Solved

Cisco IOS: ip domain lookup not working, possible NAT issue?

Posted on 2013-06-20
Last Modified: 2013-06-23
I have a working static NAT config but I've never been able to get ip domain lookup to work completely.  It works if I set it to use the LAN interface DNS server, but just times out if I use the ISP DNS server.  I've removed the ACLs to see if it was blocked somewhere and that didn't help.  Below is the portion of the config that I think could be relevant.

x.x.x is the LAN
y.y.y is the ISP

no ip source-route
ip domain retry 0
ip domain lookup source-interface FastEthernet0/0 <-- tried both 0/0 and 0/1
ip domain name nnn.mmm
ip name-server 8.8.8.8 <--- x.x.x.1 works for LAN DNS server
interface FastEthernet0/0
 description ISP
 ip address y.y.y.72 255.255.255.0 secondary
 ip address y.y.y.71 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address x.x.x.254 255.255.255.0
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip default-gateway y.y.y.1
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.y.1 permanent
ip nat inside source static x.x.x.1 y.y.y.71 extendable no-alias
ip nat inside source static x.x.x.2 y.y.y.72 extendable no-alias

Question by:s-w
8 Comments
 
LVL 12

Accepted Solution

by: Henk van Achterberg (earned 800 total points)
ID: 39263743
Please try adding this (I have not tested this myself):

ip nat inside source static udp x.x.x.254 53 y.y.y.71 53
ip nat inside source static tcp x.x.x.254 53 y.y.y.72 53

The logic is that the DNS reply is NAT-ed to the x.x.x.1 ip address.

Please note that if this works the x.x.x.1 host cannot use an external DNS server anymore as the replies are processed by the Cisco.
 

Author Comment

by:s-w
ID: 39263948
Your logic makes sense, but DNS traffic needs to go through the NAT for .71 and .72, so I can't test that without breaking it.

I tried adding this to the top of the ISP out ACL
 permit udp any host 8.8.8.8 log

and this to the ISP in ACL
 permit udp host 8.8.8.8 any log

I don't get any log entries when pinging using (8.8.8.8).  Is the NAT preventing the traffic from even going out to the ISP because it's not from x.x.x.1 or x.x.x.2 (the nat entries)?

I have other y.y.y addresses that don't need DNS traffic.  Is there a way to tell the domain lookup to use one of the secondary IP addresses as the source address (so I can use your config)?
 
LVL 12

Assisted Solution

by: Henk van Achterberg (earned 800 total points)
ID: 39264012
As far as I know you can only specify a source interface and not a source IP.

I also wonder if own traffic originated from the Cisco is being logged by the ACL.

Why don't you change the primary IP of the interface to one which is not being natted?

FYI: You do not need to configure an IP address (as secondary) on an interface to use that IP for NAT.

 

Author Comment

by:s-w
ID: 39264195
I tried adding the port 53 nats on another ip address and set the interface to that ip address also and it worked!  Also, I removed the secondary ip addresses (thanks again).

FYI, the dns traffic now shows up in the log from the earlier ACL.

The problem now is that when I add the "catch-all" nat after the dns entries the dns stops working.  Is there a way to add the 3rd nat entry to pass all other traffic?

ip nat inside source static udp x.x.x.254 53 y.y.y.73 53
ip nat inside source static tcp x.x.x.254 53 y.y.y.73 53
ip nat inside source static x.x.x.3   y.y.y.73 <--- dns stops working when I add this line
 

Author Comment

by:s-w
ID: 39264319
It appears the problem is that the traffic coming back from 8.8.8.8 is going to a random client port that the router chose for the dns request, and that makes it fall into the 3rd entry.

Is there a way to set the dns resolver source port pool?
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39264526
Maybe we can try another approach.

Create a loopback interface, issue ip nat inside and give it an ip. Include this ip in the overload to the WAN.

Now source your domain lookups from this interface (ip domain-lookup source.....)

And test if that works
 

Author Comment

by:s-w
ID: 39266772
I found that those secondary addresses I removed are important in my case.
1) The ISP / cable modem needs them to be able to ARP and send traffic to the router
2) It appears that without the address on the interface, the DNS translation for the NAT traffic doesn't happen.  I had some internal DNS records get out to public DNS servers and that's the only explanation I can think of, and I can't afford to test it. Does that make sense?

On the original domain lookup problem, I added the loopback interface and assigned it an IP address.  I then decided to take one of my other static internet IP and use it for a dynamic NAT.  I included the loopback IP address in the access list for the NAT.  That made the router domain lookup work and it let me use the same internet IP for other router LAN clients.  So now that single internet IP is used for both internal router and client access to the internet.

Thanks for helping get to a complete solution.
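The arrangement s-w describes in the previous comment (router lookups sourced from a NAT-inside loopback, translated by a dynamic overload NAT on a spare public address, alongside the original static mappings), written out as an added example config that is not from the thread. Loopback0, 10.255.255.1, access-list 10, the pool name, the LAN hosts x.x.x.10/11 and the spare public IP y.y.y.74 are assumptions.

```cisco
! Added example, not from the thread. Interface and pool names, ACL number,
! 10.255.255.1, x.x.x.10/11 and the spare public address y.y.y.74 are assumptions.
!
interface FastEthernet0/0
 description ISP
 ip address y.y.y.72 255.255.255.0 secondary
 ip address y.y.y.71 255.255.255.0
 ip nat outside
!
! The secondary stays: the static NATs below use no-alias, so the router
! does not answer ARP for y.y.y.72 unless the address is on the interface.
interface FastEthernet0/1
 description LAN
 ip address x.x.x.254 255.255.255.0
 ip nat inside
!
! Loopback used only by the router itself; marked inside so traffic sourced
! from it is translated on the way out of Fa0/0.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
! Inside addresses allowed to share y.y.y.74: the loopback plus LAN clients
! that have no one-to-one static mapping of their own.
access-list 10 permit host 10.255.255.1
access-list 10 permit host x.x.x.10
access-list 10 permit host x.x.x.11
!
! Single-address pool with overload (PAT), so the resolver's random source
! ports and the clients' sessions all fit behind one public IP.
ip nat pool SHARED_PUBLIC y.y.y.74 y.y.y.74 netmask 255.255.255.0
ip nat inside source list 10 pool SHARED_PUBLIC overload
!
! Original one-to-one mappings, unchanged. They no longer catch the router's
! own DNS because lookups are not sourced from x.x.x.1 or x.x.x.2.
ip nat inside source static x.x.x.1 y.y.y.71 extendable no-alias
ip nat inside source static x.x.x.2 y.y.y.72 extendable no-alias
!
! Source resolver queries from the loopback so the overload entry, not a
! static mapping, carries the reply back. Other router-originated services
! (ftp, ssh, ntp ...) each need their own source-interface command.
ip domain lookup source-interface Loopback0
ip name-server 8.8.8.8
```

After applying, `show ip nat translations` should list a udp entry for 10.255.255.1 with a high source port mapped to y.y.y.74 while a lookup is in flight, which is the entry the catch-all static NAT previously swallowed.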
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39269029
Please note that for other services like ftp you need to specify the source interface separately.

When you add NAT statements the router should reply to ARP requests, so I have no idea why removing the IP causes trouble.

The DNS rewrite makes sense though. Do you know you can run your own DNS server on your router?