
We have two Cisco 2811 routers in an HSRP configuration protecting a network with several VLANs. We have a secondary public DNS server for the contoso.com zone hidden in there, as well as the mail server mail1.contoso.com NATed outside to its dedicated public IP address. We have encountered that a DNS request launched from any network behind the router for the public address of that mail server returns the NATed private IP address. We managed to collect packets from both sides, effectively discovering that the 2811 does change IP addresses in packets coming from outside to inside, replacing an inside global IP address with the inside local IP address. This might be normal, but this process interferes with the DNS zone transfer for the protected secondary DNS server, resulting in it receiving NATed addresses instead of public ones and then serving private addresses to the Internet instead of the public IP addresses. We have failed to find the exact command to disable DNS rewrite; the one listed here (Cisco - NAT causes nslookup to return local IP) is not accepted. How should we at least avoid Cisco's interference with the DNS zone transfer? At best we'd like to disable this DNS rewrite altogether.

NAT is done as follows:

ip nat inside source static tcp 10.x.x.9 53 217.x.x.x 53 route-map RM-NAT-ISP extendable
ip nat inside source static udp 10.x.x.9 53 217.x.x.x 53 route-map RM-NAT-ISP extendable
ip nat inside source static 10.x.x.31 217.x.x.y route-map RM-NAT-VNETWORK01-EXCHANGE

DNS is NATed by a single port; the server that suffers from DNS rewriting is NATed statically with a route-map, due to the VPN present in the configuration. There was a document stating that a Cisco router should not do DNS rewrites for a static NAT with a route-map, AND should not interfere with DNS zone transfers, but we observe the contrary. IOS version info:

R1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(25b), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 12-Aug-09 11:53 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

R1 uptime is 33 weeks, 6 days, 9 hours, 55 minutes
System returned to ROM by Reload Command
System restarted at 03:43:40 GMT+3 Tue Jul 19 2016
System image file is "flash:c2800nm-adventerprisek9-mz.124-25b.bin"
<snip>
Cisco 2811 (revision 53.51) with 512000K/12288K bytes of memory.
Processor board ID FGL153312DD
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
126976K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

ip nat service ? output:

R1(config)#ip nat service ?
  H225                      H323-H225  protocol
  allow-h323-keepalive      Allow H323 KeepAlive
  allow-sip-even-rtp-ports  Allow even RTP ports for SIP
  append-ldap-search-res    Append ldap search result
  fullrange                 allocate all available port of 1 to 65535
  list                      Specify access list describing global addresses
  mgcp                      Media Gateway Control Protocol
  nbar                      nbar protocol
  ras                       H323-RAS protocol
  rtsp                      Real Time Streaming Protocol
  sip                       SIP protocol
  skinny                    skinny protocol
Vesper
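To spot the symptom described in the question (a public name answered with an inside-local address after the NAT ALG rewrote the DNS payload), here is an added example that is not part of the original post: a small Python checker that parses a DNS response and flags any A record whose address is the inside-local side of a static mapping. The STATIC_NAT values are constructed placeholders for the masked 10.x.x.x / 217.x.x.x addresses in the question, and build_response only constructs a test message.

```python
"""Flag DNS A answers that a NAT ALG has rewritten to inside-local addresses."""
import ipaddress
import struct

# Constructed inside-local -> inside-global pairs, modelled on the question's
# 'ip nat inside source static' lines (real 10.x.x.x/217.x.x.x values are masked).
STATIC_NAT = {
    "10.0.0.31": "217.0.0.2",  # placeholder for mail1 (10.x.x.31 -> 217.x.x.y)
    "10.0.0.9": "217.0.0.1",   # placeholder for the secondary DNS (10.x.x.9)
}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def a_records(msg):
    """Parse a DNS response and return its A-record answers as dotted quads."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed header length
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return answers

def rewritten_answers(msg):
    """Return (seen, expected_global) pairs for answers holding an inside-local address."""
    # A public zone must never hand out inside-local addresses; a hit is the ALG signature.
    return [(a, STATIC_NAT[a]) for a in a_records(msg) if a in STATIC_NAT]

def build_response(name, addr):
    """Constructed minimal DNS response (one question, one A answer) for testing."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
    return header + question + rr + ipaddress.IPv4Address(addr).packed
```

Run it against a captured zone-transfer or query response from the inside DNS server; any pair returned is a record the router's payload rewrite has changed from global to local.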

2 Answers

Old thread but I had the same problem and just found the answer, so here I am to share it.

On IOS-XE 16.9 I added the following two setting lines in global exec mode:

Router(config)#no ip nat service dns udp 
Router(config)#no ip nat service dns tcp
ProTofik

You should add no-payload option at the end of your ip nat inside source static mappings for DNS servers.

Peter Zhabin
  • Should this be enough? In fact, I added this option a day before asking here, but wanted to learn if it's the proper way to resolve these problems. Also, what about eliminating DNS rewrites altogether? Adding this option to all NATs breaks FTP, which is also NATed from one of the affected servers. – Vesper Mar 14 '17 at 13:53
  • This will definitely break all the protocols that need inner-address translation, including FTP. The alternative is to upgrade IOS to a newer version with NAT-PT ALG feature support (that will add those magic `no ip nat service alg` commands). I believe 12.4(24)T is the closest version to yours that has that supported, but you can use the Feature Navigator to research available options for this feature. – Peter Zhabin Mar 14 '17 at 15:04
  • For some reason, 12.4(25b) has NAT-PT ALG feature support listed, but it is nowhere to be found on the actual hardware; I've checked that. "NAT ALG support" is not listed, however; I wonder if this is the feature I need, or if it is plainly obsolete or conflicting. That's why I wonder about this. Maybe 25g will resolve this; I don't want to upgrade to 15.x due to that stupid licensing that can cause too many issues right away. – Vesper Mar 14 '17 at 15:17
  • I don't have a 2811 handy at the moment, so I can't confirm or test anything. But it boils down either to NAT ALG support, or no-payload if you keep the current scenario. – Peter Zhabin Mar 14 '17 at 16:17