Dns configuration on Cisco 2600 router

We have one remote office tied to HQ with a T1. We recently installed Comcast cable to provide an independent internet connection to the remote site; all internet traffic goes to a proxy server and out to the internet through Comcast. Both locations have a Cisco 2600 router. Please see the configuration below and let me know how I can configure the router at the remote site so that DNS gets in and out through the Comcast link. Right now it works through the T1; if the T1 goes down, users at the remote site will not have access to the internet.
ip subnet-zero 
no ip source-route 
ip cef 
! 
! 
no ip domain-lookup 
no ip dhcp conflict logging 
 
! 
! local remote LAN
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0 
 ip nat inside 
 no ip mroute-cache 
 ip policy route-map RM-RemoteExchange 
 no keepalive 
 speed 100 
 full-duplex 
! 
interface Serial0/0 
 description Point-to-Point  
 bandwidth 1544 
 ip address 192.168.x.y 255.255.255.252 
! 
! to Comcast
interface FastEthernet0/1
 description internet connection 
 ip address 173.161.x1.y1 255.255.255.252 
 ip nat outside 
 no ip mroute-cache 
 no keepalive 
 speed 100 
 full-duplex 
! 
interface Serial0/1 
 no ip address 
 shutdown 
! 
router eigrp 10 
 network 192.168.20.0 
 network 192.168.30.0 
 network 192.168.x.0 
 auto-summary 
 no eigrp log-neighbor-changes 
! 
ip nat inside source list ToNAT interface FastEthernet0/1 overload 
ip nat inside source static tcp 192.168.2.40 444 interface FastEthernet0/1 444 
ip nat inside source static tcp 192.168.2.40 3101 interface FastEthernet0/1 3101 
ip classless 
ip route 0.0.0.0 0.0.0.0 173.161.x2.y2 
ip route 192.168.0.0 255.255.0.0 Serial0/0 
no ip http server 
ip pim bidir-enable 
! 
! 
ip access-list extended ToNAT 
 permit ip host 192.168.20.18 any 
 permit ip host 192.168.2.40 any 
access-list 111 permit ip host 192.168.2.40 any 
access-list 199 permit icmp any any echo 
access-list 199 permit icmp any any echo-reply 
priority-list 1 protocol ip normal tcp 1494 
priority-list 1 default high 
dialer-list 1 protocol ip permit 
route-map RM-RemoteExchange permit 10 
 match ip address 111 
 set interface Serial0/0 
! 
route-map naci-worm permit 10 
 match ip address 199 
 match length 92 92 
 set interface Null0 
! 
snmp-server community public RO 
! 
 
no scheduler allocate 
end


Shando1971Asked:

HodepineCommented:
I'd configure your clients with a secondary DNS server located on the internet, that way your primary DNS server can provide name resolution for internal hosts, while a server on the internet will still be reachable if the T1 link goes down. If your service provider can't provide you with a DNS server to use, you can use the servers provided by OpenDNS.org.

No router configuration should be necessary; you do have your default gateway to the internet (where you'd want to find your "outside/internet" DNS server) via the Comcast link, and specific routes to your main office where the internal DNS server is located (most likely).
0
602650528Commented:
This router config has no DNS configuration on it. It is most likely that the DNS configuration on your computers is set to an IP address located at HQ. Either change the DNS entry (secondary, as Hodepine suggested) on each computer manually if the DNS entries are statically configured, or change it on the DHCP server if it is dynamically allocated.
You can use the following DNS servers: 4.2.2.2, 198.6.1.1 or 198.6.1.2.
0
Shando1971Author Commented:
Thank you for the response. I'm aware that changing the DNS manually or via DHCP will make it work, but I would like to do it on the router; it is going to be very hard to do it statically, as we don't have a DHCP server.
0
HodepineCommented:
So what you're saying is you want to reach the DNS-server on the main office when the T1 link is down, since it's the server configured on the clients, and you don't want to change the clients?

Then your only option is having a tunnel through the internet as a backup connection to your main office. A GRE-tunnel should be doable regardless of your IOS image, while an IPSec-tunnel would give you better security, but requires a more advanced IOS image.

And you DO have a DHCP-server, you have the router. You could just set it up as a DHCP server, and have the clients changed to DHCP clients one by one, whenever there's an opportunity to do so.
0
602650528Commented:
So you need to set up your router as a DHCP server; see below for the config.

service dhcp
! Specify addresses not to assign to DHCP clients
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool remote
! Specify network number and mask for DHCP clients
 network 192.168.20.0 255.255.255.0
! Specifies the domain name for the client
 domain-name shando.com
! Specifies DNS servers to be used by DHCP clients for name resolution
! You can specify the DNS server at HQ here first
 dns-server 10.0.0.2 4.2.2.2 198.6.1.1
! Specifies the default gateway (inside a DHCP pool the keyword is default-router)
 default-router 192.168.20.1


0
Shando1971Author Commented:
No, I have a local domain controller on the remote site, and it is the DNS server at the same time. I just want to enable this domain controller to get out to the internet through the Comcast connection.
0
HodepineCommented:
It will, if it has a default gateway to the router you've shown the config for. That router has a default gateway through the Comcast connection. If it still won't work, I suggest you look at the forward lookup zones configured on the remote DNS. If it's set to use your local dns it won't do you any good when the T1 is down.
0
Shando1971Author Commented:
If you inspect the router config, you will see that only certain traffic is allowed out through the Comcast connection (DNS traffic is not one of them), and the rest is to go through the serial interface. Can you provide me with the configuration to open the DNS ports on the router to allow the DNS server at the remote site to go through the Comcast interface?

The forward lookup zone is set up correctly and has the DNS servers as the name servers, while the forwarders point to the public DNS. As far as I know I don't need to put public DNS on the clients through DHCP, or manually, if these DNS servers have inbound/outbound access permissions for DNS traffic through the firewall and the router. In our environment we control the outbound as well as the inbound traffic... thank you for your help...
0
HodepineCommented:
Oh, right, would you look at that. Your outbound NAT is limited to just two hosts. So, the traffic is actually allowed through, but it will be dropped by Comcast as the source IP will be a private address.

To add another host to your permitted list do this:

enable
conf t
(config)# ip access-list extended ToNAT
(config-ext-nacl)# permit ip host 192.168.20.x any
0
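The NAT and policy-routing behaviour Hodepine describes, as an added Python check that is not part of the thread: it parses the relevant lines of the posted config, reports where a given LAN host's traffic leaves the router and whether its source address is translated, and applies the same ACL fix. The config excerpt is constructed from the post; the host 192.168.20.5 is an assumed example.

```python
import ipaddress
import re
# Constructed excerpt of the thread's router config: just the NAT and policy-routing lines.
SAMPLE_CONFIG = """\
ip nat inside source list ToNAT interface FastEthernet0/1 overload
ip access-list extended ToNAT
 permit ip host 192.168.20.18 any
 permit ip host 192.168.2.40 any
access-list 111 permit ip host 192.168.2.40 any
route-map RM-RemoteExchange permit 10
 match ip address 111
 set interface Serial0/0
"""

def _src_net(spec):
    """'host A' -> A/32; 'A WILDCARD' -> network (ipaddress accepts a wildcard/host mask)."""
    parts = spec.split()
    return ipaddress.ip_network(parts[1] + "/32" if parts[0] == "host" else "/".join(parts), strict=False)

def parse_acls(config):
    """Map ACL name or number -> permitted source networks ('permit ip <src> any' entries only)."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := re.match(r"access-list (\d+) permit ip (host \S+|\S+ \S+) any", line):
            acls.setdefault(m.group(1), []).append(_src_net(m.group(2)))
        elif (m := re.match(r"\s+permit ip (host \S+|\S+ \S+) any", line)) and current:
            acls[current].append(_src_net(m.group(1)))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the named ACL section
    return acls

def classify(config, src_ip):
    """How a packet from src_ip leaves the router; policy routing is consulted before the routing table."""
    ip, acls = ipaddress.ip_address(src_ip), parse_acls(config)
    hit = lambda name: any(ip in net for net in acls.get(name, []))
    pbr = re.search(r"route-map \S+ permit \d+\n match ip address (\S+)\n set interface (\S+)", config)
    if pbr and hit(pbr.group(1)):
        return f"policy-routed via {pbr.group(2)}"
    nat = re.search(r"ip nat inside source list (\S+) interface (\S+) overload", config)
    if nat and hit(nat.group(1)):
        return f"NAT overload out {nat.group(2)}"
    return "default route, source NOT translated (private address, ISP drops it)"

def add_nat_host(config, acl_name, host_ip):
    """Add 'permit ip host X any' to the named extended ACL, the fix suggested in the thread."""
    return re.sub(rf"(ip access-list extended {acl_name}\n)", rf"\1 permit ip host {host_ip} any\n", config, count=1)
```

Running classify on the DNS server's address before and after add_nat_host shows why the DNS traffic was leaving Fa0/1 with an untranslated private source until the host was added to ToNAT.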
Shando1971Author Commented:
It is not working; do I need to add to the command you gave me along with the
"ip nat inside source static tcp 192.168.20.x 57 interface FastEthernet0/1 57"
"ip nat inside source static udp 192.168.20.x 57 interface FastEthernet0/1 57"?
0
HodepineCommented:
No, it should work as described. No static configuration should be needed; outbound NAT is covered by the "ip nat inside source list ToNAT interface FastEthernet0/1 overload" line.

Can you do a show access-list?

And a debug ip nat (remember to use term mon if you're using telnet/ssh) and show ip nat translation will show what's going on with the NAT.
0
Shando1971Author Commented:
Actually, it worked fine with the command you gave me; I was typing ToNAT as TONAT.
Thank you very much for your help...
0