Problem with DNS NAT on a Cisco 1721

[PDSI]

Hey All,

I may be barking up the wrong tree but since I am by no means an expert on Cisco i'm gonna see if this is the culprit. I have an DNS Server (WinNT 4) that is doing all of my DNS for my company. Our Internal IP address Scheme is a 192.168.1.XXX setup. The DNS Servers IP is 19.168.1.1 and the Inside router IP is 192.168.1.254 . The Problem I am having is that DNS is working beautifully internaly and I have no issues, but if someone on the outside world tries to nslookup using my server or just used my server in general they get a DNS timeout. Now i have the NAT set up for UDP port 53 and TCP port 53. On my 1605 I had prior this worked fine but since I installed and configured from scratch our new 1721 this hasnt worked. If you see any reason why this isnt working or you see some other huge mistake please by all means let me know. Thank you all in advance for any help or thoughts on this one.

Here is the Running-Config:

Building configuration...

Current configuration : 1404 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco1721
!
enable secret 5 [Hidden For Security Purposes]
enable password [Hidden For Security Purposes]
!
ip subnet-zero
!
!
!
!
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.29.229.218 255.255.255.252
ip access-group 1 in
ip access-group 1 out
ip nat outside
service-module t1 timeslots 1-24
!
ip nat pool net-2 216.29.229.218 216.29.229.218 netmask 255.255.255.252
ip nat inside source list 1 pool net-2 overload
ip nat inside source static udp 192.168.1.1 53 216.29.229.218 53 extendable
ip nat inside source static tcp 192.168.1.10 80 216.29.229.218 80 extendable
ip nat inside source static tcp 192.168.1.130 3389 216.29.229.218 69 extendable
ip nat inside source static tcp 192.168.1.2 1494 216.29.229.218 1494 extendable
ip nat inside source static tcp 192.168.1.2 3389 216.29.229.218 3389 extendable
ip nat inside source static tcp 192.168.1.130 21 216.29.229.218 21 extendable
ip nat inside source static tcp 192.168.1.1 53 216.29.229.218 53 extendable
ip classless
no ip forward-protocol udp domain
ip route 0.0.0.0 0.0.0.0 216.29.229.217
no ip http server
!
!
access-list 1 permit any
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password [Hidden For Security Purposes]
login
!
end

 

[tschouten]

You want to turn on ip forward-protocol udp domain
this is what is stopping your DNS from occuring on the outside.

Terry

 

[PDSI]

Terry,

I gave that a shot but it didn't seem to have any affect on it. Anthing else I might need to do in tandium with that?
Thanks...

Jared

 

[tschouten]

Try using the
ip debug nat detailed
see if you see any responses for DNS try and pin down where the problme is happening.

 

[marsd]

You need to make your internal dns server use a forwarder.
(I am no expert with MS dns since they take liberties with
the standard and I have seen evidence of it being unreliable and inflexible in the past)
This is simple with my *nix servers using bind:
A single line designating:
forwarders = {outside address 1; outside address 2;};

Good Luck

 

[tschouten]

I'm not too familiar with MS DNS either, from what I see in the configs it should be working properly. The ports are open and it should be forwarding them.

 

[PDSI]

The internal DNS dosn't need to use a forwarder, its not forwarding to an external DNS server for resolution. It should just work as it is and the ports are open. Its very odd. I am working on looking at the debuging to see what that has to say. I even went so far as to packet sniff the traffic and I can see the request going to the DNS server and it responding, it almost seems like the process is just taking to long, would there be a router setting that would casue a delay in network traffic flowing through the router?

 

[tschouten]

Good guess, you may want to try CEF (Cisco Express Forwarding)

 

[tschouten]

Hmmmmmmmm, thinking, try creating an ACL the permits any host eq 53 to that address and setting it up as outbound from the inside address (eth0). (Just wondering is all)

you could try your acl-1 going out on eth0 seing as it's a permit any..(you shouldn't have to do this but I'm stabbing at the air here)

 

[bierhunter]

The config looks good to me too.

But I've had similar problems in the past as well. What I had to do on one router I was working on was to eliminate the extendable static mappings and just do a full static NAT assignment to that server. Then set up an access-list to restrict what traffic can go to it. It started talking after that.

It didn't make sense, but it worked.

Good luck.