Can't reslove domain names through firewall 2

[Niall22]

Hi guys,

I have a Cisco 2600 series router and I'm not 100% sure which ports I need to allow through my firewall for domain name resolution. When the firewall is down the router resolves ip's fine. But when the firewall is up it doesn't. I am permitting UDP and TCP packets on port 53 to go through but it still won't resolve ip's to domain names.

My ACL is defined as follows:

access-list 101 permit tcp any any eq 53
access-list 101 permit udp any any eq 53

Am I missing a port that is needed? I'm sure this is something simple. Your help is greatly appreciated.

Niall

 

[sobak]

Should work, What I would do is enable logging on the router then modify the ACL as follows....

access-list 101 permit tcp any any eq 53 log
access-list 101 permit tcp any any eq 53 log
access-list 101 deny ip any any log

This will log any denied or permitted traffic to see where the blockage is. I use the log command a lot when dealing with ACL's

david e

 

[wybnormal]

David is quite correct... the log function is VERY useful for both troubleshooting and monitoring ACLs and the effects.

MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Niall22]

Unfortunately, I am self taught when it comes to Cisco equipment and I have never tried to enable logging or debugging. If you guys could let me know what command enables logging and how I can view the log afterwards that would be great! I've tried to find info on debugging before but finding the appropriate technical articles on Cisco's website is like finding a needle in a haystack sometimes.

Thanks again,

Niall

 

[sobak]

So true about Cisco's Web site. Here is how I have my routers configured.

Logging buffered 4096 debugging

This should allow any of the ACL's to log to a log file

To view the log you can do it from the telnet console by typing....

Sho log

this will show you where the breakdown is. Let me know if you have any questions...

david e

 

[sobak]

The logging buffered command should be done from the global config (config t) Sorry I didn't add that in last time....

david e

 

[wybnormal]

Also, you can find yourself a syslog server damon for NT or use a builtin server with Unix. This way the messages are sent to the logserver instead of you having to login to router. And if you have a small log file ( to save RAM), you will still catch everything.

Try

http://www.kiwi-enterprises.com/software_downloads.htm

for a few demo and cheap purchase. I've used it for 2 years now and have been very happy with it.

MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Niall22]

Well, I have tried what you guys suggested but I can't see anything in the log.

By the way, DNS works fine from computers within my network just not from the router itself, unless my firewall is disabled. I still don't see what could be blocking DNS queries. Here's my config:

version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
logging buffered 4096 debugging
no logging console
enable secret 5 xxxxxx
!
!
!
!
!
clock timezone EST -4
ip subnet-zero
ip name-server x.x.x.x
!
ip inspect name FastEthernet_0_1 smtp
ip inspect name FastEthernet_0_1 ftp
ip inspect name FastEthernet_0_1 tcp
ip inspect name FastEthernet_0_1 udp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key xxxxxx address x.x.x.x
crypto isakmp key xxxxxx address 0.0.0.0
crypto isakmp client configuration address-pool local dhcppool
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans1
!
!
crypto map cryptomap client configuration address initiate
crypto map cryptomap client configuration address respond
crypto map cryptomap 1 ipsec-isakmp
set peer x.x.x.x
set transform-set trans1
match address 100
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
description Conneted to EtherLAN
ip address 10.2.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description Connected to Internet
ip address x.x.x.x 255.255.255.0
ip access-group 101 in
ip nat outside
ip inspect FastEthernet_0_1 in
ip inspect FastEthernet_0_1 out
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map cryptomap
!
ip local pool dhcppool 10.2.3.5 10.2.3.254
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
no ip http server
!
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit icmp any any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit udp host x.x.x.x any
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.3.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit icmp any any log
access-list 101 permit udp any any eq domain log
access-list 101 permit tcp any any eq domain
access-list 105 deny ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 105 deny ip 10.2.1.0 0.0.0.255 10.2.3.0 0.0.0.255
access-list 105 permit ip 10.2.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 105
!
snmp-server engineID local 0000000902000002166639E0
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7 xxxxxx
login
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 xxxxxx
login
!
ntp clock-period 17180334
ntp server x.x.x.x
end

That's my whole config... I've left nothing out.

When I tried to view the log by typing "sh log", I got the following:

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 6 messages logged
Trap logging: level informational, 21 message lines logged

Log Buffer (4096 bytes):

05:14:54: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.1.108)
05:22:53: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.1.108)
05:28:39: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.1.108)
05:29:11: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.1.108)
05:30:58: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.1.108)
05:35:32: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.1.108)

When I type "sh access-list 101" I don't see any matches for the DNS ports that I opened. I don't think I should even need them because the router is actually initiating the request, not some outside source.

Do you guys see anything that might be blocking DNS queries to my ISP's DNS server??? Am I missing something is my access lists?

Thanks again.

 

[sobak]

At the end of the 101 ACL if you place a...

deny ip any any log

it will show you what was denied and where. There is a implicit Deny statement at the end of the ACL anyway, placing it in there will give you a chance to see where the blockage is then you can see it.

