
DNS configuration


tofurkey, Technical User, Mar 16, 2009
Hi All,

I need some guidance on how to properly configure DNS on a Cisco 851w ISR. I am unable to ping a website by its name and I get the following error message: "% Unrecognized host or address, or protocol not running.". When executing a traceroute I get this error message: "% Unrecognized host or address."

I have typed in: ip name-server for both my dns servers provided by the ISP and in addition the 4.2.2.2. I have enabled ip domain-lookup and named my domain. What else do I need to get this working? Any suggestions are greatly appreciated.

Thanks,

tofurkey

Here is a readout from the command "sh ip dns view":
DNS View default parameters:
Logging is off
DNS Resolver settings:
Domain lookup is enabled
Default domain name: wing.com
Domain search list:
Lookup timeout: 3 seconds
Lookup retries: 2
Domain name-servers:
4.2.2.2
68.94.156.1
68.94.157.1
192.168.0.1
DNS Server settings:
Forwarding of queries is enabled
Forwarder addresses:
=====================================
My router's running config:
Building configuration...

Current configuration : 5573 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LANSAP
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
enable secret 5
!
no aaa new-model
clock timezone PST -8
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-2247397566
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2247397566
revocation-check none
rsakeypair TP-self-signed-2247397566
!
!
crypto pki certificate chain TP-self-signed-2247397566
certificate self-signed 01
30820247 308201B0 A0030201 02020101....
AA11E4C7 539793B5 EA7E97
quit
dot11 syslog
!
dot11 ssid GuestWLAN
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp ping packets 4
!
ip dhcp pool INTERNAL-NET
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 2
!
!
ip cef
ip inspect max-incomplete low 210
ip inspect max-incomplete high 270
ip inspect one-minute high 1875
ip inspect one-minute low 1500
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 450 block-time 0
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name wing.com
ip name-server 4.2.2.2
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
!
!
username blabla privilege 15 secret 5
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description INTERNET_WAN_PORT
ip address dhcp
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
ssid GuestWLAN
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
description GUEST WIRELESS LAN - ROUTED WLAN
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description INTERNAL NETWORK
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description BRIDGE TO INTERNAL NETWORK
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http authentication local
ip http secure-server
ip dns view default
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.21 60532 interface FastEthernet4 60532
ip nat inside source static tcp 192.168.1.21 3724 interface FastEthernet4 3724
!
ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=17
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any range 6881 6999
permit tcp any any eq 60532
permit udp any any eq 60532
permit tcp any any eq 3724
permit tcp any any range 6112 6119
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
banner motd ^C
***************************
DO NOT LOGON. SHOO!
***************************
^C
alias exec s sh ip int bri
alias exec dhcp sh ip dhcp binding
!
line con 0
exec-timeout 0 0
password 7
logging synchronous
login local
no modem enable
line aux 0
line vty 0 3
exec-timeout 0 0
password 7
logging synchronous
login local
line vty 4
exec-timeout 0 0
password 7
logging synchronous
login local
!
scheduler max-task-time 5000
end

 
First, how are you entering the ip name-server command? Like this?

router(config)#ip name-server 4.2.2.2 68.94.156.1 68.94.157.1

This is the correct way. Try just the AT&T servers, and get rid of the other two. Also, you don't have the keyword "established" at the end of the ACL statements, so what you have there is all it is letting back into the router. I would NIX that ACL altogether and build a better one. Your router supports CBAC---why not do that?

Since the WAN is getting a dhcp address, I would add the dns-server command to the dhcp pool, and also import all. That has nothing to do with your current problem. Try taking the acl off the interface and then trying it.

One more thing---you may want to adjust the mss to 1452 rather than 1460---it already is set at 1460 (default of IP MTU is 1500, so default MSS is 1460).

Burt
 
Burtsbees,

Thanks for your input. I did what you suggested and updated the flaws you pointed out.

I deleted the existing ACL and inserted line by line the new one + I got the chance to read up on some basic ACL. It's working finally. Boy, I can't wait till this Friday so I can get some pinging and tracerouting done!!

Attaching my updated running config. Please feel free to suggest more improvements or best practices. I will be eternally grateful:

Building configuration...

Current configuration : 5599 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LANSAP
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
enable secret
!
no aaa new-model
clock timezone PST -8
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-2247397566
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2247397566
revocation-check none
rsakeypair TP-self-signed-2247397566
!
!
crypto pki certificate chain TP-self-signed-2247397566
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030.......
quit
dot11 syslog
!
dot11 ssid GuestWLAN
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp ping packets 4
!
ip dhcp pool INTERNAL-NET
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 68.94.157.1
lease 2
!
!
ip cef
ip inspect max-incomplete low 210
ip inspect max-incomplete high 270
ip inspect one-minute high 1875
ip inspect one-minute low 1500
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 450 block-time 0
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name wing.com
!
!
!
username blabla privilege 15 secret
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description INTERNET_WAN_PORT
ip address dhcp
ip access-group INBOUND in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
ssid GuestWLAN
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
description GUEST WIRELESS LAN - ROUTED WLAN
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description INTERNAL NETWORK
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description BRIDGE TO INTERNAL NETWORK
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http authentication local
ip http secure-server
ip dns view default
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.21 60532 interface FastEthernet4 60532
ip nat inside source static tcp 192.168.1.21 3724 interface FastEthernet4 3724
!
ip access-list extended INBOUND
remark ALLOW BASIC STUFF - ISP DHCP, PING AND TRACEROUTE
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
remark ALLOW BLIZZARD PORTS
permit tcp any any eq 3724
permit tcp any any range 6112 6119
permit tcp any any range 6881 6999
permit tcp any any eq 60532
permit tcp any any established
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
banner motd ^C
***************************
DO NOT LOGON. SHOO!
***************************
^C
alias exec s sh ip int bri
alias exec dhcp sh ip dhcp binding
!
line con 0
exec-timeout 0 0
password 7
logging synchronous
login local
no modem enable
line aux 0
line vty 0 3
exec-timeout 0 0
password 7
logging synchronous
login local
line vty 4
exec-timeout 0 0
password 7
logging synchronous
login local
!
scheduler max-task-time 5000
end
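The line that actually made name resolution work in the revised config is "permit udp any eq domain any", added next to the "permit tcp any any established" that Burt asked for. Both were needed because the failing ping and traceroute were run on the router itself: CBAC ("ip inspect MYFW out") opens return pinholes only for sessions that transit the router, not for traffic the router originates (later IOS releases add a "router-traffic" keyword to "ip inspect name" for that purpose; check whether your release has it). So the inbound WAN ACL alone decides whether the router's own DNS replies, TCP replies and traceroute ICMP get back in. The original list also permitted the ICMP keyword "traceroute", which on IOS matches ICMP type 30 rather than the type 11 time-exceeded messages each hop sends back, which is why the revised list names "time-exceeded" and "unreachable" explicitly.

The script below is an example added by the editor, not code from the thread or from Cisco. It is a small first-match evaluator for the two ACLs posted above (the ACL lines are copied from the two running configs; the Packet type, the probe packets and their names are constructed for the example) and reports what each list does with the replies the router needs and with two packets an attacker can send that look the same to a stateless ACL: a UDP probe with source port 53, and a TCP segment with ACK set, which is what an ACK scan relies on to tell filtered ports from unfiltered ones.

```python
"""Evaluate the thread's two WAN-inbound ACLs against constructed packets.
Editor's example, not code from the thread or from Cisco. ACL lines are copied
from the two posted configs; probes are constructed. Addresses are not
evaluated because every entry in both lists uses 'any'."""
from dataclasses import dataclass

BEFORE = """
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any range 6881 6999
 permit tcp any any eq 60532
 permit udp any any eq 60532
 permit tcp any any eq 3724
 permit tcp any any range 6112 6119
"""
AFTER = """
 permit udp any eq bootps any eq bootpc
 permit udp any eq domain any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq 3724
 permit tcp any any range 6112 6119
 permit tcp any any range 6881 6999
 permit tcp any any eq 60532
 permit tcp any any established
"""
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}
ICMP_KEYWORDS = {"echo", "echo-reply", "time-exceeded", "unreachable", "traceroute"}
_port = lambda t: NAMED_PORTS.get(t) or int(t)  # named or numeric port token

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # source port (tcp/udp)
    dport: int = 0       # destination port (tcp/udp)
    icmp_type: str = ""  # ICMP keyword as IOS spells it, e.g. "echo-reply"
    ack: bool = False    # TCP ACK or RST bit set, which is all "established" tests

def _skip_addr(tok, i):
    return i + 1 if tok[i] == "any" else i + 2  # 'host A' / 'A wildcard' are 2 tokens

def _port_matcher(tok, i):
    """Compile an optional 'eq N' or 'range A B' into a predicate on a port."""
    if i < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (lambda x: x == p), i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = _port(tok[i + 1]), _port(tok[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i

def _compile(tok):
    """Turn one ACE token list into (action, predicate over a Packet)."""
    proto = tok[1]
    i = _skip_addr(tok, 2)
    sport_ok, i = _port_matcher(tok, i)
    i = _skip_addr(tok, i)
    dport_ok, i = _port_matcher(tok, i)
    rest = tok[i:]                     # trailing keywords: ICMP type, established
    icmp_type = next((t for t in rest if t in ICMP_KEYWORDS), "")
    established = "established" in rest
    def pred(p):
        if proto not in ("ip", p.proto) or (established and not p.ack):
            return False
        if proto == "icmp":
            return not icmp_type or icmp_type == p.icmp_type
        return sport_ok(p.sport) and dport_ok(p.dport)
    return tok[0], pred

def parse_acl(text):
    """Compile permit/deny lines; blank lines, the list header and remarks are skipped."""
    return [_compile(t) for t in (line.split() for line in text.splitlines())
            if len(t) > 1 and t[0] in ("permit", "deny")]

def evaluate(aces, pkt):
    """First match wins; the implicit deny at the end of every IOS ACL applies."""
    return next((action for action, pred in aces if pred(pkt)), "deny")

# Constructed probes: three replies the router's own lookup, ping and traceroute
# need, then two attacker packets that a stateless ACL cannot tell apart from them.
PROBES = {
    "dns reply to the router": Packet("udp", sport=53, dport=50123),
    "tcp reply with ack set": Packet("tcp", sport=80, dport=51000, ack=True),
    "icmp time-exceeded from a hop": Packet("icmp", icmp_type="time-exceeded"),
    "udp probe from source port 53 to snmp": Packet("udp", sport=53, dport=161),
    "tcp ack scan to port 22": Packet("tcp", sport=40000, dport=22, ack=True),
}

def verdicts(acl_text):
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in PROBES.items()}

if __name__ == "__main__":
    for label, acl in ("original Internet-inbound-ACL", BEFORE), ("updated INBOUND", AFTER):
        print(label, verdicts(acl))
```

Under the original list every probe is denied, which is the "% Unrecognized host" symptom: the router's DNS query leaves, the reply hits the implicit deny. Under the revised list the three replies pass, but so do the two attacker packets, because "permit udp any eq domain any" keys only on the source port and "established" keys only on the ACK/RST bit. Narrowing the first line to the configured name servers as sources (host 68.94.156.1 and host 68.94.157.1 instead of any) and to the router's WAN address as destination removes the source-port-53 bypass; the ACK-scan exposure is inherent to "established" and is the reason Burt points at CBAC for traffic that transits the router.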
 