8

We have a Cisco 1900 ISR and have recently setup a web-server at ourdomain.com. The site works perfectly, however from the LAN we cannot use ourdomain.com to access the site, instead everyone has to use the local IP address 10.1.1.xxx.

I've come to understand that its a limitation with Cisco routers. My extensive googling has turned up DNS doctoring (or DNS reply modification)

I've attempted many time to setup DNS doctoring but I just cant get it work, I believe because our ISR doesnt have the capability to peform the commands I'm trying:

object network our_server
host 10.1.1.xx
nat (inside,outside) static 50.100.100.10 dns

Is there another way to achieve DNS doctoring or otherwise access our local server using the external address?

Our network config is as follows: Modem > ISR > Switch > End Users

Our ISR is running: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)

OrangeBox
  • 183
  • 1
  • 5
  • What are you using for a DNS server inside the 10.1.1.X network? – Brett Lykins Sep 24 '13 at 01:11
  • All the machines are either manually pointing to Google DNS or pointing to the ISR which is pointing to Google :) – OrangeBox Sep 24 '13 at 01:38
  • Is this ISR providing internet access for you now? If so, please show us the interface and NAT configuration. If not, what are you using for an internet router / firewall? – Mike Pennington Sep 24 '13 at 03:17

1 Answers1

7

I've attempted many time to setup DNS doctoring but I just cant get it work, I believe because our ISR doesnt have the capability to peform the commands I'm trying

Your first problem is that you're using Cisco ASA commands on a Cisco router; you're also assuming this is a problem with your Cisco router.

In reality, this is a DNS issue that can be solved with your Cisco router; however, it's normally solved with a split-DNS

Is there another way to achieve DNS doctoring or otherwise access our local server using the external address?

Yes... Cisco calls it Network address translation (or nat)... Let's assume you have this topology...

                               +------------+
                        Fa0/0  | Cisco ISR  | Fa0/1
LAN w/ Webhost-----------------|            |-------------------
                        inside |            | outside (To ISP)
                   10.1.1.0/24 +------------+ 192.0.2.1
                                              192.0.2.2 (static translation for the webhost)

interface Fa0/0
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
interface Fa0/1
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
ip nat inside source list INSIDE_ADDRS interface FastEthernet0/1 overload
ip nat inside source static 10.1.1.50 192.0.2.2
!
ip access-list extended INSIDE_ADDRS
 permit ip 10.1.1.0 0.0.0.255 any
 deny   ip any any
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254

Assume your internal Webhost address is 10.1.1.50 and you're using 192.0.2.2 (a second address given by your ISP) for your public A-record.. Thus, when you resolve "ourdomain.com" from google's resolver, you get...

[mpenning@Bucksnort ~]$ dig +short @8.8.8.8 ourdomain.com
10.1.1.50
[mpenning@Bucksnort ~]$

Assuming Bucksnort is 10.1.1.12, if you perform debug ip nat on your router during a DNS query, you see...

Sep 23 23:12:29.132 CDT: NAT: s=10.1.1.12->192.0.2.1, d=8.8.8.8 [0]
Sep 23 23:12:29.132 CDT: NAT: DNS resource record 192.0.2.2 -> 10.1.1.50
Sep 23 23:12:29.136 CDT: NAT: s=8.8.8.8, d=192.0.2.1->10.1.1.12 [628]
Sep 23 23:12:29.140 CDT: NAT: s=10.1.1.12->192.0.2.1, d=8.8.8.8 [0]
Sep 23 23:12:29.140 CDT: NAT: DNS resource record 192.0.2.2 -> 10.1.1.50
Sep 23 23:12:29.140 CDT: NAT: s=8.8.8.8, d=192.0.2.1->10.1.1.12 [629]
Sep 23 23:12:29.144 CDT: NAT: s=10.1.1.12->192.0.2.1, d=8.8.8.8 [0]
Sep 23 23:12:29.148 CDT: NAT: DNS resource record 192.0.2.2 -> 10.1.1.50
Sep 23 23:12:29.148 CDT: NAT: s=8.8.8.8, d=192.0.2.1->10.1.1.12 [630]
Mike Pennington
  • 29,876
  • 11
  • 78
  • 152
  • Hi Mike, thank-you very much for your help. I was able to achieve the desired result using your answer. Much appreciated :) – OrangeBox Oct 15 '13 at 00:56
  • @OrangeBox, you're most welcome... good luck with your endeavors. – Mike Pennington Oct 15 '13 at 01:22
  • Hi Mike, What if that public server uses the interface public IP as the only one company has available. How can you solve this request now? – laf Oct 17 '13 at 09:43
  • @laf, you're asking about something I lab-tested while I was writing the answer. It's been almost a month, so my memory is hazy but I don't think I found a good NAT answer in that scenario... Perhaps the best you can do is a split-DNS either on a linux server or on the router itself. – Mike Pennington Oct 17 '13 at 09:51
  • Ok, I was asking you because I hit this scenario many times with no NAT_solving_success. Here was the configuration to make myself clear: ip nat inside source list INSIDE_ADDRS interface FastEthernet0/1 overload ip nat inside source static tcp 10.1.1.50 80 interface 80 – laf Oct 17 '13 at 10:01
  • @laf, I thought I tried exactly that, but I will have to test again... thanks for the suggestion! – Mike Pennington Oct 17 '13 at 12:31