  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 937
  • Last Modified:

Cisco IOS: ip domain lookup not working, possible NAT issue?

I have a working static NAT config but I've never been able to get ip domain lookup to work completely.  It works if I set it to use the LAN interface DNS server, but just times out if I use the ISP DNS server.  I've removed the ACLs to see if it was blocked somewhere and that didn't help.  Below is the portion of the config that I think could be relevant.

x.x.x is the LAN
y.y.y is the ISP

no ip source-route
ip domain retry 0
ip domain lookup source-interface FastEthernet0/0 <-- tried both 0/0 and 0/1
ip domain name nnn.mmm
ip name-server 8.8.8.8 <--- x.x.x.1 works for LAN DNS server
interface FastEthernet0/0
 description ISP
 ip address y.y.y.72 255.255.255.0 secondary
 ip address y.y.y.71 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address x.x.x.254 255.255.255.0
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip default-gateway y.y.y.1
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.y.1 permanent
ip nat inside source static x.x.x.1 y.y.y.71 extendable no-alias
ip nat inside source static x.x.x.2 y.y.y.72 extendable no-alias

Asked: s-w
Henk van Achterberg (Sr. Technical Consultant) commented:
Please try adding this (have not tested this myself):

ip nat inside source static udp x.x.x.254 53 y.y.y.71 53
ip nat inside source static tcp x.x.x.254 53 y.y.y.72 53

The logic is that the DNS reply is NAT-ed to the x.x.x.1 ip address.

Please note that if this works the x.x.x.1 host cannot use an external DNS server anymore as the replies are processed by the Cisco.
 
s-w (Author) commented:
Your logic makes sense but DNS traffic needs to go through the NAT for .71 and .72 so I can't test that without breaking it.

I tried adding this to the top of the ISP out ACL
 permit udp any host 8.8.8.8 log

and this to the ISP in ACL
 permit udp host 8.8.8.8 any log

I don't get any log entries when pinging using (8.8.8.8).  Is the NAT preventing the traffic from even going out to the ISP because it's not from x.x.x.1 or x.x.x.2 (the nat entries)?

I have other y.y.y addresses that don't need DNS traffic.  Is there a way to tell the domain lookup to use one of the secondary IP addresses as the source address (so I can use your config)?
 
Henk van Achterberg (Sr. Technical Consultant) commented:
As far as I know you can only specify a source interface and not a source IP.

I also wonder if own traffic originated from the Cisco is being logged by the ACL.

Why don't you change the primary IP of the interface to one which is not being natted?

FYI: You do not need to configure an IP address (as secondary) on an interface to use that IP for NAT.

 
s-w (Author) commented:
I tried adding the port 53 nats on another ip address and set the interface to that ip address also and it worked!  Also, I removed the secondary ip addresses (thanks again).

FYI, the dns traffic now shows up in the log from the earlier ACL.

The problem now is that when I add the "catch-all" nat after the dns entries the dns stops working.  Is there a way to add the 3rd nat entry to pass all other traffic?

ip nat inside source static udp x.x.x.254 53 y.y.y.73 53
ip nat inside source static tcp x.x.x.254 53 y.y.y.73 53
ip nat inside source static x.x.x.3   y.y.y.73 <--- dns stops working when I add this line
 
s-w (Author) commented:
It appears the problem is that the traffic coming back from 8.8.8.8 is going to a random client port that the router chose for the dns request, and that makes it fall into the 3rd entry.

Is there a way to set the dns resolver source port pool?
 
Henk van Achterberg (Sr. Technical Consultant) commented:
Maybe we can try another approach.

Create a loopback interface, issue ip nat inside and give it an ip. Include this ip in the overload to the WAN.

Now source your domain lookups from this interface (ip domain-lookup source.....)

And test if that works.
 
s-w (Author) commented:
I found that those secondary addresses I removed are important in my case.
1) The ISP / cable modem needs them to be able to ARP and send traffic to the router
2) It appears that without the address on the interface, the DNS translation for the NAT traffic doesn't happen.  I had some internal DNS records get out to public DNS servers and that's the only explanation I can think of, and I can't afford to test it. Does that make sense?

On the original domain lookup problem, I added the loopback interface and assigned it an IP address.  I then decided to take one of my other static internet IP and use it for a dynamic NAT.  I included the loopback IP address in the access list for the NAT.  That made the router domain lookup work and it let me use the same internet IP for other router LAN clients.  So now that single internet IP is used for both internal router and client access to the internet.

Thanks for helping get to a complete solution.
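The final approach from the two comments above, pulled together into one configuration as an added example (this is not s-w's or Henk's actual running config). Loopback0, its 192.168.255.1/32 address, the ACL and pool names, and the presence of ip nat inside/outside on the LAN and ISP interfaces are assumptions; x.x.x and y.y.y are the thread's own placeholders and y.y.y.73 is the spare public address named earlier in the thread.

```cisco
! Added example, not the poster's config. Assumptions: Loopback0 with
! 192.168.255.1/32, the ACL/pool names, and that Fa0/0 already carries
! "ip nat outside" and Fa0/1 "ip nat inside". x.x.x = LAN, y.y.y = ISP.
!
! 1. Loopback that router-generated traffic is sourced from.
!    "ip nat inside" is what makes the router's own packets eligible
!    for translation; without it they leave untranslated and the
!    reply never matches any NAT entry (the original symptom).
interface Loopback0
 description Source for router-originated traffic (DNS resolver)
 ip address 192.168.255.1 255.255.255.255
 ip nat inside
!
! 2. Inside addresses allowed to share y.y.y.73: the loopback plus
!    the LAN clients that have no static mapping of their own.
ip access-list standard NAT_SHARED
 permit 192.168.255.1
 permit x.x.x.0 0.0.0.255
!
! 3. Dynamic PAT (overload) onto a single spare public address.
!    Overload records a per-port translation, so the reply from the
!    name server is matched to the router's random resolver port
!    instead of falling into a catch-all static entry. y.y.y.73 must
!    therefore NOT also be the target of a plain static mapping.
ip nat pool SHARED_PUBLIC y.y.y.73 y.y.y.73 netmask 255.255.255.0
ip nat inside source list NAT_SHARED pool SHARED_PUBLIC overload
!
! 4. Source the resolver from the loopback. Other router-originated
!    services (e.g. FTP) need their own source-interface statement.
ip domain lookup source-interface Loopback0
ip name-server 8.8.8.8
ip ftp source-interface Loopback0
!
! Verification from exec mode:
!   ping www.example.com              -> name must resolve before the ping runs
!   show ip nat translations | include 192.168.255.1
!   show hosts                         -> cached resolver answers
```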
 
Henk van Achterberg (Sr. Technical Consultant) commented:
Please note that for other services like ftp you need to specify the source interface separately.

When you add nat statements the router should reply to arp statements, so I have no idea why removing the ip causes trouble.

The dns rewrite makes sense though. Do you know you can run your own dns server on your router?