[c-nsp] IOS DNS Question

Paul Stewart pauls at nexicom.net
Tue Jul 12 16:41:20 EDT 2005


Thanks... Yeah, got the customer to update their own internal DNS (which they
weren't willing to do originally and complicated matters)... They run Active
Directory (crap) and Windows DNS etc... Works fine now....:)

Paul


-----Original Message-----
From: Bruce Pinsky [mailto:bep at whack.org] 
Sent: Tuesday, July 12, 2005 4:38 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS DNS Question


Paul Stewart wrote:
| Hi everyone...
|
| I have a client that we manage a router for... here's what they need 
| (trying to find best solution)...
|
| They have a single static IP address from us that has:
|
| ip nat inside source list 102 interface Dialer0 overload
| ip nat inside source static tcp 192.168.2.4 389 interface Dialer0 389
| ip nat inside source static tcp 192.168.2.4 709 interface Dialer0 709
| ip nat inside source static tcp 192.168.2.4 829 interface Dialer0 829
| ip nat inside source static tcp 192.168.2.6 1723 interface Dialer0 1723
| ip nat inside source static tcp 192.168.2.4 3389 interface Dialer0 3389
| ip nat inside source static tcp 192.168.2.4 80 interface Dialer0 80
| ip nat inside source static tcp 192.168.2.4 21 interface Dialer0 21
|
| for NAT translations.  The outside world knows their site by a domain 
| name http://www.123.com for example and this works fine from outside 
| world.  From internally, they can't surf this site by domain name 
| because it resolves to their public IP and NAT won't send them "back 
| in" to their network... is there a way around this?
|
| One suggestion I had from a person at Networkers was to turn up DNS on 
| the router.  I'm told that the DNS server on the router is smart 
| enough to provide the internal IP to users who are on the NAT'ed side 
| of the network??
|
| Any ideas would be great.. this customer is bugging me for answers.... 
| our last resort is to set up a DNS server on a linux box on our side 
| and have their internal network use it.... the customer refuses to 
| make changes to their already existing internal active directory DNS 
| server which could easily solve this problem...
|

What is their DNS server?  You could run a split view BIND server where
inside source addresses are provided one answer and outside source addresses
are provided a different answer.

See section 4.3 Split DNS at
http://www.nominum.com/content/documents/bind9arm.pdf

--
=========
bep

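As an added illustration of the split-view BIND setup Bruce describes (not code from the original thread): LAN clients asking for www.123.com get the inside address 192.168.2.4, the host the static NAT entries forward port 80 to, while everyone else gets the public address. The public IP 203.0.113.10, the zone file paths and the SOA/NS values are assumed placeholders.

```conf
// named.conf fragment: BIND 9 split DNS with views (constructed example).
// BIND uses the FIRST view whose match-clients matches the query source,
// so the internal view must come before the catch-all external one.
acl lan { 192.168.2.0/24; 127.0.0.1; };

view "internal" {
    match-clients { lan; };
    recursion yes;          // LAN hosts may use this box as their resolver
    zone "123.com" {
        type master;
        file "/etc/bind/db.123.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // do not act as an open resolver for the Internet
    zone "123.com" {
        type master;
        file "/etc/bind/db.123.com.external";
    };
};

; --- /etc/bind/db.123.com.internal : answers seen only by the LAN ---
$TTL 300
@     IN SOA ns1.123.com. hostmaster.123.com. (
              2005071201 3600 900 604800 300 )
      IN NS  ns1.123.com.
ns1   IN A   192.168.2.4
www   IN A   192.168.2.4     ; inside address of the web server (port 80 NAT target)

; --- /etc/bind/db.123.com.external : answers seen by everyone else ---
$TTL 300
@     IN SOA ns1.123.com. hostmaster.123.com. (
              2005071201 3600 900 604800 300 )
      IN NS  ns1.123.com.
ns1   IN A   203.0.113.10
www   IN A   203.0.113.10    ; placeholder for the public IP on Dialer0
```

Check it from both sides with `dig @<server> www.123.com A`: a LAN client should get 192.168.2.4 and an outside client 203.0.113.10. Bump both serials together whenever either zone changes, or the two views drift apart.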
