
Dns configuration on Cisco 2600 router

We have 1 remote office tied to the HQ with a T1. We recently installed Comcast cable to provide an independent internet connection to the remote site; all internet traffic is going to a proxy server and out to the internet through Comcast. Both locations have a Cisco 2600 router. Please see the configuration below and let me know how I can configure the router at the remote site for DNS to get in and out through the Comcast link. Right now it works through the T1; if the T1 goes down, users at the remote site will not have access to the internet.
ip subnet-zero 
no ip source-route 
ip cef 
! 
! 
no ip domain-lookup 
no ip dhcp conflict logging 
 
! 
! local remote LAN
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0 
 ip nat inside 
 no ip mroute-cache 
 ip policy route-map RM-RemoteExchange 
 no keepalive 
 speed 100 
 full-duplex 
! 
interface Serial0/0 
 description Point-to-Point  
 bandwidth 1544 
 ip address 192.168.x.y 255.255.255.252 
! 
! to Comcast
interface FastEthernet0/1
 description internet connection 
 ip address 173.161.x1.y1 255.255.255.252 
 ip nat outside 
 no ip mroute-cache 
 no keepalive 
 speed 100 
 full-duplex 
! 
interface Serial0/1 
 no ip address 
 shutdown 
! 
router eigrp 10 
 network 192.168.20.0 
 network 192.168.30.0 
 network 192.168.x.0 
 auto-summary 
 no eigrp log-neighbor-changes 
! 
ip nat inside source list ToNAT interface FastEthernet0/1 overload 
ip nat inside source static tcp 192.168.2.40 444 interface FastEthernet0/1 444 
ip nat inside source static tcp 192.168.2.40 3101 interface FastEthernet0/1 3101 
ip classless 
ip route 0.0.0.0 0.0.0.0 173.161.x2.y2 
ip route 192.168.0.0 255.255.0.0 Serial0/0 
no ip http server 
ip pim bidir-enable 
! 
! 
ip access-list extended ToNAT 
 permit ip host 192.168.20.18 any 
 permit ip host 192.168.2.40 any 
access-list 111 permit ip host 192.168.2.40 any 
access-list 199 permit icmp any any echo 
access-list 199 permit icmp any any echo-reply 
priority-list 1 protocol ip normal tcp 1494 
priority-list 1 default high 
dialer-list 1 protocol ip permit 
route-map RM-RemoteExchange permit 10 
 match ip address 111 
 set interface Serial0/0 
! 
route-map naci-worm permit 10 
 match ip address 199 
 match length 92 92 
 set interface Null0 
! 
snmp-server community public RO 
! 
 
no scheduler allocate 
end


Asked by: Shando1971
 
Hodepine commented:
I'd configure your clients with a secondary DNS server located on the internet, that way your primary DNS server can provide name resolution for internal hosts, while a server on the internet will still be reachable if the T1 link goes down. If your service provider can't provide you with a DNS server to use, you can use the servers provided by OpenDNS.org.

No router configuration should be necessary; you do have your default gateway to the internet (where you'd want to find your "outside/internet" DNS server) via the Comcast link, and specific routes to your main office where the internal DNS server is located (most likely).
0
 
602650528 commented:
This router config has no DNS configuration on it. It is most likely that the DNS configuration on your computers is configured with an IP address located at the HQ. Either you change the DNS entry (secondary, as Hodepine suggested) on each computer manually if the DNS entries are statically configured, or change it on the DHCP server if it is dynamically allocated.
You can use the following DNS servers: 4.2.2.2, 198.6.1.1 or 198.6.1.2.
0
 
Shando1971 (author) commented:
Thank you for the response. I'm aware that changing the DNS manually or via DHCP will make it work, but I would like to do it on the router; it is going to be very hard to do it statically, as we don't have a DHCP server.
0
 
Hodepine commented:
So what you're saying is you want to reach the DNS-server on the main office when the T1 link is down, since it's the server configured on the clients, and you don't want to change the clients?

Then your only option is having a tunnel through the internet as a backup connection to your main office. A GRE-tunnel should be doable regardless of your IOS image, while an IPSec-tunnel would give you better security, but requires a more advanced IOS image.

And you DO have a DHCP-server, you have the router. You could just set it up as a DHCP server, and have the clients changed to DHCP clients one by one, whenever there's an opportunity to do so.
0
 
602650528 commented:
So you need to set up your router as a DHCP server; see below for the config.

service dhcp
! Specify addresses not to assign to DHCP clients (global command)
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool remote
! Specify network number and mask for DHCP clients
 network 192.168.20.0 255.255.255.0
! Specifies the domain name for the client
 domain-name shando.com
! Specifies DNS servers to be used by DHCP clients for domain name resolution
! You can specify the DNS server at HQ here first
 dns-server 10.0.0.2 4.2.2.2 198.6.1.1
! Specifies the default gateway (the pool keyword in IOS is default-router)
 default-router 192.168.20.1

0
 
Shando1971 (author) commented:
No, I have a local domain controller at the remote site, and it is the DNS server at the same time. I just want to enable this domain controller to get out to the internet through the Comcast connection.
0
 
Hodepine commented:
It will, if it has a default gateway to the router you've shown the config for. That router has a default gateway through the Comcast connection. If it still won't work, I suggest you look at the forward lookup zones configured on the remote DNS. If it's set to use your local dns it won't do you any good when the T1 is down.
0
 
Shando1971 (author) commented:
If you inspect the router config, you will see that only certain traffic is allowed out through the Comcast connection (DNS traffic is not one of them), and the rest is to go through the serial interface. Can you provide me with the configuration to open the DNS ports on the router to allow the DNS server at the remote site to go through the Comcast interface?

The forward lookup zone is set up correctly and has the DNS servers as the name servers, while the forwarders point to the public DNS. As far as I know I don't need to put public DNS on the clients through DHCP, or manually, if these DNS servers have inbound/outbound access permissions for DNS traffic through the firewall and the router. In our environment we control the outbound as well as the inbound traffic... thank you for your help...
0
 
Hodepine commented:
Oh, right, would you look at that. Your outbound NAT is limited to just two hosts. So, the traffic is actually allowed through, but it will be dropped by Comcast as the source IP will be a private address.

To add another host to your permitted list do this:

enable
conf t
(config)# ip access-list extended ToNAT
(config-ext-nacl)# permit ip host 192.168.20.x any
0
 
Shando1971 (author) commented:
It is not working. Do I need to add to the command you gave me along with the
"ip nat inside source static tcp 192.168.20.x 57 interface FastEthernet0/1 57"
"ip nat inside source static udp 192.168.20.x 57 interface FastEthernet0/1 57"?
0
 
Hodepine commented:
No, it should work as described. No static configuration should be needed; outbound NAT is covered by the "ip nat inside source list ToNAT interface FastEthernet0/1 overload".

Can you do a show access-list?

And a debug ip nat (remember to use term mon if you're using telnet/ssh), and show ip nat translation will show what's going on with the NAT.
0
 
Shando1971 (author) commented:
Actually, it worked fine with the command you gave me, I was typing ToNat as TONAT.
Thank you very much for your help...
0
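To make the root cause of this thread concrete, here is an added Python example (not part of the thread and not a Cisco tool) that models how the "ip nat inside source list ToNAT ... overload" rule consults its named ACL. It parses the NAT and ACL lines of the router config posted in the question (embedded as a constructed excerpt), reports whether a given inside host would be translated, and shows the effect of Hodepine's fix, including why typing the ACL name as TONAT did nothing: IOS ACL names are case-sensitive, so that command created a second ACL that the NAT rule never references. The address 192.168.20.5 is a constructed stand-in for the 192.168.20.x in the thread.

```python
"""Model of how a Cisco IOS overload NAT rule consults its named ACL.

Added example for this thread, not a Cisco tool. It parses only the source
forms used in the thread's config ('permit|deny ip host X any' and
'permit|deny ip any any'); any other ACL entry is ignored.
"""
import ipaddress
import re

# Constructed excerpt of the NAT- and ACL-related lines from the config
# posted in the question; nothing else is needed for this check.
CONFIG = """\
ip nat inside source list ToNAT interface FastEthernet0/1 overload
ip access-list extended ToNAT
 permit ip host 192.168.20.18 any
 permit ip host 192.168.2.40 any
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
ACL_ENTRY = re.compile(r"^\s+(permit|deny)\s+ip\s+(?:host\s+(\S+)|any)\s+any\s*$")
NAT_RULE = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload", re.M)


def parse_named_acls(config):
    """Return {name: [(action, source_network), ...]} for every extended named ACL.

    Names are kept exactly as written: IOS treats 'ToNAT' and 'TONAT' as two
    different lists. Re-entering an existing name appends to it, as IOS does.
    """
    acls = {}
    current = None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls.setdefault(current, [])
            continue
        if not line.startswith(" "):
            current = None  # any other global command ends the ACL block
            continue
        entry = ACL_ENTRY.match(line)
        if current is not None and entry:
            action, host = entry.group(1), entry.group(2)
            source = ipaddress.ip_network(host + "/32" if host else "0.0.0.0/0")
            acls[current].append((action, source))
    return acls


def nat_acl_name(config):
    """Name of the ACL referenced by the 'ip nat inside source list ... overload' rule."""
    m = NAT_RULE.search(config)
    return m.group(1) if m else None


def is_translated(config, src_ip):
    """True if traffic from src_ip is eligible for the overload (PAT) translation.

    The ACL is evaluated top-down, first match wins, and every IOS ACL ends with
    an implicit deny, so a missing or empty ACL translates nothing.
    """
    addr = ipaddress.ip_address(src_ip)
    for action, source in parse_named_acls(config).get(nat_acl_name(config), []):
        if addr in source:
            return action == "permit"
    return False


def add_permit_host(config, acl_name, host):
    """Append the two commands from the thread to the config text.

    This mirrors what the running-config will contain: the same name extends
    the existing ACL, a differently-cased name creates a new, unreferenced one.
    """
    return config + f"ip access-list extended {acl_name}\n permit ip host {host} any\n"


if __name__ == "__main__":
    dns_server = "192.168.20.5"  # constructed stand-in for the thread's 192.168.20.x
    print("original config:", is_translated(CONFIG, dns_server))
    typo = add_permit_host(CONFIG, "TONAT", dns_server)
    print("added to TONAT:", is_translated(typo, dns_server), sorted(parse_named_acls(typo)))
    fixed = add_permit_host(CONFIG, "ToNAT", dns_server)
    print("added to ToNAT:", is_translated(fixed, dns_server))
```

Running it shows the host is not translated by the original config, is still not translated after the entry lands in a new TONAT list, and is translated once the entry is added to ToNAT. On the real router the same mismatch shows up in the output of show access-lists, which Hodepine asked for: two lists with similar names, only one of them referenced by the NAT rule.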