

interface TokenRing0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 ring-speed 16
 no cdp enable
!
ip nat inside source list 7 interface Ethernet0/0 overload
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no ip http server
!
!
no logging trap
access-list 7 permit any
!
ntp source Ethernet0/0
ntp master 10
!
end

HomeR1#  sho ip nat stat
Total active translations: 121 (0 static, 121 dynamic; 121 extended)
Outside interfaces:
  Ethernet0/0
Inside interfaces:
  TokenRing0/0
Hits: 305  Misses: 188
Expired translations: 66
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 7 interface Ethernet0/0 refcount 121
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
The problem is not in your config; you have the wrong entries for the nameservers.
Cableone.net has 24.116.0.201 and 24.116.0.202 listed as name servers. Unless you have your own DNS, use these two IPs as your nameservers in your DHCP pool. If that won't work, try using 198.6.1.2 or 198.6.1.3 as name servers.
You can easily try it on a workstation by manually inserting a nameserver address to override the DHCP-provided entry. If it works, you know 100% that is the problem.


I hope you have a firewall or something else behind this router, or you should "harden" it and use the Firewall feature set...

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
Here's another reference guide I was looking for.
http://www.nsa.gov/snac/index.html
Check out the Cisco guide. It's pretty good.

Author

Commented:
Thanks for the links, and the suggestion to harden the router. I had plans to do so after I figured out what was going on with the DNS resolution. I did not want to complicate the process any more. Actually, after reviewing the post I did notice I missed an important piece of information. I can actually resolve names out from the router on either interface. But when I try from a client system it gives me an unknown host error. After checking the NAT translations I notice the client address being translated correctly, but the DNS server is replying back on port 53 and not the port that the router set up during the NAT process. I can ping the outside if I use the IP address but not the DNS name. When I ping, the ICMP entries in the NAT translation table use the same ports all the way across the board. Something is happening with UDP 53 queries, and it appears the server is replying back on a port that the client is not listening on. At least that is how I am reading the information. I tried some static NAT entries but that did not seem to work.
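The cross-check the poster is doing by hand, as an added example that is not from this thread or from Cisco: parse rows in the 'show ip nat translations' column layout plus one-line summaries of reply packets seen on the outside interface, and flag any reply whose destination address:port has no translation entry (such a reply has nothing to map it back to 10.10.10.x). The name-server addresses are the ones from the config above; the inside global address 24.116.1.10, the client 10.10.10.5 and the reply lines are constructed.

```python
"""Cross-check DNS replies against the router's NAT translation table.

Added example, not code from the thread or from Cisco. A reply only gets
back to the inside client if it arrives at the exact inside global port
the router assigned when it translated the outbound query.
"""
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global")

# Constructed 'show ip nat translations' sample. Name servers are the ones
# from the thread's config; 24.116.1.10 (DHCP-assigned outside address) is made up.
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 24.116.1.10:1030   10.10.10.5:1030    24.116.0.34:53     24.116.0.34:53
icmp 24.116.1.10:512   10.10.10.5:512     24.116.0.34:512    24.116.0.34:512
tcp 24.116.1.10:1031   10.10.10.5:1031    198.6.1.2:80       198.6.1.2:80
"""

# Constructed reply summaries as 'proto src dst', as read off a debug or capture.
REPLIES = """\
udp 24.116.0.34:53 24.116.1.10:1030
udp 24.116.0.34:53 24.116.1.10:53
icmp 24.116.0.34:512 24.116.1.10:512
"""


def parse_nat_table(text):
    """Turn the tabular output into Translation rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns and an address:port in column 2.
        if len(parts) == 5 and ":" in parts[1]:
            rows.append(Translation(*parts))
    return rows


def unmatched_replies(nat_text, reply_text):
    """Return reply lines whose (proto, src, dst) matches no translation.

    The server side of a row is outside_global (server address:53) and the
    destination the reply must hit is inside_global (router address:port).
    """
    known = {(t.proto, t.outside_global, t.inside_global)
             for t in parse_nat_table(nat_text)}
    return [line for line in reply_text.splitlines()
            if tuple(line.split()) not in known]
```

A reply listed by unmatched_replies() is one the router has no state for and will discard; a clean run plus a client that still times out points back at the nameserver addresses or the client's resolver configuration instead.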
Commented:
>>After checking the NAT translations I notice the client address being translated correctly but the DNS server is replying back on port 53 and not the port that the router set up during the NAT process.  


How are you seeing this? Typically you would have to perform a packet debug on the router or a capture to see what the return packet looks like. Do the clients have the same name servers configured as the router, or are they different?
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:

How are things going? Did you get the help you need? Can you provide some feedback?
Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
G'day, nordenst
It has been 107 days since you first posed this question, and there has been no activity on the question for 60 days. It appears to have been abandoned, so it's time to clean up this TA. Please take a moment to revisit this question and award your points or post additional commentary as appropriate.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Moderator decision

If you would like to keep this question open for more expert input, this cleanup effort will get it closer to the top of the list where it will get more visibility for the experts.

If there is any objection or other expert commentary to this recommendation, then please post in here within 7 days.
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
PAQ'd and points NOT refunded.

SpideyMod
Community Support Moderator @Experts Exchange
