
DNS behind Firewall with Static NAT


xevious2k

IS-IT--Management
Nov 14, 2002
Hi Again All,

Can someone tell me what's wrong with the configuration below? I have a primary and a secondary DNS server that I am trying to put behind the firewall and when I have it with the configuration below, users can only sometimes get to their sites. I can't seem to figure out what I'm doing wrong, but then again, I'm new to this.

! Access Control List 101
!
no access-list 101
access-list 101 deny udp host 205.xxx.xxx.3 eq domain any
access-list 101 deny udp host 205.xxx.xxx.2 eq domain any
access-list 101 permit udp any host 205.xxx.xxx.2 eq domain
access-list 101 deny ip any host 205.xxx.xxx.2
access-list 101 permit udp any host 205.xxx.xxx.3 eq domain
access-list 101 deny ip any host 205.xxx.xxx.3
!
! Static NAT
!
ip nat inside source static udp 200.200.200.3 53 205.xxx.xxx.3 53 extendable
ip nat inside source static udp 200.200.200.2 53 205.xxx.xxx.2 53 extendable


Thanks for your help,
x2k
 
I'm just guessing, but shouldn't DNS be TCP... not UDP?

ip nat inside source static tcp 200.200.200.3 53 205.xxx.xxx.3 53 extendable
ip nat inside source static tcp 200.200.200.2 53 205.xxx.xxx.2 53 extendable
 
Maybe the first two lines of ACL 101 need to be relooked at?
access-list 101 deny udp host 205.xxx.xxx.3 eq domain any
access-list 101 deny udp host 205.xxx.xxx.2 eq domain any

What CCO says about extended ACLs:
Access-list extended number deny | permit protocol source
source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [established] [log]
[time-range time-range-name]

I am relooking at access-lists myself as I am trying to update mine, and I have noticed that the destination and wildcard on yours (any) are after the type of service (domain) that you wish to deny.

I hope this works for you,
Duane
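To see what the posted ACL and static NAT entries actually do to DNS traffic, the following added example (written for this thread; it is not Cisco code and not either poster's configuration) parses the subset of IOS syntax used above and walks a handful of constructed DNS flows through it. IOS reads an `eq` that follows the source address as a source-port match, so the first two lines match packets whose source port is 53, and an extended ACL ends with an implicit deny. The addresses are stand-ins: 203.0.113.2/.3 for the public addresses in place of 205.xxx.xxx.2/.3, 10.0.0.2/.3 for the inside servers, and 198.51.100.x for outside hosts. The ACL is assumed to be applied inbound on the outside interface, where it sees packets before NAT, addressed to the public addresses.

```python
"""Evaluate a subset of Cisco IOS extended-ACL and static-NAT syntax against
sample DNS flows. Added example for this thread, not Cisco's or the posters'
code. Addresses are constructed stand-ins (203.0.113.0/24 public, 10.0.0.0/24
inside, 198.51.100.0/24 outside hosts). Assumes the ACL is applied inbound on
the outside interface, i.e. it is evaluated before outside-to-inside NAT."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53}  # IOS accepts service names in place of numbers


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp" or "tcp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any source port
    dst: Optional[str]
    dport: Optional[int]


def _parse_endpoint(tokens, i):
    """Parse 'any' or 'host A.B.C.D', optionally followed by 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address spec: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return addr, port, i


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # '!' comments, 'no access-list', blank lines
        action, proto = tokens[2], tokens[3]
        src, sport, i = _parse_endpoint(tokens, 4)
        dst, dport, _ = _parse_endpoint(tokens, i)
        entries.append(AclEntry(action, proto, src, sport, dst, dport))
    return entries


def acl_lookup(entries, pkt):
    """First matching entry wins; returns (action, 1-based line) or the
    implicit deny as ('deny', 0)."""
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.src is not None and e.src != pkt.src:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dst is not None and e.dst != pkt.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", 0


def parse_static_nat(text):
    """'ip nat inside source static PROTO INSIDE IPORT GLOBAL GPORT extendable'
    -> {(proto, global_addr, global_port): (inside_addr, inside_port)}"""
    table = {}
    for line in text.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"]:
            table[(t[5], t[8], int(t[9]))] = (t[6], int(t[7]))
    return table


def nat_inbound(table, pkt):
    """Outside-to-inside translation. A port-specific static entry only maps
    that one protocol/port; any other port on the global address has no
    translation here and is not forwarded to the inside server."""
    hit = table.get((pkt.proto, pkt.dst, pkt.dport))
    if hit is None:
        return None
    return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1])


def check_flow(entries, table, pkt):
    """Return (action, acl_line, translated packet or None)."""
    action, n = acl_lookup(entries, pkt)
    if action != "permit":
        return action, n, None
    return action, n, nat_inbound(table, pkt)


# Same structure as the thread's config, with constructed addresses.
ACL = """\
! Access Control List 101
access-list 101 deny udp host 203.0.113.3 eq domain any
access-list 101 deny udp host 203.0.113.2 eq domain any
access-list 101 permit udp any host 203.0.113.2 eq domain
access-list 101 deny ip any host 203.0.113.2
access-list 101 permit udp any host 203.0.113.3 eq domain
access-list 101 deny ip any host 203.0.113.3
"""
NAT = """\
ip nat inside source static udp 10.0.0.3 53 203.0.113.3 53 extendable
ip nat inside source static udp 10.0.0.2 53 203.0.113.2 53 extendable
"""

FLOWS = {  # constructed sample packets arriving on the outside interface
    # an outside client's ordinary UDP query to the primary
    "udp query to primary": Packet("udp", "198.51.100.10", 3210, "203.0.113.2", 53),
    # the same client retrying over TCP (truncated answer or zone transfer)
    "tcp query to primary": Packet("tcp", "198.51.100.10", 40001, "203.0.113.2", 53),
    # an upstream server answering a lookup the primary sent from port 53
    "reply to server port 53": Packet("udp", "198.51.100.53", 53, "203.0.113.2", 53),
    # the same answer when the primary queried from an ephemeral port
    "reply to ephemeral port": Packet("udp", "198.51.100.53", 53, "203.0.113.2", 1027),
    # a packet from outside claiming to be the secondary itself (hits line 1)
    "spoofed source": Packet("udp", "203.0.113.3", 53, "203.0.113.2", 53),
}


def evaluate_all():
    entries, table = parse_acl(ACL), parse_static_nat(NAT)
    return {name: check_flow(entries, table, p) for name, p in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, n, inside) in evaluate_all().items():
        where = f"line {n}" if n else "implicit deny"
        target = f"{inside.dst}:{inside.dport}" if inside else "-"
        print(f"{name:26} {action:6} ({where}) -> {target}")
```

Run as-is, the evaluator admits and translates the plain UDP query and a reply addressed to port 53, while the TCP query and a reply to an ephemeral port fall through to the `deny ip any host` line, and the port-53-to-port-53 spoof is caught by line 1. Which of those flows the site needs depends on how the inside servers resolve names (which source port they query from, and whether they are forwarders or full resolvers) and on whether the router has any other NAT or inspection configured, so check the evaluator's flow list against the real servers before changing the ACL.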
 