Cisco – DNS Doctoring / Reply Modification on Cisco 1900 series ISR

ciscocisco-ios-15dns

We have a Cisco 1900 ISR and have recently setup a web-server at ourdomain.com.
The site works perfectly, however from the LAN we cannot use ourdomain.com to access the site, instead everyone has to use the local IP address 10.1.1.xxx.

I've come to understand that its a limitation with Cisco routers. My extensive googling has turned up DNS doctoring (or DNS reply modification)

I've attempted many time to setup DNS doctoring but I just cant get it work, I believe because our ISR doesnt have the capability to peform the commands I'm trying:

object network our_server
host 10.1.1.xx
nat (inside,outside) static 50.100.100.10 dns

Is there another way to achieve DNS doctoring or otherwise access our local server using the external address?

Our network config is as follows: Modem > ISR > Switch > End Users

Our ISR is running: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)

Best Answer

I've attempted many time to setup DNS doctoring but I just cant get it work, I believe because our ISR doesnt have the capability to peform the commands I'm trying

Your first problem is that you're using Cisco ASA commands on a Cisco router; you're also assuming this is a problem with your Cisco router.

In reality, this is a DNS issue that can be solved with your Cisco router; however, it's normally solved with a split-DNS

Is there another way to achieve DNS doctoring or otherwise access our local server using the external address?

Yes... Cisco calls it Network address translation (or nat)... Let's assume you have this topology...

                               +------------+
                        Fa0/0  | Cisco ISR  | Fa0/1
LAN w/ Webhost-----------------|            |-------------------
                        inside |            | outside (To ISP)
                   10.1.1.0/24 +------------+ 192.0.2.1
                                              192.0.2.2 (static translation for the webhost)

interface Fa0/0
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
interface Fa0/1
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
ip nat inside source list INSIDE_ADDRS interface FastEthernet0/1 overload
ip nat inside source static 10.1.1.50 192.0.2.2
!
ip access-list extended INSIDE_ADDRS
 permit ip 10.1.1.0 0.0.0.255 any
 deny   ip any any
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254

Assume your internal Webhost address is 10.1.1.50 and you're using 192.0.2.2 (a second address given by your ISP) for your public A-record.. Thus, when you resolve "ourdomain.com" from google's resolver, you get...

[mpenning@Bucksnort ~]$ dig +short @8.8.8.8 ourdomain.com
10.1.1.50
[mpenning@Bucksnort ~]$

Assuming Bucksnort is 10.1.1.12, if you perform debug ip nat on your router during a DNS query, you see...

Sep 23 23:12:29.132 CDT: NAT: s=10.1.1.12->192.0.2.1, d=8.8.8.8 [0]
Sep 23 23:12:29.132 CDT: NAT: DNS resource record 192.0.2.2 -> 10.1.1.50
Sep 23 23:12:29.136 CDT: NAT: s=8.8.8.8, d=192.0.2.1->10.1.1.12 [628]
Sep 23 23:12:29.140 CDT: NAT: s=10.1.1.12->192.0.2.1, d=8.8.8.8 [0]
Sep 23 23:12:29.140 CDT: NAT: DNS resource record 192.0.2.2 -> 10.1.1.50
Sep 23 23:12:29.140 CDT: NAT: s=8.8.8.8, d=192.0.2.1->10.1.1.12 [629]
Sep 23 23:12:29.144 CDT: NAT: s=10.1.1.12->192.0.2.1, d=8.8.8.8 [0]
Sep 23 23:12:29.148 CDT: NAT: DNS resource record 192.0.2.2 -> 10.1.1.50
Sep 23 23:12:29.148 CDT: NAT: s=8.8.8.8, d=192.0.2.1->10.1.1.12 [630]

Related Solutions

Cisco ISR G2 encrypted bandwidth restriction

You are running into one of the fun, new, restrictions of the ISR Generation 2.

I assume you have the basic "security" licensing package installed as noted by this part of the message:

securityk9 technology package license

However the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:

The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.

With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed.

A quick way to check which license you have, is to issue the following command on your router:

show license feature

This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic. Which on circuits below 100Mbps, might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.

Another handy command for troubleshooting this is:

show platform cerm-information

This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:

router-1#show platform cerm-information 
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: DISABLED

More information on this command here.

Cisco – HSRP + OSPF over tunnel interface

I would HIGHLY recommend getting rid of HSRP and using routing over the tunnels (both up all the time), whether OSPF or EIGRP. Set an inferior metric on one of the tunnels at both ends. Problem solved.

HSRP is BAD NEWS over WAN. I am struggling to see what use the HSRP is. As you're now seeing it also causes a lot of issues when overlaid on top of routing.

There is a reason they're called First Hop Redundancy Protocols in the textbook, their place is to provide redundancy for LAN client's default gateways i.e. the first hop.

Best Answer

Related Solutions

Cisco ISR G2 encrypted bandwidth restriction

Cisco – HSRP + OSPF over tunnel interface

Related Topic