Why does Cisco Router need "ip name-server"?

Hello Experts,

This may be a dumb question, but why does my Cisco router need an "ip name-server" entry when I have static routes configured and my W2K3 as my DNS server? Is it because of Dynamic NAT or something? Essentially I am wondering what this command does and how it is used?

katredrumAsked:

GJHopkinsCommented:
It allows the router to do DNS lookups. It's normally only used for traffic from the router.

Try the following on the router

ping www.cisco.com

conf t
no ip name-server xxxxx
end

ping www.cisco.com

That should show the difference.


JeffSchaperCommented:
Also, it allows you to type the DNS name as opposed to the IP address. It is not a routing thing.
MistralolCommented:

It doesn't need it as such, but all commands that expect a host / IP will only work with an IP address, as it won't be able to translate any hostnames into IP addresses.

Though the additional thing that may also happen is the ip name-server can be configured automatically by the router if you are using PPP or a DHCP client on any interfaces. It really depends on how it is configured.

katredrumAuthor Commented:
GJHopkins, when I do a ping www.cisco.com, the router gives me an error:

Translating "www.cisco.com"
% Unrecognized host or address, or protocol not running.

What does this mean?
GJHopkinsCommented:
Check the config; you probably have the line

no ip domain-lookup

which stops the domain name being resolved using the defined name server.

If the name isn't translated to an IP address you will get this message.

So it would appear you have name servers defined but are also telling the router not to use them. This could explain why the setup seems a bit confusing.
katredrumAuthor Commented:
I did have that line in the config. I did the command:

ip domain-lookup

and now it at least tries to translate www.cisco.com with the configured DNS servers (both external and internal), without any luck.

Translating "www.cisco.com"...domain server (4.2.2.2) (64.65.64.1)(internal dns server)
% Unrecognized host or address, or protocol not running.
GJHopkinsCommented:
Looks like DNS isn't getting a correct response. I did a quick test:

router(config)#ip name-server 4.2.2.2
routerr(config)#end
routerr#ping www.cisco.com
Translating "www.cisco.com"...domain server (212.159.13.49) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 88.221.176.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/50/64 ms          

Looks OK, so there must be something else in your config. Can you post the parts that relate to name servers, routing, NAT etc.?

katredrumAuthor Commented:
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
aaa authorization network sdm_vpn_group_ml_10 local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp smart-relay
ip dhcp relay information option
!
!
no ip bootp server
ip name-server 4.2.2.2
ip name-server 64.65.64.1
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 http
ip inspect name sdm_ins_out_100 https
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW https
!
!
!
!
!
class-map match-any VOICE
 match  dscp ef
!
!
policy-map QOS
 class VOICE
  priority 512

!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_3 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_9
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_9
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_10
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_10
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_3
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 114 out
 ip helper-address 192.168.37.4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 crypto map SDM_CMAP_3
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.5.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 description WAN Interface$FW_OUTSIDE$
 ip address (public_ip) 255.255.255.252
 ip access-group 113 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_out_100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
!
interface Serial1/0
 description P2P to Branch Office
 ip address 192.168.7.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output QOS
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip local pool SDM_POOL_4 192.168.37.1 192.168.37.254
ip local pool SDM_POOL_2 192.168.3.1
ip route 0.0.0.0 0.0.0.0 (public_ip) permanent
ip route 192.168.4.0 255.255.255.0 192.168.7.2 permanent
ip route 192.168.37.0 255.255.255.0 192.168.7.2 permanent
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat create flow-entries
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Network(s) to be NATed
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 2 remark HTTP(S) Access to SDM
access-list 10 remark Permit Java
access-list 10 remark SDM_ACL Category=1
access-list 10 permit any
access-list 100 remark VTY Access
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 192.168.37.4 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.37.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark SDM_ACL Category=4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.9
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.2.0 0.0.0.255 host 192.168.1.61
access-list 103 deny   ip any host 192.168.2.1
access-list 103 deny   ip any host 192.168.2.2
access-list 103 deny   ip any host 192.168.2.3
access-list 103 deny   ip any host 192.168.2.4
access-list 103 deny   ip any host 192.168.2.5
access-list 103 deny   ip any host 192.168.2.6
access-list 103 deny   ip any host 192.168.2.7
access-list 103 deny   ip any host 192.168.2.8
access-list 103 deny   ip any host 192.168.2.9
access-list 103 permit ip any host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 103 deny   ip host 192.168.1.1 any
access-list 103 deny   ip any 192.168.37.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.37.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 105 remark Test DNS ACL
access-list 105 permit udp any any eq domain
access-list 105 permit udp any eq domain any
access-list 106 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 106 permit ahp any host 192.168.1.1
access-list 106 permit esp any host 192.168.1.1
access-list 106 permit udp any host 192.168.1.1 eq isakmp
access-list 106 permit udp any host 192.168.1.1 eq non500-isakmp
access-list 106 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 106 deny   ip (public_ip) 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.10
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.9
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.8
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.7
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.6
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.5
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.4
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.3
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.2
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.1
access-list 111 permit ip host 192.168.1.60 any
access-list 111 remark SDM_ACL Category=2
access-list 113 remark WAN Interface Inbound
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp host 165.248.35.72 any
access-list 113 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 113 permit ahp any host (public_ip)
access-list 113 permit esp any host (public_ip)
access-list 113 permit udp any host (public_ip) eq isakmp
access-list 113 permit udp any host (public_ip) eq non500-isakmp
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 113 deny   ip 192.168.1.0 0.0.0.255 any
access-list 113 permit icmp any host (public_ip) echo-reply
access-list 113 permit icmp any host (public_ip) time-exceeded
access-list 113 permit icmp any host (public_ip) unreachable
access-list 113 permit ahp any host (public_ip) log
access-list 113 permit tcp any host (public_ip) eq 22
access-list 113 permit tcp any host (public_ip) eq cmd
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip host 0.0.0.0 any
access-list 113 permit esp any host (public_ip) log
access-list 113 permit udp any host (public_ip) eq non500-isakmp log
access-list 113 permit udp any host (public_ip) eq isakmp log
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255 log
access-list 113 permit tcp any host (public_ip) eq 443
access-list 113 permit tcp any host (public_ip) eq smtp
access-list 113 permit tcp any host (public_ip) eq www
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 114 remark LAN Interface Outbound
access-list 114 remark SDM_ACL Category=17
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=1
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address 110
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
route-map SDM_RMAP_3 permit 1
 match ip address 109
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255 log
access-list 113 permit tcp any host (public_ip) eq 443
access-list 113 permit tcp any host (public_ip) eq smtp
access-list 113 permit tcp any host (public_ip) eq www
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 114 remark LAN Interface Outbound
access-list 114 remark SDM_ACL Category=17
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=1
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address 110
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
route-map SDM_RMAP_3 permit 1
 match ip address 109
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
0
GJHopkinsCommented:
Did some further tests, and 4.2.2.2 and 64.65.64.1 are not resolving names to IPs. Where did you get these as DNS servers?

Suggest you try with Opendns

ip name-server 208.67.222.222
ip name-server 208.67.220.220


0
katredrumAuthor Commented:
I changed the dns servers as you suggested but still receiving this error:

Translating "www.cisco.com"...domain server (208.67.222.222) (208.67.220.220)
% Unrecognized host or address, or protocol not running.

I created a test ACL and it seems to be logging it although I did not apply it to an interface. Which interface would I apply this to, to allow dns queries in and out of my router?

access-list 105 permit udp any any eq domain
access-list 105 permit udp any eq domain any
0
MistralolCommented:

Looks like Serial0/0 is the public interface, so you would need to add it to the top of access-list 113.
Just wondering if you have a local DNS server on a Windows domain controller or anything that would also be able to handle the requests.

0
katredrumAuthor Commented:
Mistralol, yes, I do have a local DNS server on Windows 2003 that handles the requests. I actually added it using ip name-server on the router, but that didn't work either.

From your response, what would I have to add to the top of ACL 113?
0
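The question of what to put at the top of ACL 113, worked through as an added example that is not code from the thread: a small Python evaluator that parses a representative subset of the ACL 113 lines from the posted config and walks them first-match, the way IOS does, then answers two questions a reviewer of that config would ask: does a reply from the OpenDNS resolvers set earlier in the thread ever get back in, and which TCP ports on the WAN address are reachable from the whole Internet? The address 203.0.113.1 is an assumed stand-in for the masked "(public_ip)", the ephemeral source port is made up, and the two fix lines are my suggestion, not something the poster configured.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the post masks the WAN address as "(public_ip)"; a documentation
# address stands in for it here.
PUBLIC_IP = "203.0.113.1"

# Representative subset of the posted ACL 113, in the original order (first match wins).
ACL_113 = f"""
access-list 113 permit tcp host 165.248.35.72 any
access-list 113 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 113 permit ahp any host {PUBLIC_IP}
access-list 113 permit esp any host {PUBLIC_IP}
access-list 113 permit udp any host {PUBLIC_IP} eq isakmp
access-list 113 permit udp any host {PUBLIC_IP} eq non500-isakmp
access-list 113 deny   ip 192.168.1.0 0.0.0.255 any
access-list 113 permit icmp any host {PUBLIC_IP} echo-reply
access-list 113 permit tcp any host {PUBLIC_IP} eq 22
access-list 113 permit tcp any host {PUBLIC_IP} eq cmd
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 permit tcp any host {PUBLIC_IP} eq 443
access-list 113 permit tcp any host {PUBLIC_IP} eq smtp
access-list 113 permit tcp any host {PUBLIC_IP} eq www
access-list 113 deny   ip any any log
"""

# IOS port keywords used in the posted list ("cmd" is rsh, TCP 514)
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "cmd": 514,
              "isakmp": 500, "non500-isakmp": 4500}

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

def _addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a netmask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks[i + 1])))
    return ipaddress.IPv4Network((toks[i], str(netmask)), strict=False), i + 2

def _port(toks, i):
    """Optional 'eq <keyword|number>' following an address."""
    if i < len(toks) and toks[i] == "eq":
        return PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[2] == "remark":
            continue
        action, proto = toks[2], toks[3]
        src, i = _addr(toks, 4)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        # Trailing tokens ("log", ICMP type names) do not affect matching here
        rules.append(Rule(action, proto, src, sport, dst, dport, line.strip()))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First-match walk of the list; a numbered ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny"

def dns_reply_verdict(rules, resolver="208.67.222.222"):
    """Does the answer to the router's own query (resolver:53 -> WAN:ephemeral) get in?"""
    return evaluate(rules, "udp", resolver, 53, PUBLIC_IP, 49152)  # 49152 is an assumed ephemeral port

def internet_exposed_tcp_ports(rules):
    """TCP ports on the WAN address that any Internet source is permitted to reach."""
    me = ipaddress.ip_address(PUBLIC_IP)
    return sorted(r.dport for r in rules
                  if r.action == "permit" and r.proto == "tcp"
                  and r.src.prefixlen == 0 and me in r.dst and r.dport is not None)

# Suggested entries (an assumption, not from the thread): replies from the two resolvers only
DNS_FIX = (f"access-list 113 permit udp host 208.67.222.222 eq domain host {PUBLIC_IP}\n"
           f"access-list 113 permit udp host 208.67.220.220 eq domain host {PUBLIC_IP}")

def with_dns_fix(rules):
    """Place the resolver entries ahead of 'deny ip any any log' so they are reached."""
    return parse_acl(DNS_FIX) + rules

if __name__ == "__main__":
    rules = parse_acl(ACL_113)
    print("DNS reply before fix:", dns_reply_verdict(rules))
    print("DNS reply after fix: ", dns_reply_verdict(with_dns_fix(rules)))
    print("TCP ports open to the Internet:", internet_exposed_tcp_ports(rules))
```

Two caveats for applying this on the box. Entries typed into a numbered ACL are appended, so `access-list 113 permit udp ...` at the CLI lands after `deny ip any any log` and is never reached; either re-enter the list in order or, on IOS releases that support ACL sequence numbers, enter `ip access-list extended 113` and give the new entry a sequence number ahead of the final deny. And by default the outbound `ip inspect` on Serial0/0 only opens return holes for traffic passing through the router, not for queries the router itself sends, which is why the router's own lookups need an explicit permit even though hosts behind it resolve fine. The exposed-ports check is the other thing to take from this list: `eq cmd` is rsh on TCP 514, open to any source alongside 22, 25, 80 and 443.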
katredrumAuthor Commented:
Would this command block dns from going out to the internet?

ip inspect name sdm_ins_in_100 dns

0
GJHopkinsCommented:
On serial 0/0 you have

ip inspect sdm_ins_in_100 in
ip inspect sdm_ins_out_100 out

The inspect function for the firewall is normally used outbound to establish traffic sessions and to allow return traffic which matches the established session. I'd suggest testing with

no ip inspect sdm_ins_in_100 in

This will at least establish if the return traffic is being blocked by this. If it's being blocked by access list 113 you should see that in the logs anyway.

You can check the status of the firewall with

show ip inspect <option>


0
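GJHopkins's point that a drop by access-list 113 shows up in the logs (the list ends in `deny ip any any log`), as an added example that is not from the thread: a parser for the `%SEC-6-IPACCESSLOGP` lines IOS emits for logged TCP/UDP entries, run over constructed sample lines to pick out resolver replies being denied. The timestamps, source addresses and packet counts are made up, 203.0.113.1 stands in for the masked WAN address, and the resolver list is the OpenDNS pair set earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample in the %SEC-6-IPACCESSLOGP format (ICMP entries use
# %SEC-6-IPACCESSLOGDP and are deliberately not matched by the parser below).
SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGP: list 113 denied udp 208.67.222.222(53) -> 203.0.113.1(52137), 1 packet
*Mar  1 00:12:03.456: %SEC-6-IPACCESSLOGP: list 113 denied udp 208.67.220.220(53) -> 203.0.113.1(52138), 1 packet
*Mar  1 00:12:05.789: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 198.51.100.7(40112) -> 203.0.113.1(22), 1 packet
*Mar  1 00:12:09.000: %SEC-6-IPACCESSLOGP: list 113 denied tcp 198.51.100.9(51000) -> 203.0.113.1(514), 3 packets
*Mar  1 00:12:11.222: %SEC-6-IPACCESSLOGDP: list 113 denied icmp 198.51.100.9 -> 203.0.113.1 (8/0), 1 packet
"""

RESOLVERS = {"208.67.222.222", "208.67.220.220"}

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_acl_log(text):
    """Turn each TCP/UDP ACL log line into a dict; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        events.append(e)
    return events

def blocked_dns_replies(events, resolvers=RESOLVERS):
    """Denied UDP packets sourced from a configured resolver on port 53: these are
    the answers to the router's own queries being dropped by the WAN inbound list."""
    return [e for e in events
            if e["action"] == "denied" and e["proto"] == "udp"
            and e["sport"] == 53 and e["src"] in resolvers]

def denied_packets_by_source(events):
    """Packet counts of denied traffic per source, for spotting noisy scanners."""
    counts = Counter()
    for e in events:
        if e["action"] == "denied":
            counts[e["src"]] += e["count"]
    return counts

if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    for e in blocked_dns_replies(evs):
        print(f"list {e['acl']} dropped a DNS reply from {e['src']} to {e['dst']}:{e['dport']}")
    print(denied_packets_by_source(evs))
```

Seeing the resolver's source port 53 on the denied line is the quick confirmation that the query left the router and the answer is what the list is eating; if nothing for the resolver appears at all, the query never went out and the problem is elsewhere (a reachability or NAT issue rather than the ACL).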
katredrumAuthor Commented:
Deleted ip inspect in and still no luck.

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int ser
Router(config)#int serial 0/0
Router(config-if)#no ip ins
Router(config-if)#no ip inspect sdm_ins_in_100 in
Router(config-if)#^Z
Router#ping www.cisco.com

Translating "www.cisco.com"...domain server (208.67.222.222) (208.67.220.220)
% Unrecognized host or address, or protocol not running.




0
katredrumAuthor Commented:
Okay, I finally was able to "ping cisco.com" but not "ping www.cisco.com".

Anyone know why?
0
GJHopkinsCommented:
Other way around for me: I can ping www.cisco.com but not cisco.com.

The thing here is to check that the DNS lookup is working; you may not be able to ping because the target is set to drop ICMP traffic. Some of the well-known sites do this. After all, would you want your bandwidth wasted by thousands of people testing their connections? :-)
0

katredrumAuthor Commented:
Thanks!
0