Name resolution failing on Cisco 800 Series

1

Our ISP is currently in the middle of a major DNS outage and, as a result, name resolution through the name servers they provide is not working. I'm trying to add Google's DNS servers to our Cisco 800 Series as a stopgap, but DNS still doesn't seem to be working either from the Cisco itself or from client machines.

Pinging an IP works fine:

#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/300/780 ms

Pinging a URL does not:

#ping cisco.com
Translating "cisco.com"...domain server (203.0.178.191) (203.215.29.191) (8.8.8.8) (8.8.4.4)
% Unrecognized host or address, or protocol not running.

Running configuration (obfuscation mine):

Current configuration : 5060 bytes
!
! Last configuration change at 00:08:00 UTC Fri Apr 4 2014
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ********
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
********
!
!
********
        quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.90.254
ip dhcp excluded-address 192.168.90.1 192.168.90.31
!
ip dhcp pool ********
 import all
 network 192.168.90.0 255.255.255.0
 default-router 192.168.90.254
 dns-server 192.168.90.254
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name CBAC_out tcp
ip inspect name CBAC_out udp
ip inspect name CBAC_out icmp
ip inspect name CBAC_out dns
no ipv6 cef
!
!
license udi pid CISCO887VA-M-K9 sn FGL16052611
!
!
username root privilege 15 password 0 ********
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.90.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 description ********
 ip address negotiated
 ip access-group out_to_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect CBAC_out out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username ********@******** password 0 ********
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
interface Dialer1
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1000
!
ip dns server
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended NAT
 permit ip 192.168.90.0 0.0.0.255 any
ip access-list extended out_to_in
 remark Internet traffic coming in
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any echo
 permit udp any any eq domain
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password ********
 login
 transport input all
!
end
    
by Taz 04.04.2014 / 03:06

1 answer

1

You have an access list called out_to_in that appears to be there to filter inbound traffic from the Internet.

You should try adding permit ip host 8.8.8.8 any to your access list ip access-list extended out_to_in

    
by 04.04.2014 / 09:18
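To make the answer's reasoning concrete, here is an added worked example that is not part of the original thread: a small Python model of the out_to_in access list from the question, evaluated against constructed packets. Why does the ACL matter at all when CBAC (ip inspect CBAC_out out) is applied on Dialer0? CBAC opens return pinholes only for traffic it inspects, and by default it does not inspect traffic the router itself originates; in this configuration the router is the resolver for the LAN (the DHCP pool hands out dns-server 192.168.90.254 and ip dns server is enabled), so the DNS queries to 8.8.8.8 are router-originated and their replies are judged by out_to_in alone. The entry permit udp any any eq domain matches destination port 53, whereas a DNS reply has source port 53 and an ephemeral destination port, so it falls through to the implicit deny, while the ping reply is caught by permit icmp any any echo-reply. The public address 203.0.113.10 used for the negotiated Dialer0 IP, the ephemeral port, and the narrower alternative ACL entries are my constructed values, not from the thread; the established keyword is modelled simply as "TCP with ACK or RST set".

```python
"""Added example (not from the original post): model of the IOS extended ACL
out_to_in from the question, showing which replies from 8.8.8.8 it permits.

Semantics modelled: first matching entry wins, implicit deny at the end,
"eq" port matches, "host" source/destination, and "established" as
"TCP segment with ACK or RST set". NAT and CBAC are deliberately not modelled,
because the router's own DNS traffic is not inspected by CBAC here.
"""
from dataclasses import dataclass
from typing import List, Optional

DOMAIN = 53  # UDP/TCP port the IOS keyword "domain" stands for


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0         # L4 source port (tcp/udp only)
    dport: int = 0         # L4 destination port (tcp/udp only)
    icmp_type: str = ""    # "echo" / "echo-reply" (icmp only)
    tcp_ack: bool = False  # ACK or RST bit set -> matches "established"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: Optional[str] = None      # None = any, otherwise "host <ip>"
    dst: Optional[str] = None
    sport: Optional[int] = None    # "eq" on the source port
    dport: Optional[int] = None    # "eq" on the destination port
    icmp_type: Optional[str] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        if self.established and not p.tcp_ack:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Return the action of the first matching entry; IOS ends every ACL with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# out_to_in exactly as it appears in the question's running configuration.
OUT_TO_IN = [
    Rule("permit", "tcp", established=True),         # permit tcp any any established
    Rule("permit", "icmp", icmp_type="echo-reply"),  # permit icmp any any echo-reply
    Rule("permit", "icmp", icmp_type="echo"),        # permit icmp any any echo
    Rule("permit", "udp", dport=DOMAIN),             # permit udp any any eq domain
]

# The answer's suggestion, appended the way IOS appends a new entry without a sequence number.
OUT_TO_IN_ANSWER = OUT_TO_IN + [Rule("permit", "ip", src="8.8.8.8")]  # permit ip host 8.8.8.8 any

# A narrower alternative (my suggestion, not from the thread): admit only UDP sourced
# from port 53 on the two configured resolvers, which is what DNS replies look like.
OUT_TO_IN_NARROW = OUT_TO_IN + [
    Rule("permit", "udp", src="8.8.8.8", sport=DOMAIN),  # permit udp host 8.8.8.8 eq domain any
    Rule("permit", "udp", src="8.8.4.4", sport=DOMAIN),  # permit udp host 8.8.4.4 eq domain any
]

# Constructed packets arriving inbound on Dialer0 (203.0.113.10 stands in for the negotiated address).
DNS_REPLY = Packet("udp", src="8.8.8.8", dst="203.0.113.10", sport=DOMAIN, dport=49152)
PING_REPLY = Packet("icmp", src="8.8.8.8", dst="203.0.113.10", icmp_type="echo-reply")
UNSOLICITED_TCP = Packet("tcp", src="8.8.8.8", dst="203.0.113.10", sport=4444, dport=22)


def diagnose() -> dict:
    """Evaluate the three constructed packets against the three ACL variants."""
    return {
        "ping reply, original ACL": evaluate(OUT_TO_IN, PING_REPLY),
        "dns reply, original ACL": evaluate(OUT_TO_IN, DNS_REPLY),
        "dns reply, answer's ACL": evaluate(OUT_TO_IN_ANSWER, DNS_REPLY),
        "dns reply, narrow ACL": evaluate(OUT_TO_IN_NARROW, DNS_REPLY),
        "unsolicited tcp from 8.8.8.8, answer's ACL": evaluate(OUT_TO_IN_ANSWER, UNSOLICITED_TCP),
        "unsolicited tcp from 8.8.8.8, narrow ACL": evaluate(OUT_TO_IN_NARROW, UNSOLICITED_TCP),
    }


if __name__ == "__main__":
    for case, verdict in diagnose().items():
        print(f"{case}: {verdict}")
```

Running it shows the ping reply permitted and the DNS reply denied under the original ACL, and permitted under both amended variants. The last two cases show the difference between them: permit ip host 8.8.8.8 any also admits any new TCP connection initiated from that address, whereas the port-scoped entries admit only DNS-shaped replies, which is the check a practitioner would want before leaving the stopgap in place.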