Solved

Cisco IOS: ip domain lookup not working, possible NAT issue?

Posted on 2013-06-20
864 Views
Last Modified: 2013-06-23
I have a working static NAT config but I've never been able to get ip domain lookup to work completely.  It works if I set it to use the LAN interface DNS server, but just times out if I use the ISP DNS server.  I've removed the ACLs to see if it was blocked somewhere and that didn't help.  Below is the portion of the config that I think could be relevant.

x.x.x is the LAN
y.y.y is the ISP

no ip source-route
ip domain retry 0
ip domain lookup source-interface FastEthernet0/0 <-- tried both 0/0 and 0/1
ip domain name nnn.mmm
ip name-server 8.8.8.8 <--- x.x.x.1 works for LAN DNS server
interface FastEthernet0/0
 description ISP
 ip address y.y.y.72 255.255.255.0 secondary
 ip address y.y.y.71 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address x.x.x.254 255.255.255.0
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip default-gateway y.y.y.1
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.y.1 permanent
ip nat inside source static x.x.x.1 y.y.y.71 extendable no-alias
ip nat inside source static x.x.x.2 y.y.y.72 extendable no-alias

Question by:s-w

Accepted Solution by Henk van Achterberg (earned 200 total points)
ID: 39263743
Please try adding this (have not tested this myself):

ip nat inside source static udp x.x.x.254 53 y.y.y.71 53
ip nat inside source static tcp x.x.x.254 53 y.y.y.72 53

The logic is that the DNS reply is NAT-ed to the x.x.x.1 IP address.

Please note that if this works the x.x.x.1 host cannot use an external DNS server anymore as the replies are processed by the Cisco.

Author Comment

by:s-w
ID: 39263948
Your logic makes sense but DNS traffic needs to go through the NAT for .71 and .72 so I can't test that without breaking it.

I tried adding this to the top of the ISP out ACL
 permit udp any host 8.8.8.8 log

and this to the ISP in ACL
 permit udp host 8.8.8.8 any log

I don't get any log entries when pinging using (8.8.8.8).  Is the NAT preventing the traffic from even going out to the ISP because it's not from x.x.x.1 or x.x.x.2 (the nat entries)?

I have other y.y.y addresses that don't need DNS traffic.  Is there a way to tell the domain lookup to use one of the secondary IP addresses as the source address (so I can use your config)?

Assisted Solution by Henk van Achterberg (earned 200 total points)
ID: 39264012
As far as I know you can only specify a source interface and not a source IP.

I also wonder if own traffic originated from the Cisco is being logged by the ACL.

Why don't you change the primary IP of the interface to one which is not being natted?

FYI: You do not need to configure an IP address (as secondary) on an interface to use that IP for NAT.

Author Comment

by:s-w
ID: 39264195
I tried adding the port 53 nats on another ip address and set the interface to that ip address also and it worked!  Also, I removed the secondary ip addresses (thanks again).

FYI, the DNS traffic now shows up in the log from the earlier ACL.

The problem now is that when I add the "catch-all" NAT after the DNS entries the DNS stops working.  Is there a way to add the 3rd NAT entry to pass all other traffic?

ip nat inside source static udp x.x.x.254 53 y.y.y.73 53
ip nat inside source static tcp x.x.x.254 53 y.y.y.73 53
ip nat inside source static x.x.x.3   y.y.y.73 <--- dns stops working when I add this line

Author Comment

by:s-w
ID: 39264319
It appears the problem is that the traffic coming back from 8.8.8.8 is going to a random client port that the router chose for the DNS request, and that makes it fall into the 3rd entry.

Is there a way to set the DNS resolver source port pool?

Expert Comment

by:Henk van Achterberg
ID: 39264526
Maybe we can try another approach.

Create a loopback interface, issue ip nat inside and give it an IP. Include this IP in the overload to the WAN.

Now source your domain lookups from this interface (ip domain-lookup source.....)

And test if that works.

Author Comment

by:s-w
ID: 39266772
I found that those secondary addresses I removed are important in my case.
1) The ISP / cable modem needs them to be able to ARP and send traffic to the router
2) It appears that without the address on the interface, the DNS translation for the NAT traffic doesn't happen.  I had some internal DNS records get out to public DNS servers and that's the only explanation I can think of, and I can't afford to test it. Does that make sense?

On the original domain lookup problem, I added the loopback interface and assigned it an IP address.  I then decided to take one of my other static internet IP and use it for a dynamic NAT.  I included the loopback IP address in the access list for the NAT.  That made the router domain lookup work and it let me use the same internet IP for other router LAN clients.  So now that single internet IP is used for both internal router and client access to the internet.

Thanks for helping get to a complete solution.
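The failure described earlier (the router's own DNS reply arriving on a random high port and being swallowed by the x.x.x.3 catch-all static) and the loopback-plus-overload fix described above, as an added simplified model written for this thread; it is not Cisco IOS code, and the loopback address 10.255.255.1 and the spare public IP y.y.y.74 are assumed placeholders in the thread's x.x.x / y.y.y notation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class StaticRule:
    inside_ip: str
    outside_ip: str
    port: Optional[int] = None  # None models a plain host static (all ports)

# Constructed placeholders following the thread: x.x.x = LAN, y.y.y = ISP.
LOOPBACK_IP = "10.255.255.1"   # assumed address of the suggested Loopback interface
OVERLOAD_IP = "y.y.y.74"       # assumed spare public IP used for the dynamic NAT

def inbound_static_target(rules: List[StaticRule], pkt: Packet) -> str:
    """Inside host a packet from the ISP is delivered to under the static entries.
    Port-specific entries are consulted before the host catch-all (simplified)."""
    for r in sorted(rules, key=lambda r: r.port is None):
        if r.outside_ip == pkt.dst_ip and (r.port is None or r.port == pkt.dst_port):
            return r.inside_ip
    return pkt.dst_ip  # untranslated: the router itself owns the address

def outbound_dynamic(table: Dict[Tuple[str, int], Tuple[str, int]], pkt: Packet) -> Packet:
    """Model of an overload entry: remember the mapping created by the outgoing
    query so its reply can be matched back to the loopback-sourced packet."""
    table[(OVERLOAD_IP, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
    return Packet(OVERLOAD_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port)

def deliver_reply(rules: List[StaticRule], table: Dict, reply: Packet) -> str:
    """Returning packets are checked against the dynamic table first, then the statics."""
    hit = table.get((reply.dst_ip, reply.dst_port))
    return hit[0] if hit else inbound_static_target(rules, reply)

# The broken config from the thread: port-53 static plus a catch-all for x.x.x.3.
BROKEN = [StaticRule("x.x.x.254", "y.y.y.73", 53), StaticRule("x.x.x.3", "y.y.y.73")]

def broken_case() -> Tuple[str, str]:
    """A reply to port 53 reaches the LAN DNS host, but the router's own lookup reply,
    arriving on a random high port, is captured by the x.x.x.3 catch-all."""
    to_dns = deliver_reply(BROKEN, {}, Packet("8.8.8.8", 53, "y.y.y.73", 53))
    to_router = deliver_reply(BROKEN, {}, Packet("8.8.8.8", 53, "y.y.y.73", 49152))
    return to_dns, to_router

def loopback_case() -> str:
    """Query sourced from the loopback and overloaded onto a spare IP: the dynamic
    entry created on the way out matches the reply, so it comes back to the router."""
    table: Dict[Tuple[str, int], Tuple[str, int]] = {}
    query = outbound_dynamic(table, Packet(LOOPBACK_IP, 49152, "8.8.8.8", 53))
    reply = Packet("8.8.8.8", 53, query.src_ip, query.src_port)
    return deliver_reply(BROKEN, table, reply)
```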

Expert Comment

by:Henk van Achterberg
ID: 39269029
Please note that for other services like FTP you need to specify the source interface separately.

When you add NAT statements the router should reply to ARP requests, so I have no idea why removing the IP causes trouble.

The DNS rewrite makes sense though. Do you know you can run your own DNS server on your router?