DNS Not forwarding?

baldhead (Technical User), Apr 27, 2004
I am in the process of setting up a NAT on a 2620 and I can ping from the 2620 to google.com just fine, I can ping from my internal machine to google's IP just fine. But I can't ping from an internal machine to google.com. Somehow DNS isn't working. I can ping the external DNS server from the internal machine. What could be the issue here?

My Config file:

Code:
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
!
!
!
!
memory-size iomem 10
no ip subnet-zero
ip name-server 67.88.97.11
ip name-server 67.88.97.10
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 67.88.97.1 255.255.255.0
 ip nat outside
!
ip nat pool fourmbnat 67.88.97.1 67.88.97.1 prefix-length 24
ip nat inside source list 1 pool fourmbnat overload
ip nat inside source static tcp 192.168.0.2 3389 67.88.97.1 3389 extendable
ip nat inside source static tcp 192.168.0.10 21 67.88.97.1 21 extendable
ip nat inside source static tcp 192.168.0.10 1610 67.88.97.1 1610 extendable
ip nat inside source static tcp 192.168.0.41 4001 67.88.97.1 4001 extendable
ip nat inside source static tcp 192.168.0.40 4000 67.88.97.1 4000 extendable
ip nat inside source static tcp 192.168.0.9 80 67.88.97.1 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 67.88.97.2
ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run
!
!
line con 0
 exec-timeout 5 0

thanks
baldhead
 
I can't see any problem with your conf... Can you nslookup from the PC? Does the "show ip nat translation" command show the translation?
 
Yeah, I did a "debug ip nat detailed" command and I don't see any errors. I'm not sure what the errors will look like, but I don't see any. I'll work on it tomorrow when I'm in the office.

thanks
baldhead
 
Do the workstations get the correct DNS servers? ipconfig /all
Also I think your ip route is wrong:
ip route 0.0.0.0 0.0.0.0 67.88.97.2

Your ip address on E0/1 ends with .1, so you might want to change that and see if it works.

CCNA, CCNP..partly ;)
 
Yeah, they can ping the external DNS servers. I put in fake IPs for the route, port forwarding, and Ethernet 0/1 interface.
 
Do you have a firewall between you and the DNS servers that could be mucking this up? Is that the whole config? No ACL on the port makes me think that there must be a firewall sitting between this router and your network.
 
It looks like this:

PC----Cisco 2620----DSL Modem----Internet

I'm wondering if I need to setup an ACL to allow port 53 traffic inside. It's strange, because I can ping externally with the PC but not using the DNS name. I'm using the Cisco 2620 as the firewall.
 
That's just it, you don't have an ACL applied to any of the interfaces. The only control I see here is ACL 1, which is making sure that only IPs in the 192.168.0.0 subnet are allowed out on NAT, but other than that you're wide open. Anything at all can pass through there, and of course some of it is getting port forwarded to machines with varied services, etc.

Have you tried any other client machines? Do you have any weird MTU settings on that machine? Are there other computers on the inside of the NAT, and are they experiencing the same problem?
 
I have only tried one laptop. It's running windows 2000 and I haven't touched any of the network card settings. It's using a PCMCIA Netgear NIC. I could try another machine. Not a bad idea.

Doesn't ACL 1 automatically apply to the ethernet 0/0 interface? Should I make an ACL group and apply that to the interface? How would that look?

thanks
baldhead
 
Nope, the ACL won't auto-apply as far as anything I know. If you wanted to put an ACL on an interface it would look like ip access-group 1 in or ip access-group 1 out depending on how you wanted it to function, and you don't have anything like that. It's remotely possible that it's some wonky setting on the desk side. Give it a shot with another network PC just for grins, because the config seems to look a-okay to everyone.

You could set up an ACL on the interface, but given the config I don't think there's going to be a need in my eyes since you're really only redirecting ports. If the DNS thing can get fixed, though, the issue can always get tackled later; at this point it may muddy the waters further.
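The thread narrows the fault to either the client's resolver settings or DNS traffic not crossing the NAT. An added diagnostic (not from the thread) that separates the two: it sends a raw A query over UDP/53 straight to the name server from the router config, bypassing the Windows resolver, and parses the reply. The name server address is the thread's (which the poster says is fake) and the host name is a placeholder; substitute your own.

```python
"""Minimal DNS A-record probe: query a name server directly, bypassing the OS resolver."""
import socket
import struct

NAME_SERVER = "67.88.97.11"  # taken from the router config in the thread; substitute yours
TXID = 0x1234                # fixed transaction id, fine for a one-shot diagnostic


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a standard recursive A/IN query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name starting at `pos`."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(data: bytes, txid: int = TXID) -> list:
    """Return IPv4 answers from a response; raise on id mismatch or a non-zero RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):                      # skip the echoed question section
        pos = _skip_name(data, pos) + 4      # +4 for QTYPE/QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ips


def resolve_direct(name: str, server: str = NAME_SERVER, timeout: float = 3.0) -> list:
    """Send the query to `server` on UDP/53 and parse the reply (no OS resolver involved)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)


if __name__ == "__main__":
    # Succeeds while nslookup fails => NAT passes DNS; check the client's settings (ipconfig /all).
    print(resolve_direct("google.com"))
```

A timeout here, while pinging the same server works, points at port 53 traffic rather than the client resolver.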
 
Yeah, I found that it was laptop related. It worked right away when I tried on another laptop.

thanks for all the help
 