gwlnimda asked:
Cisco IOS DNS Configuration

Hi Experts,

I recently switched to a CISCO 1941 Router and a new Ethernet Internet Connection which I have configured. Most of the configurations were done via the CP Express setup wizard.

The router has two Ethernet Interfaces, one for the WAN and one for the LAN.

We are using SBS 2008 as our DHCP, which is also being used as a DNS server.

With the current configuration, the LAN clients are not able to resolve any external addresses. So what I have done is added the 2 Name Servers provided by my ISP as DNS forwarders on the SBS server. I can resolve addresses when I ping on the router itself e.g. www.google.com.

With the old ADSL connection and router, I never had to add the name servers as a DNS Forwarder.

Is there something in my cisco configuration that is wrong?

Please see the running-config below:

------------------------------------------------------------------------
domain#show running-config
Building configuration...

Current configuration : 5880 bytes
!
! Last configuration change at 11:51:53 PCTime Fri Nov 12 2010 by cisco
! NVRAM config last updated at 17:31:39 PCTime Thu Nov 11 2010 by cisco
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname domain
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $@##@^$@#$@#42142352342343
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name domain.com.au
ip name-server 23.24.25.26
ip name-server 31.32.33.34
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2370012323
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2370012323
 revocation-check none
 rsakeypair TP-self-signed-2370012323
!
!
crypto pki certificate chain TP-self-signed-2370012323
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333730 30363139 3333301E 170D3130 31313038 30323439
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  5EE9D066 06854464 2CCECBE6 36E31785 8F28E42E 7CF7E2AA D7C1B759 D48FB6DA
  C4D6BD21 FBC27DDF AA5CFDB8 7D4228A9 DE04D9CE 6858876E B7A78ECA 8F22CE80
  BE4AA8EC D4E0CD93 D34BF049 FB365DA4 F2A811AE 071B5285 1CDEC95D EAB72311
  54050203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  300D0609 2A864886 F70D0101 04050003 81810020 7D546AE8 4CE70C1C A2DF6B77
  E174EF47 77953795 9D65FD6E E6F377B7 408CAFCE FBB14FE1 77BA436D A10F33B2
  A4ADAD5F 8E57F696 743B9889 024AD08D 0A3691D7 D8CEE9AA 3EC0F437 6AD559EF
  0BC46CEE C843DFD2 EB040D8B D38C8C85 053B2F08 9E76E5E9 8A7ECC8A F42D555F
  98738FF5 806EC31C D367B534 E97F4A70 439875
        quit
license udi pid CISCO1941/K9 sn FKDFLSKJ12323KDFD
!
!
username cisco privilege 15 secret 5 $2342#$Sdflsdkjfskdfd.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 3333 rotary 1
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 150.151.152.250 255.255.255.250
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http port 9999
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.2 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.168.1.2 987 interface GigabitEthernet0/1 987
ip nat inside source static tcp 192.168.1.2 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 192.168.1.2 3387 interface GigabitEthernet0/1 3387
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.2 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 192.168.1.226 22 interface GigabitEthernet0/1 22
ip nat inside source static tcp 192.168.1.11 8080 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 192.168.1.3 80 interface GigabitEthernet0/1 80
ip route 0.0.0.0 0.0.0.0 150.151.152.250
!
ip access-list extended TelSSH
 permit tcp 192.168.1.0 0.0.0.255 any eq 3333 log
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
no cdp run

!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class TelSSH in
 privilege level 15
 login local
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
end

domain#
------------------------------------------------------------------------

Thank you in advance.
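A lint pass over the posted router configuration, as an added example that is not part of the question or of any answer in this thread. It parses the lines of the running-config above that matter for LAN name resolution (the excerpt is constructed from that config, addresses copied as posted) and flags what a reviewer would check on the router before blaming the DNS server: name servers configured, an `ip nat inside` / `ip nat outside` pair plus a PAT overload rule so client DNS queries are translated, a contiguous subnet mask on every interface, and a default route whose next hop is a neighbour on a connected subnet rather than the router's own address. On the values as posted the last two checks fire (255.255.255.250 is not a contiguous mask, and the default route's next hop equals GigabitEthernet0/1's own address); whether those are real or artifacts of anonymising the post, they are exactly the kind of defect that would stop forwarded queries from leaving the router.

```python
import ipaddress

# Constructed excerpt of the running-config posted in the question (values as posted).
SAMPLE_CONFIG = """\
ip name-server 23.24.25.26
ip name-server 31.32.33.34
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 150.151.152.250 255.255.255.250
 ip nat outside
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 150.151.152.250
"""


def parse_config(text):
    """Collect interfaces, name servers, default-route next hops and the PAT overload flag."""
    cfg = {"interfaces": {}, "name_servers": [], "default_routes": [], "nat_overload": False}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):      # unindented line ends any interface block
            current = None
        tokens = line.split()
        if tokens[0] == "interface":
            current = tokens[1]
            cfg["interfaces"][current] = {"address": None, "mask": None, "nat": None}
        elif current and tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
            cfg["interfaces"][current]["address"] = tokens[2]
            cfg["interfaces"][current]["mask"] = tokens[3]
        elif current and tokens[:2] == ["ip", "nat"] and len(tokens) == 3:
            cfg["interfaces"][current]["nat"] = tokens[2]       # inside / outside
        elif tokens[:2] == ["ip", "name-server"]:
            cfg["name_servers"].extend(tokens[2:])
        elif tokens[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(tokens) >= 5:
            cfg["default_routes"].append(tokens[4])
        elif tokens[:4] == ["ip", "nat", "inside", "source"] and tokens[-1] == "overload":
            cfg["nat_overload"] = True
    return cfg


def mask_is_contiguous(mask):
    """True for a valid subnet mask: all one-bits followed by all zero-bits."""
    inv = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def next_hop_on_link(next_hop, iface):
    """True if next_hop lies inside the interface's connected subnet."""
    if not iface["address"] or not iface["mask"]:
        return False
    try:
        net = ipaddress.IPv4Interface(f"{iface['address']}/{iface['mask']}").network
    except ValueError:                  # non-contiguous mask cannot form a network
        return False
    return ipaddress.IPv4Address(next_hop) in net


def lint(cfg):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    if not cfg["name_servers"]:
        findings.append("no ip name-server configured; the router can neither resolve nor forward")
    roles = {i["nat"] for i in cfg["interfaces"].values()}
    if not {"inside", "outside"} <= roles:
        findings.append("NAT needs one 'ip nat inside' and one 'ip nat outside' interface")
    if not cfg["nat_overload"]:
        findings.append("no PAT overload rule; LAN clients' own DNS queries are not translated")
    own_addresses = {i["address"] for i in cfg["interfaces"].values() if i["address"]}
    for name, iface in cfg["interfaces"].items():
        if iface["mask"] and not mask_is_contiguous(iface["mask"]):
            findings.append(f"{name}: mask {iface['mask']} is not a contiguous subnet mask")
    for nh in cfg["default_routes"]:
        if nh in own_addresses:
            findings.append(f"default route next hop {nh} is the router's own address, not the ISP gateway")
        elif not any(next_hop_on_link(nh, i) for i in cfg["interfaces"].values()):
            findings.append(f"default route next hop {nh} is not on any connected subnet")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run it against a saved `show running-config` to get the same report for a real device; the interface parser only tracks the three sub-commands the checks need, so unrelated lines in a full config are ignored.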
TARJr:

Sounds like an issue with your DNS server. Did you enable DNS recursion so it will use the default forwarders? If the routers are passing IP traffic then they are not the problem with DNS.
gwlnimda (ASKER):

Hi,

Thanks for the quick response.

DNS recursion is enabled and is by default. I have not changed anything in our DNS server; the only difference in this picture is the new Ethernet Internet connection and the Cisco 1941 router.

If you use forwarders and it is working, then DNS is not being filtered or problematic at the router level. 2008 Servers can function in 2 ways: forward the DNS request to other servers or resolve on their own. If you want it to resolve on its own, make sure that the root hint servers are all available. You may need to re-install DNS on your server.

Test your SBS server: at the command prompt type nslookup and test the answers you get from the DNS server; post some results.

What hardware did the Cisco replace? Most consumer-grade home routers act as a DHCP server and a DNS proxy. They provide their own address as the DNS server in the DHCP data, and they forward all DNS requests.

Make sure the DHCP information provided by the DHCP server includes the correct information for the name server.

http://technet.microsoft.com/en-us/library/cc756865%28WS.10%29.aspx#scopedns
mikecr:
Testing/checking procedure:

1. Can you ping IP address on the internet from a workstation? I.e., 4.2.2.2 (Cisco's DNS Server)
2. Did you change the DHCP scope to reflect the new router as their gateway?
3. Can the SBS server ping anything on the internet by name using its own DNS? Can you ping on the internet if you assign the ISP's DNS to the server?
4. Does name resolution work internally when pinging other clients by DNS name?
5. Does name resolution on the internet work if you use the ISP's DNS ip on the workstation?
6. While attempting to ping anything on the internet by name, do "show ip nat translations" on the router and see if nat is showing UDP 53 traffic from the client/server.
7. Remove all static nat statements from the router and just use the global nat. Do you have the same problem?
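Step 6 of the procedure above asks whether `show ip nat translations` shows UDP port 53 traffic from the client or server. As an added example that is not part of this thread, the script below parses that command's table layout and summarises, per inside host, which DNS servers its queries actually reached through NAT, then compares them with the ISP forwarders from the posted config. The sample table is constructed (addresses taken from the thread, port numbers invented), not captured from the asker's router; the expected-forwarder set and the `4.2.2.2` row are assumptions chosen to show both a normal and an unexpected flow.

```python
from collections import defaultdict

# Constructed sample in the column layout of "show ip nat translations".
SAMPLE_TRANSLATIONS = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 150.151.152.250:1045  192.168.1.2:1045      23.24.25.26:53        23.24.25.26:53
udp 150.151.152.250:1046  192.168.1.2:1046      31.32.33.34:53        31.32.33.34:53
udp 150.151.152.250:61002 192.168.1.50:61002    4.2.2.2:53            4.2.2.2:53
tcp 150.151.152.250:25    192.168.1.2:25        ---                   ---
icmp 150.151.152.250:1    192.168.1.50:1        4.2.2.2:1             4.2.2.2:1
"""

# ISP name servers from the posted config; the set a correctly forwarding SBS should hit.
EXPECTED_FORWARDERS = {"23.24.25.26", "31.32.33.34"}


def parse_translations(text):
    """Return one dict per translation row, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, inside_global, inside_local, outside_local, outside_global = parts
        rows.append({"proto": proto, "inside_local": inside_local,
                     "outside_global": outside_global})
    return rows


def split_endpoint(endpoint):
    """'host:port' -> (host, port); the '---' placeholder -> (None, None)."""
    if endpoint == "---":
        return None, None
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def dns_flows(text):
    """Map inside-local host -> set of servers it reached on port 53 (UDP or TCP)."""
    flows = defaultdict(set)
    for row in parse_translations(text):
        if row["proto"] not in ("udp", "tcp"):
            continue
        server, port = split_endpoint(row["outside_global"])
        if port == 53:
            host, _ = split_endpoint(row["inside_local"])
            flows[host].add(server)
    return dict(flows)


def check_forwarders(text, expected=EXPECTED_FORWARDERS):
    """Report hosts whose DNS queries bypass the expected forwarders, or no DNS at all."""
    problems = []
    flows = dns_flows(text)
    if not flows:
        problems.append("no port-53 translations: DNS queries are not leaving the LAN via NAT")
    for host, servers in sorted(flows.items()):
        unexpected = servers - expected
        if unexpected:
            problems.append(f"{host} querying non-forwarder servers {sorted(unexpected)}")
    return problems


if __name__ == "__main__":
    for host, servers in sorted(dns_flows(SAMPLE_TRANSLATIONS).items()):
        print(host, "->", sorted(servers))
    for problem in check_forwarders(SAMPLE_TRANSLATIONS) or ["forwarder check passed"]:
        print(problem)
```

An empty `dns_flows` result while a client is pinging by name points at the LAN side (the client is asking a server that never sends the query out, or the NAT rule is not matching); flows to servers outside the expected set mean a host is bypassing the SBS forwarder chain.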
The device replaced was a Netcoom 3G10WVT Gateway that was used while waiting for our Ethernet Connection to be installed. My SBS Server worked fine with this. It was only when we switched over to the Cisco Router that this started happening.

Testing/checking procedure:

1. Can you ping IP address on the internet from a workstation? I.e., 4.2.2.2 (Cisco's DNS Server)
Yes

2. Did you change the DHCP scope to reflect the new router as their gateway?
No, same scope.

3. Can the SBS server ping anything on the internet by name using its own DNS? Can you ping on the internet if you assign the ISP's DNS to the server?
No, Yes.

4. Does name resolution work internally when pinging other clients by DNS name?
Yes.

5. Does name resolution on the internet work if you use the ISP's DNS ip on the workstation?
Yes.

6. While attempting to ping anything on the internet by name, do "show ip nat translations" on the router and see if nat is showing UDP 53 traffic from the client/server.
Yes.

7. Remove all static nat statements from the router and just use the global nat. Do you have the same problem?
Was like this from the first time the router was setup.

Even if I didn't have an SBS server with a DNS server, I should still be able to resolve addresses if I set up a static IP on one of the workstations and use 192.168.1.1 as the DNS server?

Is there a setting missing on the router to forward any dns requests to the external name servers?
SOLUTION
blue-screen:
This solution is only available to members.

ASKER CERTIFIED SOLUTION
This solution is only available to members.
I restarted the SBS server and everything still seems fine.

I conclude that it must have been an issue with my DNS server.

Thank you all.
Solved by using Configure a DNS Server Wizard to rebuild root hints.