cisco 1720 router dns issue

[scottie4442]

I am a Computer Network Instructor at a 2 year college. We have a lab setup here so that we can simulate a large network environment. I have the lab completely up except for the fact that it will not pass DNS info to the clients.

Ok, let me explain how the network is connected, I am going to describe just one lab area, there are 4 total but they are all doing the same thing. There is an external connection to the rest of campus, connected to this is a server, main, acting like a firewall/webserver (this is working perfectly no problems at all). The main server is connected to one side of a cisco 1720 (router0), e0, and the other side of router0, f0, is connected to a switch, unmanaged. From the switch a connection goes to the router for area 1, again a cisco 1720 named router1 port e0. The other side of the router, f0, is connected to another unmanaged switch. This switch has a server and 3 clients connected to it. This is the physical connections.

Now for the actual setup:

main server e0 - 10.x.x.x (dhcp from student network on campus)
e1 - 192.168.10.10 (connects to f0 on router0)

router0 e0 - 192.168.0.10 - connects to switch and the rest of the network
f0 - 192.168.10.1 (connects to server main)

router1 e0 - 192.168.0.11 (connects to router0 through switch)
f0 - 192.168.1.1 (connects to switch and "network 1")


problem desciption:

router0 - works fine through the main server, firewall, will ping a symbolic name fine. have access-lists setup to allow all.

router1 - will ping numeric ip address fine, but will not do dns resolution. Also has access-list that allows all.


Please let me know if you need anymore info to help with this.

To restate the problem, I am trying to figure out why the main router will not pass dns traffic from router1 through router 0 then through server main to the student network.

I do know how to work on Cisco routers and IOS, it has just been a while since I have had to set one up from scratch.

Thanks for the help

Scott Adams
Computer Networking Instructor
Southeast Arkansas College

 

[burtsbees]

On the router that does not seem to forward dns resolution, do you have "no ip domain-lookup" config'd on it, so that when there's a typo, you won't get a message like...
looking up "whoops" domain server 255.255.255.255
or whatever it says? If this command is not enabled, maybe you can go to the priv exec prompt and type a typo and see what dns server it tries to connect to to try to resolve the name. Or, ping

http://www.google.com

from the router to see if it tries to resolve the domain name. Also, does the dns not work from the router, or is it from the pc? If the result is what you have configured, I would say that it could be an acl issue.

Burt

 

[chipk]

Do you have the following on that router1 config?

ip domain-lookup
ip name-server xxx.xxx.xxx.xxx

Looks like you have two symptoms, but probably the same problem. One is that your router1 can't ping by name (but should be able to), the other is that clients beyond router1 cannot ping by name either. Am I reading that correctly?

To confirm it's not a access list or firewall blocking access, you can do a "telnet *dnsserver ip* 53" to the DNS server to see if you can get a connection on port 53. If that works, it's not a network issue, but probably a config issue with DNS or DHCP or something. If you post both configs (sanitized) then it would probably be easier to determine where the problem is.

 

[burtsbees]

Oh wait...could be an ip helper address issue, as routers by default do not forward broadcasts...

Burt

 

[chipk]

Normal DNS traffic should be unicast...if you have a name-server config'd.

 

[scottie4442]

Router0 is connected behind the firewall, server main is the firewall/etc for this network. I do have ip domain-lookup on both router0 and router1, router 0 can ping

http://www.google.com,

but router1 and the clients attached to it cannot ping anything but numeric addresses. I did an access-list 1 permit any and put it on both interfaces both in and out on both routers. I will try the telnet command and see if what results I get for it and post them here. Is there anything other info that would help here?

Scott Adams

 

[chipk]

If you're not able to telnet to your dns server on port 53, then the problem is more than likely that you're blocking that somewhere. Does your firewall have 192.168.1.0 network config'd identically to 192.168.10.0 network, i.e. do you have all the same allow statements, etc. in your acls?

If you don't have any other ACLs configured, then the "allow" access list won't be doing anything for you.

 

[scottie4442]

I ran the telnet 10.x.x.x 53 command, router0 reached the dns server fine, but router 1 said server unreachable.

Here are all the results of the show command:

router0

show run

Building configuration...



Current configuration : 1103 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router0

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$iPAe$E6efWyay.1gE8/abp/0Tq.

enable password seark

!

memory-size iomem 25

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

!

ip domain name seark.edu

ip name-server 10.0.0.1

!

ip cef

!

!

!

!

interface Ethernet0

ip address 192.168.0.10 255.255.255.0

ip access-group 1 in

ip access-group 1 out

ip nat inside

half-duplex

!

interface FastEthernet0

ip address 192.168.10.1 255.255.255.0

ip access-group 1 in

ip access-group 1 out

ip nat outside

speed auto

full-duplex

!

interface Serial0

no ip address

shutdown

!

interface Serial1

no ip address

shutdown

!

router rip

network 192.168.0.0

network 192.168.10.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.10.10

ip route 192.168.10.0 255.255.255.0 192.168.10.1

no ip http server

!

