
special req. for DNS server behind nat with one-to-one nat? cisco7200


epoxync (ISP), Sep 18, 2007
At work, we have a cisco 7200 vxr router with some 1-to-1 nats on it (external ip <----> internal IP)

72.243.x.x external
172.16.0.x internal

We are delegated a whole C class and only use about 8 of them. I have a dns server on host 172.16.0.6 (72.243.212.6) for names.ehome411.net . It seems like the server is working, but it won't serve out host information contained in the zone file. The config has been verified at a friend's house and a friend's business, but does not work behind our router. I am not really a cisco guy and the cisco admin here is a new CCNA and doesn't know anything about network services other than what was taught.

After talking with numerous people and verifying my config and my firewall rules, they asked me about the NAT rules. I am not sure what they meant, so I figured i would get someone to take a look at the config to see if i need to do anything else..

<-- there is the config. 1/4 of the config is old stuff that doesn't ever work, but the admin keeps it in there for some reason..

thanks!
 
if you log into the dns server and browse to


do you get the result you think you should?

at first glance it looks ok i guess you should make sure your gateway settings are good on your server as well.
 
I wasn't able to go over your config, and am not a Cisco expert by any means, but here's how I'd go about things:

ip nat inside source static tcp 172.16.0.6 53 72.243.212.6 53

This command will take any DNS traffic on your external IP and forward it to your internal server.

Next, depending on how you have ACLs/Firewall configurations, you'll need to make sure that this traffic is being allowed to pass through the router. I have a very simple setup (being on a PPPoE DSL connection), but the way I accomplish this is:

access-list x permit tcp any any eq 53

x being the access list your WAN interface is associated with.

Now, ACLs work in the order they are configured. So if there is an entry that denies this type of traffic, you will need the above entry BEFORE that. I have found no easy way to do this except by re-entering the ACL commands in the order I want them. Another easier way is to use Cisco's SDM, if installed on your router. It'll allow you to enter new entries in any order you want. I actually hate SDM, but use it only for this reason lol.

I hope this helps any!
 
No need for an acl in the router---it lets the traffic through without one. PIX would need an acl, not a router.

Burt
 
TCP 53 isn't only used for zone transfers. It's also used for DNS queries when the original reply is truncated. To allow DNS to work correctly you need to allow both UDP and TCP for DNS queries.

Chris.

Chris A.C, CCNA, CCSA
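A way to test Chris's point from a host outside the NAT: this is an added example, not code from any poster in this thread. It sends the same A query for the thread's zone over UDP and over TCP (with the 2-byte length prefix DNS-over-TCP requires) and reports, per transport, whether a reply came back and whether the TC (truncated) bit was set. Python 3 standard library only; the server address and name are the ones quoted in the thread and are assumed to be what you want to test.

```python
import socket
import struct

SERVER = "72.243.212.6"       # external address of the DNS server from the thread
QNAME = "names.ehome411.net"  # zone name from the thread

def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (RD set) for an A record (qtype 1, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return txid, QR, TC bit, rcode and answer count from a DNS message header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "ancount": an}

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise OSError("connection closed early")
        data += chunk
    return data

def query(server, name, proto, timeout=3.0):
    """Send one query over 'udp' or 'tcp'; return the parsed header, or None on no reply."""
    q = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(tcp_frame(q))
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
    except (socket.timeout, OSError):
        return None
    return parse_header(data)

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, query(SERVER, QNAME, proto))  # None means no reply got through on that transport
```

If UDP returns a header but TCP returns None (or the reverse), the router or firewall is passing only one of the two transports and the ACL or NAT rules for port 53 need to cover both.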
 
ip nat inside source list 101 interface FastEthernet0/0.10 overload
................
ip nat inside source static 172.16.0.6 72.243.212.6
..............
!
!
access-list 2 permit 72.243.212.200
access-list 101 deny ip 97.66.10.96 0.0.0.15 any
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 199 permit tcp host 172.16.0.6 any eq telnet
access-list 199 permit tcp host 172.16.0.10 any eq telnet
!

that is the relevant config I guess. I'm really confused.. this same zone config works great on 4 other computers! :( none are behind a mighty cisco though..

any recommendations?
 
Chris is correct, I shouldn't have used the term "only" instead I should have used the term "mainly".
 
oh and the IP seems to be natted fine.. I go to or something and my ip is 72.243.212.6, which is what it is supposed to be. (the router is .1)

also, I don't think I have any ACLs applied to that interface, so wouldn't there be an explicit allow all for it?

I still haven't gotten anywhere.. still searching though.
 
oh, one more thing.. I can telnet to tcp port 53.. and it looks like it is open by other means.

I can dig and it queries names.mydomain.com fine and replies with the correct external IP... but the external host I am doing the dig at doesn't get the reply
 
I would have to see a copy of the configuration and the above link no longer works
 
Why in the world do you have private ip addresses and public IP addresses on the same interface? That configuration is painful to read for sure.
 
ya reading the config is a bit of a chore lol..
if you were to clean it up a little it will help to get this sorted out..
there is a lot of config there that is associated to an interface that is shutdown..
 
hehe I tried to up a few posts.. it's not my config, I just know enough cisco to read a little of it and get me in trouble.. I'm not the cisco guy here, I just set up the services on the boxes :)
the cisco guy is fresh out of ccna and doesn't even grasp a lot of basic stuff :( ... but my boss is on my ass about this dns config so we can get it onsite.

i'll try to get with him later today and clean it up
 