
3620 Routing works, DNS doesn't

Status
Not open for further replies.

CyberJMC66

Technical User
Oct 26, 2000
22
US
I have a Cisco 3620 connected to an ISP connection via Ethernet so the 3620 has two Ethernet interfaces. Interface e0/0 is connected to the ISP. The 3620 is also configured as a DHCP server for the hubs/switches that are connected to e0/1.

If I connect a PC directly to the ISP Ethernet connection, configured w/IP information including DNS servers, everything works fine. If I connect the 3620 to the ISP connection, configured w/IP information and DNS servers, it routes IP fine and can ping addresses on the Internet. However, using the same DNS servers as the PC, it does not resolve names properly. I used the following commands to enable name resolution on the router:

router(config)# ip name-server x.x.x.x
router(config)# ip name-server x.x.x.x
router(config)# ip domain-lookup

(Actual IP addresses have been omitted to protect the innocent)...

Any ideas? Any troubleshooting suggestions?

Thanks!
 
Here is the interface configuration and ACLs (public Internet addresses have been changed to x.x.x.x):
========================
interface Ethernet0/0
ip address x.x.x.x 255.255.255.240
ip nat outside
half-duplex
no cdp enable
!
interface Ethernet0/1
ip address 10.13.0.1 255.255.0.0
no cdp enable
!
interface Ethernet0/1.10
encapsulation dot1Q 10
ip address 10.10.0.1 255.255.0.0
ip nat inside
no cdp enable
!
interface Ethernet0/1.11
encapsulation dot1Q 11
ip address 10.11.0.1 255.255.0.0
ip nat inside
no cdp enable
!
ip nat pool cvg-hpc-lab x.x.x.x x.x.x.x prefix-length 28
ip nat inside source list 7 pool cvg-hpc-lab
no ip classless
ip route 0.0.0.0 0.0.0.0 64.138.80.129
ip route 64.0.0.0 255.0.0.0 64.138.80.128
ip http server
!
access-list 7 permit 10.11.0.0 0.0.255.255
access-list 7 permit 10.10.0.0 0.0.255.255
no cdp run
========================

Cisco TAC is stumped also and I think a problem exists in the ISP network. But any feedback is appreciated...

Thanks :)
 
Hi.
You haven't put
ip name-server x.x.x.x
ip name-server x.x.x.x
ip domain-lookup
into the dump; I hope it is there. Try the following.
conf t
ip classless ! forwards packets that have no network default route to the best supernet route
ip route 0.0.0.0 0.0.0.0 e0/0 ! default route

By the way, what address is 64.138.80.129? Is it the interface address of your ISP?
 
Yes. The name-server, domain-lookup and classless are in the configuration as well. I only included interface configuration. The router does something else pretty peculiar.. If I type in pp and hit enter, it reloads...???
 
Will change the ip classless and try. I have tried it and it didn't help... But your point is well taken.
 
Hi.
As far as I know
ip name-server x.x.x.x
ip domain-lookup
ip route 0.0.0.0 0.0.0.0 e0/0
is sufficient for correct DNS resolution. Next idea is: I guess 64.138.80.129 is the interface address of your ISP on the same subnet with e0/0. The e0/0 netmask is 255.255.255.240, so 64.138.80.128 coincides with the subnet address and might be broadcast, and because of this you should not be able to ping all of the 64.0.0.0-64.255.255.255 address area and so on. In this case try to remove or amend the
ip route 64.0.0.0 255.0.0.0 64.138.80.128
line. Excuse me for the verbosity, it is because I don't know the whole situation.
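The subnet reasoning in the post above can be checked mechanically. The following is an added example, not part of the original thread: it parses `ip address` and `ip route` lines and classifies each static route's next hop against the connected subnets. The e0/0 address 64.138.80.130 is an assumption (the thread redacts the real one as x.x.x.x), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the thread's static routes plus an ASSUMED e0/0 address
# (64.138.80.130); the original post redacts the real one as x.x.x.x.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 64.138.80.130 255.255.255.240
!
interface Ethernet0/1.10
 ip address 10.10.0.1 255.255.0.0
!
ip route 0.0.0.0 0.0.0.0 64.138.80.129
ip route 64.0.0.0 255.0.0.0 64.138.80.128
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def connected_networks(config):
    """Return the subnets directly attached to the router's interfaces."""
    return [ipaddress.ip_interface(f"{addr}/{mask}").network
            for addr, mask in ADDR_RE.findall(config)]


def check_next_hops(config):
    """Classify each static route's next hop against the connected subnets."""
    nets = connected_networks(config)
    findings = []
    for dest, mask, hop in ROUTE_RE.findall(config):
        hop_ip = ipaddress.ip_address(hop)
        net = next((n for n in nets if hop_ip in n), None)
        if net is None:
            verdict = "not on a connected subnet"
        elif hop_ip == net.network_address:
            verdict = f"network address of {net}"
        elif hop_ip == net.broadcast_address:
            verdict = f"broadcast address of {net}"
        else:
            verdict = "ok"
        findings.append((f"{dest} {mask}", hop, verdict))
    return findings


if __name__ == "__main__":
    for route, hop, verdict in check_next_hops(SAMPLE_CONFIG):
        print(f"ip route {route} via {hop}: {verdict}")
```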
 
Problem has advanced - although not resolved - yet...

If I turn routing off (no ip routing), and set a default-gateway to the ISP router, everything works. So how would I route between VLANs on other interfaces...

Your assumptions about the network/subnet information are correct.

64.0.0.0 255.0.0.0 64.138.80.128 was added automatically.

 
This makes perfect sense.. when you turn off routing, you make the router a bridge and now you are bridging port 53 which is DNS. This port in the router world is considered to be a broadcast and therefore it's blocked by the very nature of what a router does.. makes separate broadcast domains. Turn your routing back on and use either IP-HELPER or UDP forwarding to move port 53 around on the different VLANS and ports.

NOTE!!!! The new default for the IOS is to turn OFF directed broadcasts.. this breaks a few things.. DHCP is one along with a few more.


See below for a clip from Cisco:

If a helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default:

Trivial File Transfer Protocol (TFTP) (port 69)
Domain Naming System (port 53)
Time service (port 37)
NetBIOS Name Server (port 137)
NetBIOS Datagram Server (port 138)
Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
TACACS service (port 49)
IEN-116 Name Service (port 42)

Note: Using the ip directed-broadcast interface configuration command with the optional access-list-number argument overrides the behavior of the ip forward-protocol command.



Hope this helps

Mike S

"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 