Challenging question about DNS and NAT!! Need Help!!!


rburke

Programmer
Apr 28, 2002
426
US
Hello all,

I've run into another problem that hopefully someone can help me with. The problem is that no one from outside my network can query my DNS server that is behind my Cisco that is providing NAT. The DNS has a static private IP and I've forwarded port 53 for both TCP and UDP. This works just fine for the zone transfers to the slave DNS servers out there, but if you try to query it will time out.
I know that the query is reaching my DNS server because I see it issuing a response, but it just isn't getting back. I ran some debug commands and found that I'm getting the following errors when the DNS response tries to go back to the client (IPs changed to protect the innocent):
3w0d: ICMP: dst (22.22.22.22) host unreachable sent to 11.11.11.11
3w0d: ICMP: dst (22.22.22.22) host unreachable sent to 11.11.11.11
Where 11.11.11.11 is my WAN IP, and 22.22.22.22 is the IP of the client.

I've checked my NAT tables and they all seem to be in order. I really need to get this solved, I'd appreciate ANY help.

Thanks,

Burke
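As an added example (not from the original thread, and not the poster's setup): the outside-in check that separates the two halves of the symptom above. Zone transfers run over TCP 53 and ordinary queries over UDP 53, so a forwarded port 53 has to be probed over each transport separately. The script builds a minimal DNS query, sends it once over UDP and once over TCP, validates the reply header (QR bit set, transaction ID echoed back), and reports "timeout" or the ICMP error the kernel surfaces. The server address 11.11.11.11 and the name example.com are placeholders; reporting ICMP unreachables through a connected UDP socket is Linux behaviour and is an assumption here.

```python
# Added example, not code from the thread. Probes a NAT-forwarded port 53 from
# the outside over UDP and TCP independently and classifies the outcome.
import socket
import struct
import random
import sys

DNS_PORT = 53


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RD set, class IN) for `name`."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def check_response(query, resp):
    """Accept a reply only if it is flagged as a response and echoes the query ID."""
    hdr = parse_header(resp)
    hdr["id_matches"] = hdr["id"] == struct.unpack("!H", query[:2])[0]
    hdr["ok"] = hdr["is_response"] and hdr["id_matches"]
    return hdr


def probe_udp(server, name, timeout=3.0):
    """One UDP query: 'ok', 'timeout', or the ICMP error reported on the socket."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, DNS_PORT))  # connected socket so ICMP errors surface (Linux)
        s.send(q)
        try:
            ok = check_response(q, s.recv(4096))["ok"]
            return {"transport": "udp", "result": "ok" if ok else "bad-response"}
        except socket.timeout:
            return {"transport": "udp", "result": "timeout"}  # the symptom in the thread
        except OSError as e:  # e.g. EHOSTUNREACH from an ICMP host unreachable
            return {"transport": "udp", "result": "icmp-error", "errno": e.errno}


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_tcp(server, name, timeout=3.0):
    """One TCP query with the RFC 1035 two-byte length prefix (as zone transfers use)."""
    q = build_query(name)
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            resp = _recv_exact(s, length)
    except socket.timeout:
        return {"transport": "tcp", "result": "timeout"}
    except OSError as e:
        return {"transport": "tcp", "result": "connect-error", "errno": e.errno}
    ok = check_response(q, resp)["ok"]
    return {"transport": "tcp", "result": "ok" if ok else "bad-response"}


def diagnose(udp, tcp):
    """Reduce the two probe results to the check a NAT operator cares about."""
    if udp["result"] == "ok" and tcp["result"] == "ok":
        return "both transports answer: port 53 forwarding and the return path work"
    if tcp["result"] == "ok":
        return ("TCP 53 answers but UDP 53 does not: check the UDP static "
                "translation and the route the reply takes back to the client")
    if udp["result"] == "ok":
        return ("UDP 53 answers but TCP 53 does not: zone transfers and "
                "truncated-answer retries will fail; check the TCP static translation")
    return "neither transport answers: queries are not reaching the server or replies are not routed back"


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "11.11.11.11"  # placeholder
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"    # placeholder
    u, t = probe_udp(server, name), probe_tcp(server, name)
    print(u)
    print(t)
    print(diagnose(u, t))
```

Run it from a host outside the NAT (`python3 probe53.py 11.11.11.11 example.com`); a UDP "timeout" beside a TCP "ok" is exactly the split the thread describes, and an "icmp-error" with errno EHOSTUNREACH means the unreachable seen in the router debug is making it back to the client.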
 
Do you have a default route on your router? What about posting the config?

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Sure, here's my config. I obviously have other forwarded ports, but they work just fine. Please help me out. Thanks.

Current configuration : 3746 bytes
!
! Last configuration change at 14:23:04 CST Fri Mar 21 2003 by
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname p.gateway
!
no logging on
enable secret 5 something
!
clock timezone CST -6
clock summer-time DST date Apr 7 2002 0:00 Oct 27 2002 0:00
ip subnet-zero
no ip finger
ip name-server 24.93.35.62
ip name-server 24.93.35.63
ip name-server 24.93.40.62
ip name-server 24.93.40.63
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool J101
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 24.93.35.62 24.93.35.63
lease 0 2
!
no ip dhcp-client network-discovery
!
!
!
!
interface Ethernet0
mac-address 0001.031f.928b
ip address dhcp
ip nat outside
no cdp enable
!
interface Ethernet1
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 172.16.1.1 255.255.255.0
no fair-queue
clockrate 64000
!
interface Serial1
no ip address
shutdown
!
ip kerberos source-interface any
! list 1 is "permit any": every inside source is eligible for PAT on Ethernet0
ip nat inside source list 1 interface Ethernet0 overload
! UDP 53 forwarded to the internal DNS server (ordinary queries)
ip nat inside source static udp 10.10.10.21 53 interface Ethernet0 53
ip nat inside source static tcp 10.10.10.21 13016 interface Ethernet0 13016
ip nat inside source static tcp 10.10.10.21 13017 interface Ethernet0 13017
ip nat inside source static tcp 10.10.10.21 13018 interface Ethernet0 13018
ip nat inside source static tcp 10.10.10.21 13019 interface Ethernet0 13019
ip nat inside source static tcp 10.10.10.21 13020 interface Ethernet0 13020
ip nat inside source static tcp 10.10.10.21 13015 interface Ethernet0 13015
ip nat inside source static tcp 10.10.10.21 13014 interface Ethernet0 13014
ip nat inside source static tcp 10.10.10.21 13013 interface Ethernet0 13013
ip nat inside source static tcp 10.10.10.21 13012 interface Ethernet0 13012
ip nat inside source static tcp 10.10.10.21 13011 interface Ethernet0 13011
ip nat inside source static tcp 10.10.10.21 13010 interface Ethernet0 13010
ip nat inside source static tcp 10.10.10.21 13009 interface Ethernet0 13009
ip nat inside source static tcp 10.10.10.21 13008 interface Ethernet0 13008
ip nat inside source static tcp 10.10.10.21 80 interface Ethernet0 80
ip nat inside source static tcp 10.10.10.21 22 interface Ethernet0 22
! Telnet to the router itself (10.10.10.1) is exposed on the outside interface
ip nat inside source static tcp 10.10.10.1 23 interface Ethernet0 23
ip nat inside source static tcp 10.10.10.21 21 interface Ethernet0 21
ip nat inside source static tcp 10.10.10.21 20 interface Ethernet0 20
ip nat inside source static tcp 10.10.10.21 13005 interface Ethernet0 13005
ip nat inside source static tcp 10.10.10.21 13006 interface Ethernet0 13006
ip nat inside source static tcp 10.10.10.21 13007 interface Ethernet0 13007
! TCP 53 forwarded to the same server (zone transfers, truncated-answer retries)
ip nat inside source static tcp 10.10.10.21 53 interface Ethernet0 53
ip classless
! default route via the DHCP-addressed Ethernet0 with no next-hop address:
! the router ARPs for every external destination and depends on the upstream
! device answering proxy ARP for it
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
logging trap debugging
access-list 1 permit any
!
snmp-server engineID local <something>
! read-write SNMP community: anyone who learns it can reconfigure the router
snmp-server community something RW
snmp-server community something RO
!
line con 0
exec-timeout 60 0
logging synchronous
transport input none
line aux 0
line vty 0 4
password 7 <password>
logging synchronous
login local
!
ntp clock-period 17179994
ntp peer 129.7.1.66 prefer
end
 
Any help?
I'd really appreciate it!

Burke
 
Ok, I understand how DNS works, but my problem is with it going through NAT. Or, that people have to query my server that is behind a Cisco router doing NAT. Like I said, all the destination port forwarding is done, but when it tries to respond to the client it gives an ICMP Host Unreachable.

Did I miss something in those articles? Let me know...

Burke
 
Verify the NAT table is correct..

show ip nat translation

Verify the order of the NAT relative to the routing.

The routing has to be there first or NAT will fail. What you might try is to set up a static route that points DNS to the next hop router (gateway) instead of using the any any to E0. It's been my experience that specifying an interface doesn't always work right; specifying an IP works better in the long run.

1.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks for the responses, I've tried everything that everyone has suggested and it still isn't working. I tried specifying my default gateway as the default route, and all NAT translations seem to be ok.


Pro  Inside global     Inside local      Outside local       Outside global
---  ----------------  ----------------  ------------------  ------------------
udp  11.11.11.11:53    33.33.33.33:53    22.22.22.22:40992   22.22.22.22:40992

Where 11.11.11.11 is my WAN IP, 33.33.33.33 is the internal IP of the DNS server, and 22.22.22.22 is the client. I get the same error as in the original post, Destination Host unreachable.

If anyone has any other ideas I'd appreciate it. Also, I'm using IOS Version 12.2(1d). Is anyone else running a similar setup with an internal DNS server behind NAT and having the router forward the DNS queries to the internal IP address? If so, can you post what IOS you are using? I'm thinking it might be an IOS issue, but I'm open to suggestions. I'll see what I can do about getting a newer version, maybe 12.2(10) or 12.2(12).

Thanks again for all the continuing help,
Burke
 
I had the same problem on one of my routers. I eventually had to point all of the workstations to use a server on the internal net that was running dns, and just set it to forward. The only static translation running to that server was an entry for smtp, but it could resolve external dns requests just fine, where nothing else could, so I ended up having to just set it to do a little dns forwarding. I'm not sure what happened there, the issue really just showed up overnight, and Cisco was of no assistance in the matter either. I'm sure this doesn't help, but I thought I'd throw my experience out there.

Matt.
 