!

access-list 1 permit any

!

!

line con 0

line aux 0

line vty 0 4

password 1900hazel

login

!

end



router0#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route



Gateway of last resort is 192.168.10.10 to network 0.0.0.0



C 192.168.10.0/24 is directly connected, FastEthernet0

R 192.168.4.0/24 [120/1] via 192.168.0.14, 00:00:21, Ethernet0

C 192.168.0.0/24 is directly connected, Ethernet0

R 192.168.1.0/24 [120/1] via 192.168.0.11, 00:00:07, Ethernet0

R 192.168.2.0/24 [120/1] via 192.168.0.12, 00:00:21, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.10.10

router0#show int

Ethernet0 is up, line protocol is up

Hardware is PQUICC Ethernet, address is 0004.dd0c.d551 (bia 0004.dd0c.d551)

Internet address is 192.168.0.10/24

MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Half-duplex, 10BaseT

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 2000 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

663616 packets input, 243729921 bytes, 0 no buffer

Received 661649 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

328730 packets output, 31229714 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 babbles, 0 late collision, 24 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

FastEthernet0 is up, line protocol is up

Hardware is PQUICC_FEC, address is 0002.1761.b489 (bia 0002.1761.b489)

Internet address is 192.168.10.1/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 03:39:08, output 00:00:07, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

247 packets input, 18692 bytes

Received 10 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

330073 packets output, 35392032 bytes, 0 underruns

0 output errors, 0 collisions, 3 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Serial0 is administratively down, line protocol is down

Hardware is PowerQUICC Serial

MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation HDLC, loopback not set

Keepalive set (10 sec)

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/32 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 96 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=down DTR=down RTS=down CTS=down



Serial1 is administratively down, line protocol is down

Hardware is PowerQUICC Serial

MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation HDLC, loopback not set

Keepalive set (10 sec)

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/32 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 96 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=down DTR=down RTS=down CTS=down

router0#



router 1


show run

Building configuration...



Current configuration : 987 bytes

!

version 12.3

service config

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router1

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$P6dQ$QPFb6GuTcko3cFvR2oHaS/

!

memory-size iomem 25

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

!

ip domain name seark.edu

ip name-server 10.0.0.1

!

ip cef

!

!

!

!

interface Ethernet0

ip address 192.168.0.11 255.255.255.0

ip access-group 1 in

ip access-group 1 out

half-duplex

!

interface FastEthernet0

ip address 192.168.1.1 255.255.255.0

ip access-group 1 in

ip access-group 1 out

speed auto

full-duplex

!

no ip address

shutdown

!

interface Serial1

no ip address

shutdown

!

router rip

network 192.168.0.0

network 192.168.1.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.10.10

no ip http server

!

!

access-list 1 permit any

!

!

line con 0

line aux 0

line vty 0 4

end



router1#showip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route



Gateway of last resort is 192.168.10.10 to network 0.0.0.0



R 192.168.10.0/24 [120/1] via 192.168.0.10, 00:00:15, Ethernet0

R 192.168.4.0/24 is directly connected, FastEthernet0

C 192.168.0.0/24 is directly connected, Ethernet0

C 192.168.1.0/24 [120/1] via 192.168.0.11, 00:00:15, Ethernet0

R 192.168.2.0/24 [120/1] via 192.168.0.12, 00:00:03, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.10.10



router1#show int

Ethernet0 is up, line protocol is up

Hardware is PQUICC Ethernet, address is 0004.dd0c.d541 (bia 0004.dd0c.d541)

Internet address is 192.168.0.14/24

MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Half-duplex, 10BaseT

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:02, output 00:00:04, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 1000 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

282717 packets input, 119204618 bytes, 0 no buffer

Received 282578 broadcasts, 0 runts, 0 giants, 0 throttles

12 input errors, 0 CRC, 0 frame, 0 overrun, 12 ignored

0 input packets with dribble condition detected

79012 packets output, 7494547 bytes, 0 underruns

12 output errors, 0 collisions, 2 interface resets

0 babbles, 0 late collision, 10 deferred

12 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

FastEthernet0 is up, line protocol is up

Hardware is PQUICC_FEC, address is 0002.1761.b48f (bia 0002.1761.b48f)

Internet address is 192.168.4.1/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:11, output 00:00:06, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

8490 packets input, 1206575 bytes

Received 7009 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

77745 packets output, 8514229 bytes, 0 underruns

0 output errors, 0 collisions, 3 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Serial0 is administratively down, line protocol is down

Hardware is PowerQUICC Serial

MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation HDLC, loopback not set

Keepalive set (10 sec)

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/32 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 96 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=down DTR=down RTS=down CTS=down



Serial1 is administratively down, line protocol is down

Hardware is PowerQUICC Serial

MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation HDLC, loopback not set

Keepalive set (10 sec)

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/32 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 96 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=down DTR=down RTS=down CTS=down



router1#

 

[chipk]

For future reference, you'll want to "sanitize" your configs when posting online. You have your passwords in there, along with your domain name, whihc makes you easy to identify.

