1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cisco 877 Router No DNS Traffic

Discussion in 'General Cisco Certifications' started by craigie, Apr 29, 2010.

  1. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    We had to failover a client today from there ASA on there main line onto a backup Cisco 877 for a branch site due to a circuit outage.

    I have configured it remotely and the VPN tunnel back to our main site has come up and they can ping external addresses e.g. 8.8.8.8 or 4.2.2.2.

    However we are unable to get any DNS resolution even if this is manually configured on a PC to use OpenDNS (208.67.222.222) rather than going across the VPN tunnel to our main site for DNS (10.29.0.3).

    When I run show ip nat translations I can see traffic being nat'd any ideas?

    Running config shown below


    Current configuration : 6225 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    no logging on
    enable password narlicweso
    !
    aaa new-model
    !
    !
    aaa authentication login userlogin local
    aaa authorization network groupauthor local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-3450236095
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3450236095
    revocation-check none
    rsakeypair TP-self-signed-3450236095
    !
    !
    crypto pki certificate chain TP-self-signed-3450236095
    certificate self-signed 01
    3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33343530 32333630 3935301E 170D3032 30333031 30303037
    31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353032
    33363039 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A034 04896B06 F492D5AC 3CECEDD6 CEAF464C FAE9746B 968B4892 501D8D14
    D169B77B 033FD3EA 74606F5D FA9BA40C 5F59865A 6B5096A7 445F54EE F4AE190F
    EE36769B 7351C194 6AA6B620 A5740EC9 D60836FF 2639B8A7 C790D45B 17451377
    CA767147 596D8EC9 EA36614D E1B71251 39798302 4FB116EA DB751CC7 DB70B509
    54230203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
    551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
    301F0603 551D2304 18301680 149FB676 B8EDABAF 4AB6E7AB E8D27E8B 5EE7C4DA
    83301D06 03551D0E 04160414 9FB676B8 EDABAF4A B6E7ABE8 D27E8B5E E7C4DA83
    300D0609 2A864886 F70D0101 04050003 8181009F A6F27F93 4F5E75F6 8898A1EB
    F84B7087 382A92E9 7D2CBF6E D858C60C EAA8E0A0 E5EBA4E9 B16FE931 FD3DC2C9
    6A999C9F D2217A07 9C2E98E3 B7F3EC56 DE6CD98A 6B17DFFF 5C093273 295DBE91
    605BFD06 100992C1 2CDC4CC7 E2DC57C5 C49C2B31 AEF245A8 A31C7390 5DA5C495
    18FACD03 93FC7D73 91171B6C 0941C22C 2EA12B
    quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.29.12.1 10.29.12.230
    !
    ip dhcp pool 0
    network 10.29.12.0 255.255.255.0
    default-router 10.29.12.10
    dns-server 10.29.0.3 10.29.0.201
    !
    !
    ip inspect tcp idle-time 86400
    ip inspect name IOSFW ftp
    ip inspect name IOSFW tcp
    ip inspect name IOSFW udp
    no ip domain lookup
    ip domain name bemco.co.uk
    ip name-server 10.29.0.3
    ip name-server 10.29.0.201
    !
    !
    !
    username xxxxxx password xxxxxx
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key xxxxxx address 87.82.229.98 no-xauth
    crypto isakmp keepalive 60
    !
    crypto isakmp client configuration group BEMUSERS
    key oy51orgr964oeh
    pool vpnpool
    !
    !
    crypto ipsec transform-set Myset esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynamicvpn 1000
    set security-association lifetime kilobytes 536870912
    set security-association lifetime seconds 86400
    set security-association idle-time 86400
    set transform-set Myset
    !
    !
    crypto map newcastle 10 ipsec-isakmp
    set peer 87.82.229.98
    set security-association lifetime kilobytes 536870912
    set security-association lifetime seconds 86400
    set security-association idle-time 86400
    set transform-set Myset
    match address 100
    crypto map newcastle 1000 ipsec-isakmp dynamic dynamicvpn
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    interface ATM0
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    timeout absolute 500 0
    atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.29.12.10 255.255.255.0
    ip access-group lantraffic in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    ip address 84.21.128.89 255.255.255.254
    ip access-group outside-in in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxxx
    ppp chap password xxxxxx
    crypto map newcastle
    !
    ip local pool vpnpool 172.31.254.1 172.31.254.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list nat interface Dialer0 overload
    !
    ip access-list extended idletime
    ip access-list extended lantraffic
    permit ip 10.29.12.0 0.0.0.255 any
    permit udp host 0.0.0.0 host 255.255.255.255
    permit ip 10.29.12.0 0.0.0.255 host 10.29.12.10
    ip access-list extended nat
    deny ip 10.29.12.0 0.0.0.255 10.29.0.0 0.0.0.255
    deny ip 10.29.12.0 0.0.0.255 172.31.254.0 0.0.0.255
    permit ip 10.29.12.0 0.0.0.255 any
    ip access-list extended outside-in
    permit icmp any any
    permit ip 10.29.0.0 0.0.0.255 10.29.12.0 0.0.0.255
    permit ip 172.31.254.0 0.0.0.255 10.29.12.0 0.0.0.255
    permit udp any eq isakmp host 84.21.128.89
    permit udp any host 84.21.128.89 eq isakmp
    permit esp any host 84.21.128.89
    permit ip host 87.85.95.131 host 84.21.128.89
    permit ip host 87.82.229.98 host 84.21.128.89
    deny ip any any log
    !
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit 10.29.12.0 0.0.0.255
    access-list 23 permit 87.85.95.0 0.0.0.255
    access-list 100 permit ip 10.29.12.0 0.0.0.255 10.29.0.0 0.0.0.255
    dialer-list 1 protocol ip permit
    snmp-server community bemco RO
    snmp-server enable traps tty
    no cdp run
    !
    !
    !
    control-plane
    !
    banner exec ^C ^C
    banner login ^No Unauthorised Access^C
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    privilege level 15
    password narlicweso
    length 0
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  2. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Think I may have found the answer being ip dns, but can't put this in place as ssh is locked down to our work IP only.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    In your config, as posted above, the internal hosts won't be able to do much at all. On your dialer interface the access-list outside-in blocks almost all return traffic. There is a bit of config for the ios firewall but there is no inspection applieda to the dialer interface. You'll need to open the access-list, or better yet configure the ios firewall to handle the inspection and control of return traffic.

    BTW you should immediately remove and change (on the router) some of the more sensitive bits in the posted config, there is far too much critical info in the clear...

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  4. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Cheers mate!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5

Share This Page

Loading...