Can't resolve DNS with my 806


napatech

MIS
Mar 2, 2002
4
US
I have X's on my E1 address to not publicize my router. I'm on a static IP and my workstation gets DHCP just fine and NAT works fine too. I checked all of this with DEBUG and it's working.
Here's the issue.. I'm missing something that I can't see because I'm unable to resolve DNS either from my workstation or the router, but, I can ping my default-gateway with both the router and workstation

All help is appreciated....


Current configuration : 1332 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging rate-limit console 10 except errors
enable secret 5 $1$Kly.$X3cOI5Fa04I2Gbewfl75Z/
!
ip subnet-zero
ip name-server 206.13.28.12
ip name-server 206.13.31.12
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool client
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 206.13.31.12 206.13.28.12
domain-name Pacbell.net
lease 45
!
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address XX.XXX.XXX.XXX 255.255.255.0
ip nat outside
ip tcp adjust-mss 1452
no cdp enable
!
ip default-gateway 63.194.XXX.XXX
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 63.0.0.0 255.0.0.0 63.194.XXX.XXX
ip http server
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
exec-timeout 120 0
password 7 1044080A151200
login
stopbits 1
line vty 0 4
exec-timeout 0 0
password 7 030E5A18160A33
login
!
scheduler max-task-time 5000
end
 
I have to ask! Are your browsers set up for LAN access?
Jeter@LasVegas.com
Fisher CCNA
Sprint-Data
 
A few things.. do you run DNS on the LAN? If not, then you get the name resolution from the Pacbell servers?

Also, having web services enabled on a public router is a bad idea from a security standpoint. You might want to consider disabling that item.

Your routes are a bit confusing..


ip default-gateway 63.194.XXX.XXX

ip route 63.0.0.0 255.0.0.0 63.194.XXX.XXX

Why these two lines? why not just

ip route 0.0.0.0 0.0.0.0 63.194.x.x

and then use an access list on the IN side to filter out anything that doesn't belong?

Setting default-gateway only comes into play when the router is configured as a bridge.. here is Cisco's blurb on it:
"The ip default-gateway command differs from the other two commands in that it should only be used when ip routing is disabled on the Cisco router. For instance, if the router is a host in the IP world, you can use this command to define a default gateway for it. You might also use this command when your low end Cisco router is in boot mode in order to TFTP a Cisco IOS® Software image to the router. In boot mode, the router doesn't have ip routing enabled."

This same article also gives a nice explanation about the 0.0.0.0 route..


Your DNS is broken because of the access list. At the end of every access list is a DENY ALL even if it's not specified..

so you allow ONLY IP to your network and deny everything else including UDP 53 which is DNS..

At least this is my guess at this point.. I am assuming that if you PING a site.. it works fine.. if you try to ping by NAME.. say.. PING it's broken?

What happens if you put a host file together as a test with the proper name to ip mapping? I bet it works?

Change your access list to LOG at the end and then you can read the log file to see exactly what is being passed and denied. Very useful technique.

MikeS
Find me at
"The trouble with giving up civil rights is that you never get them back"
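
A small audit of the routing and hardening points raised in the reply above, as an added example that is not part of the original thread: it reads a running-config and flags an enabled HTTP server, ip default-gateway on a router that still has IP routing enabled, a missing 0.0.0.0 default route, and a NAT outside interface with no inbound access list. The sample config is a constructed, trimmed copy of the posted one with documentation addresses in place of the masked ones; the finding names are this example's own.

```python
import re
# Constructed sample: trimmed copy of the posted config, RFC 5737 addresses
# stand in for the masked ones.
SAMPLE = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
ip default-gateway 203.0.113.1
ip nat inside source list 102 interface Ethernet1 overload
ip route 63.0.0.0 255.0.0.0 203.0.113.1
ip http server
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""

def parse_interfaces(config):
    """Map interface name -> its sub-commands; a '!' line closes the block."""
    interfaces, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith("!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def audit(config):
    """Return finding names (this example's own) for the points in the reply."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "ip http server" in lines:  # "no ip http server" does not match
        findings.append("http-server-enabled")
    routing_on = "no ip routing" not in lines  # IP routing is on by default
    if routing_on and any(l.startswith("ip default-gateway ") for l in lines):
        findings.append("default-gateway-with-routing-enabled")
    if routing_on and not any(l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in lines):
        findings.append("no-default-route")
    for name, cmds in parse_interfaces(config).items():
        filtered = any(re.match(r"ip access-group \S+ in$", c) for c in cmds)
        if "ip nat outside" in cmds and not filtered:
            findings.append(f"no-inbound-acl:{name}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```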
 
MikeS/whybenormal
I want to Thank You for the time you took to look at my posted configuration and for the lengthy response. A good point made on the "default-gateway" and I have removed it. The issue of the HTTP server was also an oversight too. I don't like the results that the HTTP interface provides (it's additive if you don't clear the configuration first) and it's almost like the CLS setup to me.
I got myself goofed up with the Access Lists for sure! Debug did show that UDP was not coming through and I thought IP would allow it!
I did make the changes you suggested and it did fix the issue. Thanks again for your polite reply.
 