Cisco 8xx VPN + Firewall

The internal network (192.168.254.x) gets outside via NAT.
I need port forwarding to the internal server (192.168.254.11) for email, etc.
VPN clients come in on IP range 192.168.253.11 to 15

Everything basically works, but the server (192.168.254.11) cannot perform DNS lookups, and I don't understand why. From the server I can reach ports 80, 25, etc. on outside systems, but nslookup against outside servers returns nothing.

The configuration looks like this.



working8

gateway#  sh run
Building configuration...

Current configuration : 9722 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
! NOTE(review): this enable secret hash is reproduced in full in the public paste
! (the username secret below was redacted, this one was not); treat the credential
! as exposed and change it.
enable secret 5 $1$e9g.$lRTPAodO4zz2PFK4/NxKl0
!
username admin privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxx
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef    
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name integrated-lam.com
ip name-server 192.168.254.11
ip ssh time-out 60
ip ssh authentication-retries 2
! CBAC inspection list, applied outbound on FastEthernet4. It inspects tcp, icmp and
! the listed application protocols, but NOT generic udp: an outbound UDP session
! (e.g. a DNS query from 192.168.254.11) opens no dynamic return entry, so its reply
! is evaluated against the static inbound ACL 101 alone.
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 fragment maximum 256 timeout 1
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
! Phase 1 policy: 3DES, pre-shared key, DH group 2 -- legacy parameters by current
! guidance; which stronger options are available depends on the IOS image, which
! cannot be determined from this listing.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
! NOTE(review): the VPN group pre-shared key below appears in clear text in this
! paste; rotate it.
crypto isakmp client configuration group ciscovpn
 key my$ecret$
 dns 192.168.254.11
 wins 192.168.254.11
 domain iss.l
 pool SDM_POOL_1
 acl 103
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!        
interface FastEthernet3
 no ip address
 no cdp enable
!
! Outside (WAN) interface: ACL 101 filters inbound statically; DEFAULT100 inspects
! outbound and opens return entries only for the protocols it lists (no udp).
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 70.1.238.98 255.255.255.224
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.254.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.253.11 192.168.253.15
ip classless
ip route 0.0.0.0 0.0.0.0 70.1.238.97
!        
!
! Plain HTTP management is enabled alongside HTTPS; access-class 2 limits it, but
! ACL 2 permits whole /8 ranges rather than specific administrator hosts.
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
! NAT: ACL 104 excludes the server (192.168.254.11) from the overload pool; ACL 105
! maps it 1:1 to 70.1.238.125 for every destination except the VPN pool. Its outbound
! DNS queries therefore leave sourced from 70.1.238.125, and the replies arrive on
! FastEthernet4 addressed to 70.1.238.125.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.254.11 70.1.238.125 route-map SDM_RMAP_2
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit 208.0.0.0 0.255.255.255
access-list 2 permit 69.0.0.0 0.255.255.255
access-list 2 permit 68.0.0.0 0.255.255.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 70.1.238.96 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.253.11 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.12 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.13 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.14 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.15 192.168.254.0 0.0.0.255
access-list 101 permit udp any host 70.1.238.98 eq non500-isakmp
access-list 101 permit udp any host 70.1.238.98 eq isakmp
access-list 101 permit esp any host 70.1.238.98
access-list 101 permit ahp any host 70.1.238.98
! Management services to the router (telnet, 22, www, 443, rcmd 'cmd') are permitted
! from entire /8 blocks (68/8, 69/8, 208/8) plus 192.168/16 -- far broader than an
! administrator source list; telnet and rcmd also carry credentials in clear text.
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq cmd
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq cmd
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq cmd
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq cmd
! SNMP to the router is open from any source; restrict it to the monitoring hosts.
access-list 101 permit udp any host 70.1.238.98 eq snmp
access-list 101 deny   tcp any host 70.1.238.98 eq telnet
access-list 101 deny   tcp any host 70.1.238.98 eq cmd
! Published services on the server's static NAT address. 3389 (RDP) is reachable
! from any source; consider limiting it to the VPN pool.
access-list 101 permit tcp any host 70.1.238.125 eq 443
access-list 101 permit tcp any host 70.1.238.125 eq www
access-list 101 permit tcp any host 70.1.238.125 eq smtp
access-list 101 permit tcp any host 70.1.238.125 eq 3389
! This entry never matches the server's DNS replies: inbound on FastEthernet4 they are
! addressed to 70.1.238.125 (the pre-NAT 192.168.254.11 is never seen here as a
! source) and are sourced from port 53, not sent to it. With udp absent from
! DEFAULT100 the replies fall through to the final 'deny ip any any'. Adding
! 'ip inspect name DEFAULT100 udp' (admitting only replies to server-initiated
! queries) is preferable to a static permit of udp/53 toward 70.1.238.125.
access-list 101 permit udp host 192.168.254.11 eq domain host 70.1.238.98
access-list 101 deny   ip 192.168.254.0 0.0.0.255 any
access-list 101 permit icmp any host 70.1.238.98 traceroute
access-list 101 permit icmp any host 70.1.238.98 echo
access-list 101 permit icmp any host 70.1.238.98 echo-reply
access-list 101 permit icmp any host 70.1.238.98 time-exceeded
access-list 101 permit icmp any host 70.1.238.98 unreachable
! Anti-spoofing denies (RFC1918, loopback, broadcast, unspecified) and explicit final deny.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 208.0.0.0 0.255.255.255 any
access-list 102 permit ip 68.0.0.0 0.255.255.255 any
! ACL 103: split-tunnel list pushed to VPN clients (only 192.168.254.0/24 is tunnelled).
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.254.0 0.0.0.255 any
! ACL 104: overload NAT match -- VPN-pool destinations and the server itself are exempt.
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.11
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.12
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.13
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.14
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.15
access-list 104 deny   ip host 192.168.254.11 any
access-list 104 permit ip 192.168.254.0 0.0.0.255 any
! ACL 105: static NAT match for the server -- everything except VPN-pool destinations.
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.15
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.14
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.13
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.12
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.11
access-list 105 permit ip host 192.168.254.11 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
! vty still accepts telnet alongside ssh, and access-class 102 applies the same broad
! /8 ranges as ACL 101; ssh-only input would remove clear-text logins.
line vty 0 4
 access-class 102 in
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

gateway#
bbrendonAsked:

stressedout2004Commented:
By default, nslookup sends its queries over UDP rather than TCP. Looking at your configuration, you are using IP inspect and have an inbound access-list on int fe0/4, but the inspect list does not cover UDP, so the DNS replies are not let back in. Add the following IP inspect rule:

ip inspect name DEFAULT100 udp