Anyway, I think the problem is not in your router configs, but that your firewall is blocking the network on router1 (192.168.1.0).

Try an extended traceroute from router1. Just type traceroute, type the target ip, specify the port 53, and just leave all the other options at default by hitting enter, like so:

switch1#traceroute
Protocol [ip]:
Target IP address: xxx.xxx.xxx.xxx
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]: 53
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.

Wherever it stops, the next "hop" is where you're getting blocked. For instance if you do this and you get a response from router0, but then times out before it hits the firewall, you'll know the blocking is happening beyond router0, and thus likely is the firewall.

 

[scottie4442]

Ok tried the traceroute, router1 will not get past the interior port on router0, in other words I get no results from tracerouter on router 1. It looks like router0 is denying all traffic except icmp.

 

[scottie4442]

Here is a rough drawing of the setup.

__________________
| | 10.x.x.x
| |___ to outside network
| main server | (student network)
| |
------------------
| 192.168.10.10
|
| FastEthernet0 - 192.168.10.1
____________
| |
| router0 |
| |
------------
|
| Ethernet0
| 192.168.0.10
.
. (and internal switch, does not effect)
.
| Ethernet0
| 192.168.0.11
___________
| |
| router1 |
| |
-----------
|
| FastEthernet0
| 192.168.1.1
.
. (connection to server
. and clients through switch)
. 192.168.1.0/24

 

[chipk]

Well, a couple things. An access list that has only a "permit any" statement is pretty useless. All it's doing is increasing the load on your processor.

In your previous post, do you get a response from router0 with the traceroute, or do you get * * * (asterisks/timeouts)?

This will make a difference. As I said, I think the traffic is getting blocked at your firewall, which you don't actually have in your drawing.?.? We need good info in order to troubleshoot this.

The picture I have in my head is this:

clients ---> l2switch ---> router1 ---> l2switch ---> router0 ---> Firewall??? ---> Internet

The other thing that's throwing me off is why you have a static route on router1:

ip route 0.0.0.0 0.0.0.0 192.168.10.10

A static route should really be pointing to the next hop IP, which on router1 would be just out eth0:

ip route 0.0.0.0 0.0.0.0 ethernet0

or the next router, which is:

ip route 0.0.0.0 0.0.0.0 192.168.0.10

I'm assuming 192.168.10.10 is your firewall? The only reason this could be working for you is that you know about this network via RIP, so you are still able to route to it, but this really isn't correct. Since your DNS is probably on the internal network, I'm thinking maybe what's happening is you're routing "past" the DNS server, and never able to hit it from hosts on "network1". I could be wrong, but I think if you change that, DNS will start working for you.

 

[helpdeskdan]

Does the traffic have a route back? How does 10.x.x.x know how to get to router 1?

 

[chipk]

It knows about it via RIP. Look at his routing table on router0, 2nd RIP route from the top:

router0#show ip route
....
Gateway of last resort is 192.168.10.10 to network 0.0.0.0

C 192.168.10.0/24 is directly connected, FastEthernet0
R 192.168.4.0/24 [120/1] via 192.168.0.14, 00:00:21, Ethernet0
C 192.168.0.0/24 is directly connected, Ethernet0
R 192.168.1.0/24 [120/1] via 192.168.0.11, 00:00:07, Ethernet0
R 192.168.2.0/24 [120/1] via 192.168.0.12, 00:00:21, Ethernet0
S* 0.0.0.0/0 [1/0] via 192.168.10.10

 

[chipk]

Looking at it again, I'm sure changing that static route on router1 will fix the problem. There's something funky with that.

 

[scottie4442]

One the traceroute question all I get is * * *. As for the routing issue, I know how to do this and yes they can all see each other, at least the ones that I have shown here, not sure about 10.x.x.x, it does work for another classroom that I have setup with a firewall and cisco router, and I did not have to get nearly as complicated as this to get it working (yes I have tried to swap the router for the other classroom with router0 but still no luck). As for the firewall, main server is the firewall, I am running Fedora Core 6 on it and have fwbuilder installed, and yes I did turn off SELinux and the built in firewall of Fedora Core. As for the 192.168.10.10 and/or 192.168.0.10 routing issue, I have tried both and neither one works. I agree that the access-list permit any is redundant, I thought 1700's default to permit any, but not in this instance.

 

[chipk]

Sorry, helpdeskdan, I misunderstood your question, and obviously gave the incorrect answer. I think you're on the right track.

Scottie - can you print the routes on the server and post them?

 

[scottie4442]

I will look into it, I know I can list the routes and save them to a file, but have to see if I can get the file off of the server, I will post it as soon as I have it.