DNS resolution fails on Cisco 2821

I have a Cisco 2821 Integrated Router. I have set the DNS address to our typical DNS, and when I SSH into the Cisco box I get DNS resolution, but from any machine or network plugged into the Cisco 2821 it fails. Here is my config as it is right now.

Using 9028 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname fire2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$jNZm$Ygu0e6q78RqBxDGFIFPEL1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
!
!
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
no ip bootp server
ip domain name mydomain.com
ip name-server 204.244.20.115
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-3259229249
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3259229249
 revocation-check none
 rsakeypair TP-self-signed-3259229249
!
!
crypto pki certificate chain TP-self-signed-3259229249
 certificate self-signed 01 nvram:IOS-Self-Sig#3901.cer
username support privilege 15 secret 5 *********************************
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.190.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ips sdm_ips_rule in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 204.244.11.110 255.255.255.240
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
 shutdown
!
interface FastEthernet0/1/1
 shutdown
!
interface FastEthernet0/1/2
 shutdown
!
interface FastEthernet0/1/3
 shutdown
!
interface FastEthernet0/1/4
 shutdown
!
interface FastEthernet0/1/5
 switchport access vlan 2
 shutdown
!
interface FastEthernet0/1/6
 description Office_Trusted
 switchport access vlan 2
 switchport trunk native vlan 98
!
interface FastEthernet0/1/7
 description ISL_Trunk
 switchport mode trunk
!
interface FastEthernet0/1/8
 shutdown
!
interface Vlan1
 description ISL_Trunk
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.150.1 255.255.255.0
 ip access-group 103 in
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.190.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.150.100
access-list 2 permit 192.168.190.2
access-list 2 permit 192.168.150.6
access-list 2 permit 192.168.190.0 0.0.0.255
access-list 2 permit 192.168.150.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 192.168.150.100 host 192.168.190.1 eq telnet
access-list 100 permit tcp host 192.168.150.6 host 192.168.190.1 eq telnet
access-list 100 permit tcp host 192.168.150.100 host 192.168.190.1 eq 22
access-list 100 permit tcp host 192.168.150.6 host 192.168.190.1 eq 22
access-list 100 permit tcp host 192.168.190.2 host 192.168.190.1 eq 22
access-list 100 permit tcp host 192.168.150.100 host 192.168.190.1 eq www
access-list 100 permit tcp host 192.168.150.6 host 192.168.190.1 eq www
access-list 100 permit tcp host 192.168.150.100 host 192.168.190.1 eq 443
access-list 100 permit tcp host 192.168.150.6 host 192.168.190.1 eq 443
access-list 100 permit tcp host 192.168.190.2 host 192.168.190.1 eq 443
access-list 100 permit tcp host 192.168.150.100 host 192.168.190.1 eq cmd
access-list 100 permit tcp host 192.168.150.6 host 192.168.190.1 eq cmd
access-list 100 permit tcp host 192.168.190.2 host 192.168.190.1 eq cmd
access-list 100 deny tcp any host 192.168.190.1 eq telnet
access-list 100 deny tcp any host 192.168.190.1 eq 22
access-list 100 deny tcp any host 192.168.190.1 eq www
access-list 100 deny tcp any host 192.168.190.1 eq 443
access-list 100 deny tcp any host 192.168.190.1 eq cmd
access-list 100 deny udp any host 192.168.190.1 eq snmp
access-list 100 deny ip 204.244.11.208 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 204.244.20.115 eq domain host 204.244.11.210
access-list 101 deny ip 192.168.190.0 0.0.0.255 any
access-list 101 permit icmp any host 204.244.11.210 echo-reply
access-list 101 permit icmp any host 204.244.11.210 time-exceeded
access-list 101 permit icmp any host 204.244.11.210 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host 192.168.150.100 any
access-list 102 permit ip host 192.168.150.6 any
access-list 102 permit ip host 192.168.190.2 any
access-list 102 permit ip 192.168.190.0 0.0.0.255 any
access-list 102 permit ip 192.168.150.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host 192.168.150.100 host 192.168.150.1 eq telnet
access-list 103 permit tcp host 192.168.150.6 host 192.168.150.1 eq telnet
access-list 103 permit tcp host 192.168.150.100 host 192.168.150.1 eq 22
access-list 103 permit tcp host 192.168.150.6 host 192.168.150.1 eq 22
access-list 103 permit tcp host 192.168.150.100 host 192.168.150.1 eq www
access-list 103 permit tcp host 192.168.150.6 host 192.168.150.1 eq www
access-list 103 permit tcp host 192.168.150.100 host 192.168.150.1 eq 443
access-list 103 permit tcp host 192.168.150.6 host 192.168.150.1 eq 443
access-list 103 permit tcp host 192.168.150.100 host 192.168.150.1 eq cmd
access-list 103 permit tcp host 192.168.150.6 host 192.168.150.1 eq cmd
access-list 103 deny tcp any host 192.168.150.1 eq telnet
access-list 103 deny tcp any host 192.168.150.1 eq 22
access-list 103 deny tcp any host 192.168.150.1 eq www
access-list 103 deny tcp any host 192.168.150.1 eq 443
access-list 103 deny tcp any host 192.168.150.1 eq cmd
access-list 103 deny udp any host 192.168.150.1 eq snmp
access-list 103 permit ip any any
access-list 110 remark SDM_ACL Category=1
access-list 110 permit tcp 192.0.0.0 0.255.255.255 204.0.0.0 0.255.255.255
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 113 permit tcp host 192.168.150.1 host 192.168.190.1
access-list 113 deny tcp 204.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
no cdp run
!
!
control-plane
!
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Two avenues to explore:

  1. Are the DNS queries from "any machine or network plugged into the cisco 2821", *or* the DNS replies to such hosts, being caught in one of your ACLs? That is, if you issue a bunch of DNS queries, do you see any unexpected ratcheting up of ACL counters?

  2. Can you ping/traceroute to the DNS server from one of the "any machine or network plugged into the cisco 2821" hosts? And, do so with name resolution suppressed--as in: traceroute -n 204.244.20.115

regards, Bruce Lueckenhoff


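Bruce's first avenue can be checked on paper against the posted config before touching the router. The Python below is an added example, not code from the thread: it parses the rules of the posted access-list 101 (inbound on GigabitEthernet0/1) into a small first-match evaluator and asks what happens to a DNS answer from the configured name-server 204.244.20.115 when it returns to the interface address 204.244.11.110, which is where "ip nat inside source list 1 interface GigabitEthernet0/1 overload" translates LAN clients to, and, for comparison, to 204.244.11.210, the host the ACL names. The client port 1024 is a constructed value, and wildcard masks are assumed to be contiguous.

```python
import ipaddress
# The rules of access-list 101 exactly as posted (applied "in" on GigabitEthernet0/1; remarks omitted).
ACL_101 = """
access-list 101 permit udp host 204.244.20.115 eq domain host 204.244.11.210
access-list 101 deny ip 192.168.190.0 0.0.0.255 any
access-list 101 permit icmp any host 204.244.11.210 echo-reply
access-list 101 permit icmp any host 204.244.11.210 time-exceeded
access-list 101 permit icmp any host 204.244.11.210 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
"""
PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23, "snmp": 161, "cmd": 514}  # names used in the post

def _addr(t):  # one IOS address spec (any | host A | A wildcard) -> (network, remaining tokens)
    if t[0] == "any":
        t = ["0.0.0.0", "255.255.255.255"] + t[1:]  # rewrite to the "A wildcard" form
    elif t[0] == "host":
        t = [t[1], "0.0.0.0"] + t[2:]
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(t[1]))  # wildcard -> netmask (contiguous assumed)
    return ipaddress.ip_network((t[0], str(ipaddress.ip_address(mask))), strict=False), t[2:]

def _port(t):  # optional "eq <name|number>" -> (port or None, remaining tokens)
    return (PORT_NAMES.get(t[1]) or int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                  # access-list N action proto src [eq p] dst [eq p] ...
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)            # trailing ICMP type words (echo-reply, ...) are ignored
        rules.append((t[2], t[3], src, sport, dst, dport, line.strip()))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):  # first match wins, as on IOS
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp, text in rules:
        if (p in ("ip", proto) and s in snet and d in dnet
                and (sp is None or sp == sport) and (dp is None or dp == dport)):
            return action, text
    return "deny", "implicit deny ip any any"  # IOS ends every ACL this way
RULES = parse_acl(ACL_101)

for target in ("204.244.11.110", "204.244.11.210"):  # Gi0/1 NAT address vs. the host ACL 101 names
    print(target, evaluate(RULES, "udp", "204.244.20.115", 53, target, 1024))
```

A static match ignores the temporary return-traffic openings that "ip inspect DEFAULT100 out" creates for inspected sessions, so a deny here tells you which ACL counter to watch rather than proving the drop.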
