A little background:
I have a server on my LAN that is statically NAT'd to its public IP in my Cisco 871. The rest of the same local subnet is statically NAT'd to a different Public IP, in order to separate traffic. The authoritative public nameserver for my domain has all relevant and correct records for the server. Also, the information fully propagated to the rest of the world weeks ago.
The issue:
When performing nslookup of my domain from any machine on the same physical LAN as the server, regardless of subnet (I have two subnets), I get back the local IP of the server instead of its public IP. nslookup returns correct (public) IP when performed from outside of this network.
What I know so far:
I know the problem instamagically goes away once I remove the static NAT for the server (see bold line in config below). I am not using CBAC for DNS traffic or anything of that nature. My colleagues and I are seriously baffled.
Here are the relevant snippets (addresses deliberately altered) from my config:
- ip nat pool office 65.x.x.162 65.x.x.162 netmask 255.255.255.240
- ip nat pool guests 65.x.x.164 65.x.x.164 netmask 255.255.255.240
- ip nat inside source list 1 pool office overload
- ip nat inside source list 2 pool guests overload
- ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 41234
- ip nat inside source static tcp 192.168.1.69 22 interface FastEthernet4 44321
- ip nat inside source static tcp 192.168.1.12 3389 interface FastEthernet4 51234
- ip nat inside source static 192.168.1.9 65.x.x.163
- !
- access-list 1 permit 192.168.1.0 0.0.0.255
- access-list 1 deny any
- access-list 2 permit 192.168.100.0 0.0.0.255
- access-list 2 deny any
Can someone please help me understand why this is occurring?
-
You may want to post a bit of info on your DNS resolution structure. For example clients -> Server A -> ISP A. It sounds like you are creating a 'loop' when the NAT for the server is in place where the last internal DNS system that goes for resolution to an outside server is looking to your server's public IP instead of your ISP??
To clarify just a bit. When the NAT is not in place your router is providing resolution or forwarding it out to the ISP. But with the NAT, the traffic is sent back to the server itself.
BM: Does the DNS resolution structure even come into play if I am using nslookup to directly query the authoritative nameserver? I have also tried querying 4.2.2.2 and 4.2.2.3 directly as well, and get the same result.
BM: In case it is relevant, we are using opendns.org's servers for DNS resolution on all clients. The server uses my ISP's provided name servers. I have tried using different nameservers. Also, I have no local nameservers running.
From Jeff Hengesbach
It's called "DNS Doctoring" - it's trying to help you out by giving the local client the local address instead of the NAT address:
It's doing that because the IOS firewall code (much like PIX or ASA) inspects DNS by default, so to disable it issue a "no inspect dns". Presumably the IOS Firewall behavior kicks in when you start using the static NATs.
Link with PIX/ASA details on DNS Doctoring
BM: Okay, this makes a lot of sense and seems to be the cause of what I am experiencing here. But I do not see any way to disable this in my Cisco 871.
Zypher: Cisco also calls it DNS ReWriting ... In PIX/ASA it is done by adding the 'dns' keyword to the end of your static nat command. I have no idea if it is available on your 871, but I'd give it a shot.
From Geoff