Cisco CSS1151: DNS Resolving Issue

Hi All,

I have a problem resolving DNS when my LAN is connected through a CSS 1151.

Here is the layout: Firewall -> CSS (for load balancing between web servers) -> Cisco 2950 LAN switch -> Servers

Firewall -> CSS is connected through VLAN 2

CSS -> LAN Switch is connected through VLAN 1

LAN Switch -> Servers are connected through VLAN 1

Here is the CSS ACL:

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

acl 2
  clause 10 permit tcp any destination 10.0.2.80 eq 80
  clause 20 permit tcp any destination 10.0.2.83 eq 80
  clause 30 permit any any destination 224.0.0.18
  clause 40 permit tcp any destination 10.0.0.0 255.255.255.0 eq 1433
  clause 50 permit tcp any destination 10.0.0.0 255.255.255.0 eq 1414
  clause 60 permit tcp any eq 389 destination 10.0.0.0 255.255.255.0
  clause 70 permit tcp any eq 709 destination 10.0.0.0 255.255.255.0
  clause 80 permit icmp any destination any
  clause 90 permit tcp any destination 10.0.0.0 255.255.255.0 eq 1415
  clause 100 permit tcp any destination 10.0.0.0 255.255.255.0 eq 25
  clause 110 permit tcp any destination 10.0.0.0 255.255.255.0 eq 110
  clause 120 permit tcp any destination 10.0.0.0 255.255.255.0 eq 53
  clause 130 permit tcp any destination 10.0.2.85 eq 80
  clause 140 permit udp 132.246.168.148 255.255.255.255 eq 123 destination 10.0.0.0 255.255.255.0
  clause 150 permit udp 10.0.0.9 255.255.255.255 destination 132.246.168.148 255.255.255.255 eq 123
  clause 160 permit udp 132.132.132.132 255.255.255.255 eq 123 destination 10.0.0.0 255.255.255.0
  apply circuit-(VLAN2)

So when I try to go to google.com from a server I get the following from the CSS:

CSS2# sh log sys.log
JUL 6 10:39:23 5/1 632 ACL-7: NO ACL rule match! Discarding packet
JUL 6 10:39:23 5/1 633 ACL-7: UDP SrcPort: 53 DestPort: 3273
JUL 6 10:39:23 5/1 634 ACL-7: Source: 10.0.2.1
JUL 6 10:39:23 5/1 635 ACL-7: Dest: 10.0.0.9

My internal DNS is set to forward to 10.0.2.1, which is the internal firewall. Then the firewall is set to forward to the ISP DNS. From the firewall I can resolve DNS. All other network connections are fine... I can browse the web by IP with no problems.

I added the following clause in acl 2 for VLAN 2:

clause 15 permit any any destination any

Opening everything but still no DNS resolving....

If I remove the CSS I can resolve DNS...

Does anyone have any idea?

Cheers

Hannibal


It tells you right there what the problem is...

CSS2# sh log sys.log
JUL 6 10:39:23 5/1 632 ACL-7: NO ACL rule match! Discarding packet
JUL 6 10:39:23 5/1 633 ACL-7: UDP SrcPort: 53 DestPort: 3273
JUL 6 10:39:23 5/1 634 ACL-7: Source: 10.0.2.1
JUL 6 10:39:23 5/1 635 ACL-7: Dest: 10.0.0.9

The ACL isn't allowing the reply from the firewall to the client. 'UDP SrcPort: 53 DestPort: 3273' tells you that it's a reply to a DNS query.

Chris.


Thanks Chris for your reply, but I know it's an ACL issue; however, after creating the following

acl 2 clause 10 permit any any destination any apply circuit-(VLAN2)

I'm still getting the same error.

Any idea?

Cheers

Hannibal


Whereabouts in your ACL do you think that this traffic should be permitted? From what I can tell this is DNS replies from your firewall to this host. Looking at your ACL this isn't allowed. You need to add a rule to permit this.

Chris.

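To make Chris's point concrete, here is an added example (not from the thread, not Cisco's code) that models acl 2 from Hannibal's first post as a first-match list of clauses with an implicit deny, which is the behaviour the "NO ACL rule match! Discarding packet" log line shows. It parses the clause text exactly as posted and walks the logged packet (UDP 10.0.2.1:53 -> 10.0.0.9:3273) through it. Clause 120 only permits TCP to port 53 on the servers, so the UDP reply from the firewall matches nothing. The extra clause 125 at the end is an assumption of mine written in the same pattern as the poster's clause 140; it is there to show what a permit for the reply traffic would look like in this model, not a verified CSS fix.

```python
"""Toy first-match evaluator for CSS-style ACL clauses (constructed example).
Models the clause text only; assumes first-match semantics and an implicit
deny, which the thread's "NO ACL rule match" log line indicates."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Clause:
    number: int
    proto: str                              # "any", "tcp", "udp" or "icmp"
    src: Optional[ipaddress.IPv4Network]    # None means "any"
    sport: Optional[int]                    # None means any port
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]


def _parse_addr(t, i):
    """Read 'any', 'A.B.C.D' or 'A.B.C.D M.M.M.M' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return None, i + 1
    if i + 1 < len(t) and _DOTTED.match(t[i + 1]):
        return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2
    return ipaddress.ip_network(f"{t[i]}/32"), i + 1


def _parse_port(t, i):
    """Read an optional 'eq N' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_clause(line: str) -> Clause:
    """Parse 'clause N permit PROTO SRC [eq P] destination DST [eq P]'."""
    t = line.split()
    if t[0] != "clause" or t[2] != "permit":
        raise ValueError(f"unsupported clause: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    if t[i] != "destination":
        raise ValueError(f"expected 'destination' in: {line}")
    dst, i = _parse_addr(t, i + 1)
    dport, i = _parse_port(t, i)
    return Clause(int(t[1]), t[3], src, sport, dst, dport)


def parse_acl(text: str):
    return [parse_clause(l) for l in text.strip().splitlines() if l.strip()]


def matches(c: Clause, p: Packet) -> bool:
    def addr_ok(net, ip):
        return net is None or ipaddress.ip_address(ip) in net

    def port_ok(want, have):
        return want is None or want == have

    return ((c.proto == "any" or c.proto == p.proto)
            and addr_ok(c.src, p.src) and port_ok(c.sport, p.sport)
            and addr_ok(c.dst, p.dst) and port_ok(c.dport, p.dport))


def first_match(acl, p: Packet) -> Optional[int]:
    """Return the number of the first permitting clause, or None (implicit deny)."""
    for c in sorted(acl, key=lambda c: c.number):
        if matches(c, p):
            return c.number
    return None


# acl 2 as posted in the thread (applied to circuit VLAN2).
ACL2_VLAN2 = parse_acl("""
clause 10 permit tcp any destination 10.0.2.80 eq 80
clause 20 permit tcp any destination 10.0.2.83 eq 80
clause 30 permit any any destination 224.0.0.18
clause 40 permit tcp any destination 10.0.0.0 255.255.255.0 eq 1433
clause 50 permit tcp any destination 10.0.0.0 255.255.255.0 eq 1414
clause 60 permit tcp any eq 389 destination 10.0.0.0 255.255.255.0
clause 70 permit tcp any eq 709 destination 10.0.0.0 255.255.255.0
clause 80 permit icmp any destination any
clause 90 permit tcp any destination 10.0.0.0 255.255.255.0 eq 1415
clause 100 permit tcp any destination 10.0.0.0 255.255.255.0 eq 25
clause 110 permit tcp any destination 10.0.0.0 255.255.255.0 eq 110
clause 120 permit tcp any destination 10.0.0.0 255.255.255.0 eq 53
clause 130 permit tcp any destination 10.0.2.85 eq 80
clause 140 permit udp 132.246.168.148 255.255.255.255 eq 123 destination 10.0.0.0 255.255.255.0
clause 150 permit udp 10.0.0.9 255.255.255.255 destination 132.246.168.148 255.255.255.255 eq 123
clause 160 permit udp 132.132.132.132 255.255.255.255 eq 123 destination 10.0.0.0 255.255.255.0
""")

# The packet from the sys.log excerpt: DNS reply from the firewall to the server.
DNS_REPLY = Packet("udp", "10.0.2.1", 53, "10.0.0.9", 3273)

# Assumed clause (my construction, modelled on clause 140): UDP replies from
# the firewall's resolver port 53 back into the server subnet.
FIX_CLAUSE = parse_clause(
    "clause 125 permit udp 10.0.2.1 255.255.255.255 eq 53 destination 10.0.0.0 255.255.255.0")

if __name__ == "__main__":
    print("posted acl 2 ->", first_match(ACL2_VLAN2, DNS_REPLY))          # None: discarded
    print("with clause 125 ->", first_match(ACL2_VLAN2 + [FIX_CLAUSE], DNS_REPLY))  # 125
```

The model reflects clause text only; it cannot show why a permit-all clause 15 still produced discards in the poster's setup, which the thread leaves unresolved. It does show what Chris points out: clause 120 permits TCP queries into the server subnet on port 53, while a UDP reply sourced from port 53 on 10.0.2.1 falls through every clause to the implicit deny.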

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.