Cisco 877 Router No DNS Traffic

Discussion in 'General Cisco Certifications' started by craigie, Apr 29, 2010.

  1. craigie

    craigie Terabyte Poster

    We had to fail over a client today from their ASA on their main line onto a backup Cisco 877 for a branch site due to a circuit outage.

    I have configured it remotely and the VPN tunnel back to our main site has come up and they can ping external addresses e.g. 8.8.8.8 or 4.2.2.2.

    However we are unable to get any DNS resolution even if this is manually configured on a PC to use OpenDNS (208.67.222.222) rather than going across the VPN tunnel to our main site for DNS (10.29.0.3).

    When I run show ip nat translations I can see traffic being NAT'd. Any ideas?

    Running config shown below:


    Current configuration : 6225 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    no logging on
    enable password narlicweso
    !
    aaa new-model
    !
    !
    aaa authentication login userlogin local
    aaa authorization network groupauthor local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-3450236095
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3450236095
    revocation-check none
    rsakeypair TP-self-signed-3450236095
    !
    !
    crypto pki certificate chain TP-self-signed-3450236095
    certificate self-signed 01
    quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.29.12.1 10.29.12.230
    !
    ip dhcp pool 0
    network 10.29.12.0 255.255.255.0
    default-router 10.29.12.10
    dns-server 10.29.0.3 10.29.0.201
    !
    !
    ip inspect tcp idle-time 86400
    ip inspect name IOSFW ftp
    ip inspect name IOSFW tcp
    ip inspect name IOSFW udp
    no ip domain lookup
    ip domain name bemco.co.uk
    ip name-server 10.29.0.3
    ip name-server 10.29.0.201
    !
    !
    !
    username xxxxxx password xxxxxx
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key xxxxxx address 87.82.229.98 no-xauth
    crypto isakmp keepalive 60
    !
    crypto isakmp client configuration group BEMUSERS
    key oy51orgr964oeh
    pool vpnpool
    !
    !
    crypto ipsec transform-set Myset esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynamicvpn 1000
    set security-association lifetime kilobytes 536870912
    set security-association lifetime seconds 86400
    set security-association idle-time 86400
    set transform-set Myset
    !
    !
    crypto map newcastle 10 ipsec-isakmp
    set peer 87.82.229.98
    set security-association lifetime kilobytes 536870912
    set security-association lifetime seconds 86400
    set security-association idle-time 86400
    set transform-set Myset
    match address 100
    crypto map newcastle 1000 ipsec-isakmp dynamic dynamicvpn
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    interface ATM0
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    timeout absolute 500 0
    atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.29.12.10 255.255.255.0
    ip access-group lantraffic in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    ip address 84.21.128.89 255.255.255.254
    ip access-group outside-in in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxxx
    ppp chap password xxxxxx
    crypto map newcastle
    !
    ip local pool vpnpool 172.31.254.1 172.31.254.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list nat interface Dialer0 overload
    !
    ip access-list extended idletime
    ip access-list extended lantraffic
    permit ip 10.29.12.0 0.0.0.255 any
    permit udp host 0.0.0.0 host 255.255.255.255
    permit ip 10.29.12.0 0.0.0.255 host 10.29.12.10
    ip access-list extended nat
    deny ip 10.29.12.0 0.0.0.255 10.29.0.0 0.0.0.255
    deny ip 10.29.12.0 0.0.0.255 172.31.254.0 0.0.0.255
    permit ip 10.29.12.0 0.0.0.255 any
    ip access-list extended outside-in
    permit icmp any any
    permit ip 10.29.0.0 0.0.0.255 10.29.12.0 0.0.0.255
    permit ip 172.31.254.0 0.0.0.255 10.29.12.0 0.0.0.255
    permit udp any eq isakmp host 84.21.128.89
    permit udp any host 84.21.128.89 eq isakmp
    permit esp any host 84.21.128.89
    permit ip host 87.85.95.131 host 84.21.128.89
    permit ip host 87.82.229.98 host 84.21.128.89
    deny ip any any log
    !
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit 10.29.12.0 0.0.0.255
    access-list 23 permit 87.85.95.0 0.0.0.255
    access-list 100 permit ip 10.29.12.0 0.0.0.255 10.29.0.0 0.0.0.255
    dialer-list 1 protocol ip permit
    snmp-server community bemco RO
    snmp-server enable traps tty
    no cdp run
    !
    !
    !
    control-plane
    !
    banner exec ^C ^C
    banner login ^No Unauthorised Access^C
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    privilege level 15
    password narlicweso
    length 0
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  2. craigie

    craigie Terabyte Poster

    Think I may have found the answer being ip dns, but can't put this in place as ssh is locked down to our work IP only.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    In your config, as posted above, the internal hosts won't be able to do much at all. On your dialer interface the access-list outside-in blocks almost all return traffic. There is a bit of config for the IOS firewall, but there is no inspection applied to the dialer interface. You'll need to open the access-list, or better yet configure the IOS firewall to handle the inspection and control of return traffic.

    BTW, you should immediately remove and change (on the router) some of the more sensitive bits in the posted config; there is far too much critical info in the clear...

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
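As an added illustration (not from the thread or from Cisco), the Python model below replays the posted outside-in ACL against the reply to a NAT'd DNS query and shows why pings to 8.8.8.8 come back while the OpenDNS answer is dropped at `deny ip any any log`. The `Dialer0` class and its session table are a hypothetical stand-in for what `ip inspect IOSFW out` on the dialer interface would add, and the source port 51234 is a constructed value.

```python
import ipaddress

# Constructed from the thread's "ip access-list extended outside-in", one tuple per
# line: (action, protocol, src, src port, dst, dst port); None = "any" / no port.
OUTSIDE_IN = [
    ("permit", "icmp", "0.0.0.0/0", None, "0.0.0.0/0", None),
    ("permit", "ip", "10.29.0.0/24", None, "10.29.12.0/24", None),
    ("permit", "ip", "172.31.254.0/24", None, "10.29.12.0/24", None),
    ("permit", "udp", "0.0.0.0/0", 500, "84.21.128.89/32", None),  # any eq isakmp -> router
    ("permit", "udp", "0.0.0.0/0", None, "84.21.128.89/32", 500),  # any -> router eq isakmp
    ("permit", "esp", "0.0.0.0/0", None, "84.21.128.89/32", None),
    ("permit", "ip", "87.85.95.131/32", None, "84.21.128.89/32", None),
    ("permit", "ip", "87.82.229.98/32", None, "84.21.128.89/32", None),
    ("deny", "ip", "0.0.0.0/0", None, "0.0.0.0/0", None),  # deny ip any any log
]

def acl_action(acl, proto, src, sport, dst, dport):
    """First matching entry wins, as on IOS; implicit deny if nothing matches."""
    for action, aproto, asrc, asport, adst, adport in acl:
        if aproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(asrc):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(adst):
            continue
        if asport not in (None, sport) or adport not in (None, dport):
            continue
        return action
    return "deny"

class Dialer0:
    """Hypothetical model of the WAN interface: with inspection enabled
    ('ip inspect IOSFW out'), outbound flows are recorded so that their
    replies are admitted before the static inbound ACL is consulted."""
    def __init__(self, inspect):
        self.inspect, self.sessions = inspect, set()

    def send(self, proto, src, sport, dst, dport):  # post-NAT outbound packet
        if self.inspect:
            self.sessions.add((proto, dst, dport, src, sport))  # keyed as the reply

    def receive(self, proto, src, sport, dst, dport):
        if (proto, src, sport, dst, dport) in self.sessions:
            return "permit"
        return acl_action(OUTSIDE_IN, proto, src, sport, dst, dport)

def dns_reply_verdict(inspect):
    """NAT'd query to OpenDNS from the router's public address, then its reply."""
    d = Dialer0(inspect)
    d.send("udp", "84.21.128.89", 51234, "208.67.222.222", 53)
    return d.receive("udp", "208.67.222.222", 53, "84.21.128.89", 51234)
```

Running `dns_reply_verdict(False)` reproduces the symptom in the thread (translations exist, but the answer never reaches the LAN), while `dns_reply_verdict(True)` shows the effect of adding inspection on the dialer.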
  4. craigie

    craigie Terabyte Poster

    Cheers mate!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