One question.... I don't see an entry in your ACL for your Ethernet0/1 port. I am sure this is running on an external address. On your ACL you only have your WAN address, if you want to resolve host names at the router (if I understand correctly) you will need an ACL for your WAN Address to allow port 53 as well. Since the original request came from the external address coming back in the ACL would block it from the Ethernet0/1 interface and drop the packet.

WYB....you see anything I'm missing?

david e

 

[Niall22]

After checking the log now I discovered the following entry which seems to shed some light on the problem.

06:22:53: %SEC-6-IPACCESSLOGP: list 101 denied udp x.x.x.x(53) -> y.y.y.y(57829), 1 packet

Where x = ISP DNS server and y = My external IP address

It seems that the DNS packets originate from UDP port 53 but once they reach the router they try to come in on UDP port 57829. Is there some way to allow UDP packets that originate from port 53 no matter what port they try to come in on? I thought the ip inspect command would do that for me... is something setup wrong there?

Sobak, I didn't quite understand what you were trying to tell about my ACLs on your last post. FastEthernet0/1 is connected to the Internet and has an external IP. I do not have any ACL set up for my other ethernet port which is connected to my private network. I am only filtering traffic from the Internet, I don't really care about traffic within my network. I am assuming by WAN interface you mean my internal connection... if I don't have an ACL enabled for that port then why would I have to include an statement in my ACL for allowing DNS packets to reach it?

I think you guys almost have this one licked.

Thanks a bunch.

 

[sobak]

Sorry about that, I refer to all my Internet Interfaces as WAN since I run VPN's over them. Actually what I mean by that is.....

1. you have an ACL connected to Ethernet0/1 101 in.
2. In the ACL's I see your 10.0.0.0 network but not one for your Ethernet0/1 interface.

If you attempt to look up a host name from your router what I believe would happen to the packet is this....

1. Packet would leave your router to your ISP DNS.
2. ISP DNS would send a the packet back with a destination of your Ethernet Interface (external address)
3. Before your router does anything with the packet, it checks the ACL and matches the destination address to the ACL.
4. Since the Destination Address is your ethernet interface, and that interface is not in your ACL's it would drop the packet. Adding the ethernet interface in the ACL would allow the router to accept the packet.


This is of course if I am correct. I am pretty much self taught Cisco but routers are a way of life with me. I am the only one that understands my ACL's in my company. I'm afraid if something happened to me they would have to tear them down and start over.

Now of course this is if I understand what you are trying to do. From what I understand you are trying to resolve a host name at your router. Your computers sitting on the 10.0.0.0 network don't have any problems resolving host names. Only when you try to resolve it at the router with the ACL up is where you are having a problem? Are we on the same page? If not let me know, I've been known to go off on trips that leave me alone in the woods

david e

 

[Niall22]

David,

You are correct about what I am trying to accomplish. The reason I want my router to be able to resolve domain names to ip addresses is because our cable company changes ip our ip addresses on us occaisionly and then we have to change our router configuration. If I can use domain names instead ip addresses all my problems will be solved.

I don't know if what you think is wrong is actually my problem. If you look at the statement captured in the log (posted earlier on) it shows that the packets being denied are originating from my ISP's DNS server on port 53 and are destined for my EXTERNAL ip on port 57829. I believe the problem lies there. In my ACL I am allowing port 53 only not some higher port numbers like 57829 which are assigned randomly. I need to find a way to allow those higher port numbers which are random. Should I use a range of port numbers or just allow all traffic from my ISP's DNS servers?

 

[sobak]

Sorry I forgot that about the sho log you posted....

Try this one....

Access-list 101 permit ip host (ISP) host (router) any

of course adding in the ip address of your ISP DNS and Router. This will allow any IP Traffic from one host to another, but deny anything else from attempting to break in. I don't know if there is a better way of doing it but that is how I connect to all my routers from home (I have a static IP Address on a DSL line) It will allow me to connect to my router but if anyone else attempts a connection it will deny them. You are basically opening up a full line of communication between you and your ISP's DNS. I believe this should work, let me know and I'll lead us to a totally different part of the woods

 

[wybnormal]

And David.. you think you are alone with this?? hahahahaha... there are a good many companies that would be hating life if they suddenly lost their router "expert". I pointed out to a friend its not the CEO, CFO, CIO etc..etc.. that controls the company.. it's the geeks that make everything more or less work ;-)
MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[sobak]

wyb....

True....so very very very true....LOL

 

[Niall22]

I added this line to my ACL:

permit udp host DNS-Server eq 53 host External-IP any

This way only traffic initiated on UDP port 53 will be allowed through the firewall instead of all traffic from my DNS server... It works great now!

Thanks a bunch guys... you've been a great help.

Is it possible to change any references to IP addresses in my configuration into domain names in case the IP addresses change? I tried this in one of my ACLs but it seemed to just translate the domain name into an IP and used that instead.

 

[sobak]

GREAT!!!! I've been on Tek-tips for about 6 months now and just love it. Great forum to get answers to those tough questions.........

Happy routing

david e