Cisco 1812 - DNS Problem

This topic in the "Cisco" forum was created by Beowulf on 24 August 2010.

  1. Beowulf
    Evening,

    I have a Cisco 1812 running on an ADSL line.
    It regularly happens that DNS queries are not answered the first time.
    As soon as I try a second time, the page loads.
    I configured the router almost entirely via SDM.
    Things like ip dns server were enabled via the CLI, though.

    About the config:
    ADSL: Ethernet0, Dialer0
    VLAN1: Ethernet 2 (192.168.99.2)
    VLAN2: Ethernet 3 (192.168.98.1)
    VPN: 192.168.100.0
    VPN: 192.168.199.0
    And a few port forwards.

    Is it probably an error in the config?
    Or maybe a general problem in the firewall settings?
    Part 1
    Code:
    !This is the running config of the router: 192.168.99.2
    !----------------------------------------------------------------------------
    !version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    no aaa new-model
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    !
    crypto pki trustpoint TP-self-signed-407389489
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-407389489
     revocation-check none
     rsakeypair TP-self-signed-407389489
    !
    !
    crypto pki certificate chain TP-self-signed-407389489
     certificate self-signed 01
      3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
    xxxxxxxxxxxxx
      	quit
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    ip domain name domain.local
    ip port-map user-FTP-DATA-TCP port tcp 20 description FTP_DATA_TCP
    ip port-map user-FTP-DATA-UDP port udp 20 description FTP_DATA_UDP
    ip port-map user-cluster port tcp 8080 description cluster-8080
    ip port-map user-cluster port tcp 27 description cluster_27
    ip port-map user-cluster port tcp 10000 description cluster_10000
    ip port-map user-cluster port tcp 3611 description cluster_3611
    ip port-map user-cluster port tcp 5600 description cluster_5600
    ip port-map user-cluster port udp 93 description cluster_93_udp
    ip port-map user-cluster port tcp 93 description cluster_93_tcp
    ip port-map user-cluster port tcp 7300 description cluster_7300
    ip port-map user-torrent port tcp 33063 description torrent
    ip port-map user-eme-kran port tcp 55738 description eme-kran
    ip port-map user-eme_ipsound port udp 4444 description eme_ipsound
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username admin privilege 15 secret 5 $1$Jxxxxxxxxxx
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key phrase address vpnziel
    crypto isakmp key phrase address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-AES256-MD5 esp-aes 256 esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA2 
     match address 116
    !
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to vpnziel
     set peer vpnziel
     set transform-set ESP-3DES-SHA 
     match address 102
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
    !
    archive
     log config
      hidekeys
    !
    !
    !
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
     match access-group 104
    class-map type inspect match-any SDM_HTTPS
     match access-group name SDM_HTTPS
    class-map type inspect match-any SDM_SSH
     match access-group name SDM_SSH
    class-map type inspect match-any SDM_SHELL
     match access-group name SDM_SHELL
    class-map type inspect match-any sdm-cls-access
     match class-map SDM_HTTPS
     match class-map SDM_SSH
     match class-map SDM_SHELL
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
     match access-group 107
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
     match access-group 106
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
     match access-group 109
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
     match access-group 108
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
     match access-group 111
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
     match access-group 110
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
     match access-group 113
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
     match access-group 112
    class-map type inspect match-any SDM_AH
     match access-group name SDM_AH
    class-map type inspect match-any ping
     match protocol icmp
    class-map type inspect match-any sdm-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp extended
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-insp-traffic
     match class-map sdm-cls-insp-traffic
    class-map type inspect match-any SDM_ESP
     match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
     match protocol isakmp
     match protocol ipsec-msft
     match class-map SDM_AH
     match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
     match class-map SDM_VPN_TRAFFIC
    class-map type inspect match-any SDM-Voice-permit
     match protocol h323
     match protocol skinny
     match protocol sip
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
     match access-group 114
    class-map type inspect match-any sdm-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-any sdm-service-sdm-inspect-1
     match protocol http
    class-map type inspect match-any FTP
     match protocol ftp
     match protocol ftps
     match protocol user-FTP-DATA-TCP
     match protocol user-FTP-DATA-UDP
    class-map type inspect match-all sdm-access
     match class-map sdm-cls-access
     match access-group 101
    class-map type inspect match-all sdm-cls-sdm-permit-1
     match class-map ping
     match access-group name ping
    class-map type inspect match-any torrent
     match protocol user-torrent
    class-map type inspect match-all sdm-icmp-access
     match class-map sdm-cls-icmp-access
    class-map type inspect match-all sdm-invalid-src
     match access-group 100
    class-map type inspect match-any cluster
     match protocol user-cluster
    class-map type inspect match-any eme
     match protocol user-eme-kran
     match protocol user-eme_ipsound
    class-map type inspect match-all sdm-protocol-http
     match class-map sdm-service-sdm-inspect-1
    !
    !
    policy-map type inspect sdm-permit-icmpreply
     class type inspect sdm-icmp-access
     class class-default
      pass
    policy-map type inspect sdm-pol-VPNOutsideToInside-1
     class type inspect ping
      inspect 
     class type inspect sdm-service-sdm-inspect-1
      inspect 
     class type inspect FTP
      inspect 
     class type inspect torrent
      inspect 
     class type inspect eme
      inspect 
     class type inspect cluster
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-2
      pass
     class type inspect sdm-cls-VPNOutsideToInside-3
      pass
     class type inspect sdm-cls-VPNOutsideToInside-4
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-5
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-6
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-7
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-8
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-9
      inspect 
     class type inspect sdm-cls-VPNOutsideToInside-10
      pass
     class class-default
      drop
    policy-map type inspect sdm-inspect
     class type inspect sdm-invalid-src
      drop log
     class type inspect sdm-insp-traffic
      inspect 
     class type inspect sdm-protocol-http
      inspect 
     class type inspect FTP
      inspect 
     class type inspect torrent
      inspect 
     class type inspect eme
      inspect 
     class type inspect cluster
      inspect 
     class type inspect SDM-Voice-permit
      inspect 
     class class-default
      pass
    policy-map type inspect sdm-permit
     class type inspect SDM_VPN_PT
      pass
     class type inspect sdm-cls-sdm-permit-1
     class type inspect sdm-access
     class class-default
      drop log
    !
    zone security out-zone
    zone security in-zone
    zone-pair security sdm-zp-self-out source self destination out-zone
     service-policy type inspect sdm-permit-icmpreply
    zone-pair security sdm-zp-out-self source out-zone destination self
     service-policy type inspect sdm-permit
    zone-pair security sdm-zp-in-out source in-zone destination out-zone
     service-policy type inspect sdm-inspect
    zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-VPNOutsideToInside-1
    !
    !
    !
    
     
  2. Beowulf
    Part 2:
    Code:
    interface FastEthernet0
     description aDSL Business$ETH-WAN$
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface FastEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet2
    !
    interface FastEthernet3
     switchport access vlan 2
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.99.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1412
    !
    interface Vlan2
     ip address 192.168.98.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
    !
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname user
     ppp chap password 0 pwd
     ppp pap sent-username user password 0 pwd
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    !
    ip dns server
    ip nat inside source static tcp 192.168.99.237 21 interface Dialer0 21
    ip nat inside source static tcp 192.168.99.237 20 interface Dialer0 20
    ip nat inside source static udp 192.168.99.237 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.99.237 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.99.214 33063 interface Dialer0 33063
    ip nat inside source static tcp 192.168.99.245 8080 interface Dialer0 8080
    ip nat inside source static tcp 192.168.99.245 27 interface Dialer0 27
    ip nat inside source static tcp 192.168.99.245 10000 interface Dialer0 10000
    ip nat inside source static tcp 192.168.99.245 3611 interface Dialer0 3611
    ip nat inside source static tcp 192.168.99.245 5600 interface Dialer0 5600
    ip nat inside source static tcp 192.168.99.245 93 interface Dialer0 93
    ip nat inside source static udp 192.168.99.245 93 interface Dialer0 93
    ip nat inside source static tcp 192.168.99.245 7300 interface Dialer0 7300
    ip nat inside source static tcp 192.168.99.240 55738 interface Dialer0 55738
    ip nat inside source static udp 192.168.99.142 4444 interface Dialer0 4444
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    ip access-list extended SDM_AH
     remark SDM_ACL Category=1
     permit ahp any any
    ip access-list extended SDM_ESP
     remark SDM_ACL Category=1
     permit esp any any
    ip access-list extended SDM_HTTPS
     remark SDM_ACL Category=1
     permit tcp any any eq 443
    ip access-list extended SDM_SHELL
     remark SDM_ACL Category=1
     permit tcp any any eq cmd
    ip access-list extended SDM_SSH
     remark SDM_ACL Category=1
     permit tcp any any eq 22
    ip access-list extended ping
     remark SDM_ACL Category=128
     permit ip any any
    !
    no logging trap
    logging 192.168.99.4
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.99.0 0.0.0.255
    access-list 1 permit 192.168.98.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark SDM_ACL Category=128
    access-list 101 permit ip any any
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.99.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.98.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=128
    access-list 103 permit ip host vpnziel any
    access-list 104 remark SDM_ACL Category=0
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 105 remark SDM_ACL Category=2
    access-list 105 remark IPSec Rule
    access-list 105 deny   ip 192.168.98.0 0.0.0.255 192.168.199.0 0.0.0.255
    access-list 105 remark IPSec Rule
    access-list 105 deny   ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
    access-list 105 remark IPSec Rule
    access-list 105 deny   ip 192.168.99.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 105 permit ip 192.168.99.0 0.0.0.255 any
    access-list 105 remark IPSec Rule
    access-list 105 deny   ip 192.168.98.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 105 permit ip 192.168.98.0 0.0.0.255 any
    access-list 106 remark SDM_ACL Category=0
    access-list 106 remark IPSec Rule
    access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 107 remark SDM_ACL Category=0
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 108 remark SDM_ACL Category=0
    access-list 108 remark IPSec Rule
    access-list 108 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 109 remark SDM_ACL Category=0
    access-list 109 remark IPSec Rule
    access-list 109 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 110 remark SDM_ACL Category=0
    access-list 110 remark IPSec Rule
    access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 111 remark SDM_ACL Category=0
    access-list 111 remark IPSec Rule
    access-list 111 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 112 remark SDM_ACL Category=0
    access-list 112 remark IPSec Rule
    access-list 112 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 113 remark SDM_ACL Category=0
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 114 remark SDM_ACL Category=0
    access-list 114 remark IPSec Rule
    access-list 114 permit ip 192.168.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    access-list 114 remark IPSec Rule
    access-list 114 permit ip 192.168.100.0 0.0.0.255 192.168.98.0 0.0.0.255
    access-list 116 remark SDM_ACL Category=4
    access-list 116 remark IPSec Rule
    access-list 116 permit ip 192.168.99.0 0.0.0.255 192.168.199.0 0.0.0.255
    access-list 116 remark IPSec Rule
    access-list 116 permit ip 192.168.98.0 0.0.0.255 192.168.199.0 0.0.0.255
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 105
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    end
    
    I'm grateful for every suggestion for improvement and tip!
    Regards
     
  3. Beowulf
    After I enabled ICMP in the firewall for out-zone to self, it now works on the first try too.
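One way to write the change described in the last post, using the zone, class and policy names from the posted config. This is an added example and not part of the thread or of the poster's final config. The class-map self-to-out-inspect and the policy-map self-to-out are names made up here, and the second variant assumes the 1812's IOS release supports stateful inspection in the self zone (which is limited to TCP, UDP, ICMP and H.323); check the release notes before relying on it.

```ios
! Added example, not from the thread. All names except self-to-out-inspect
! and self-to-out come from the posted running config.
!
! Variant 1: the change the poster describes, in its minimal form.
! In the posted policy sdm-permit (zone-pair out-zone -> self) the class
! sdm-cls-sdm-permit-1 already matches ICMP (class-map "ping" plus ACL "ping"),
! but it carries no action, so ICMP to the router is not admitted and
! class-default ends in "drop log". Give that class an explicit pass:
policy-map type inspect sdm-permit
 class type inspect sdm-cls-sdm-permit-1
  pass
!
! pass is stateless: after this, any ICMP from the Internet reaches the
! router, not only replies to traffic the router sent itself.
!
! Variant 2 (assumption: self-zone inspection is supported on this release):
! inspect the router's own DNS and ICMP on the self -> out-zone pair instead.
! The inspect action keeps session state, so only the matching replies are
! admitted on the way back, and out-zone -> self stays closed apart from the
! VPN and management classes already in sdm-permit. A new policy-map is used
! rather than editing sdm-permit-icmpreply, because a class added to an
! existing policy is appended after sdm-icmp-access (icmp/tcp/udp, no
! action), which would match first. class-default stays "pass" as before.
class-map type inspect match-any self-to-out-inspect
 match protocol dns
 match protocol icmp
!
policy-map type inspect self-to-out
 class type inspect self-to-out-inspect
  inspect
 class class-default
  pass
!
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect self-to-out
!
! Either variant only affects DNS queries the router itself originates
! (ip dns server forwarding). Clients that query an external server directly
! go in-zone -> out-zone, where sdm-insp-traffic already inspects dns.
!
! Checks after the change:
!  show policy-map type inspect zone-pair sdm-zp-out-self   ! per-class hit and drop counters
!  show policy-map type inspect zone-pair sessions          ! sessions the inspect action created
!  show hosts                                               ! name servers the router forwards to
!  show logging                                             ! entries from the "drop log" class-default
```

The first variant is the one the post reports as working; the second admits less from the outside and is the one to prefer where the release supports it.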