x97steslicki -> DNS errors with NAT Client (7.Nov.2001 7:10:00 PM)

I have a DSL Line from ameritech as my external DHCP assigned IP address. I am using RAS PPPoE and it works great. On the internal network I am using the private address range 192.168.0-255. All clients are SecureNAT clients.

Here is my problem: My internal network has a windows 2000 DNS server configured with its own authoritative internal only zone, and for all external queries it is configured to use forwarders.

I configured ISA with Tom's recommended "all open" config. When I use nslookup to ask my internal DNS server to resolve an external name I get a timeout error, and I see dropped DNS packets in the packet filter log file. I thought the "all open" packet filter allowed everything, what is going on here?

Next I tried to configure outbound DNS query filters and protocol rules without the "all open" policy. I set up my filters and rules correctly because there were no dropped packets in the packet filter logs. Just to make sure I put a packet sniffer on the internal network and sure enough I see DNS queries headed out to the configured forwarder.

Next I put a sniffer on the external network. I can see DNS packets from my internal DNS server (private source address) going to my forwarder, but no replies ever come back. I checked the logs and there are no dropped packets. What could be going on? Perhaps my ISP's DNS server is dropping my packets due to the source IP being private? I thought ISA NAT was supposed to overwrite the IP and maintain a state table? I would see the external IP of my ISA server in the packet traces as the source address of the outbound packet to the ISP DNS server if NAT was working right, or am I wrong?

Also when I make requests from my ISA server via nslookup with my ISP's DNS server as the default server I get responses back. I also see inbound and outbound queries and replies in my packet sniffer network traces.

So the ISP's DNS server likes my ISA server's external public IP, but when I make a query from my internal (private IP) DNS server the ISP server does not reply, and ISA NAT does not mask the private IP with my external public IP. Man I cannot figure out what I am doing wrong here, please help.

I know others have gotten this config to work, there simply must be a way...
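A small script, added here as an example and not part of the original thread, that does mechanically what the poster did by hand with a sniffer: it flags DNS queries leaving the external interface with an RFC 1918 source address (NAT not translating) and pairs queries with responses by transaction ID to find queries that never got a reply. The trace and all addresses (internal DNS server, ISA external IP, ISP forwarder) are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample trace from the ISA external interface (placeholder addresses):
# 192.168.0.10 = internal DNS server, 203.0.113.5 = ISA external IP, 198.51.100.53 = ISP forwarder.
FORWARDER = "198.51.100.53"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class DnsPacket:
    src: str
    dst: str
    txid: int          # DNS transaction ID; a response echoes its query's ID
    is_response: bool

TRACE = [
    DnsPacket("192.168.0.10", FORWARDER, 0x1A2B, False),  # private source leaked: NAT did not rewrite it
    DnsPacket("203.0.113.5", FORWARDER, 0x3C4D, False),   # correctly translated query
    DnsPacket(FORWARDER, "203.0.113.5", 0x3C4D, True),    # and its reply
]

def is_rfc1918(addr: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 addresses (explicit check, not is_private)."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)

def untranslated_sources(trace, forwarder=FORWARDER):
    """Source addresses of queries to the forwarder that should have been NATted but were not."""
    return sorted({p.src for p in trace
                   if not p.is_response and p.dst == forwarder and is_rfc1918(p.src)})

def unanswered_queries(trace, forwarder=FORWARDER):
    """Transaction IDs of queries to the forwarder with no matching response in the trace."""
    queries = {p.txid for p in trace if not p.is_response and p.dst == forwarder}
    answers = {p.txid for p in trace if p.is_response and p.src == forwarder}
    return sorted(queries - answers)

def diagnose(trace, forwarder=FORWARDER) -> str:
    """One-line verdict: leaking private sources, translated but unanswered, or healthy."""
    leaked = untranslated_sources(trace, forwarder)
    if leaked:
        return f"NAT not translating: private sources {leaked} seen on external interface"
    if unanswered_queries(trace, forwarder):
        return "Queries translated but unanswered: check upstream filtering or MTU"
    return "DNS forwarding path looks healthy"
```

Run `diagnose(TRACE)` on the constructed trace and it reports the leaked 192.168.0.10 source; on a trace containing only the translated query and its reply it reports a healthy path.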




tshinder -> RE: DNS errors with NAT Client (8.Nov.2001 5:20:00 AM)

Hi Adam,

It should work, but all bets are off when it comes to DSL.

If you have an all open Protocol Rule, then DNS packets are allowed outbound and the responses are allowed inbound. In your packet traces on the external interface of the ISA Server, do you see the responses to the DNS queries?

Could also be an MTU problem that Win2k has with DSL lines.



x97steslicki -> RE: DNS errors with NAT Client (8.Nov.2001 5:41:00 AM)

Hi Tom,

The Max Trans Unit is not the problem, I am! I made the problem worse by overlooking the easy explanations. I needed to check the "use dial up entry for primary route" box in the properties page of my default routing rule, not just under the "network configurations" properties. As a matter of fact do I even need the network configuration use dial up entry box? Hmmm let's go see...

Well my problem is solved, I still wonder why I saw the outbound DNS packets on the external interface if the routing was not enabled. Although now I see that my ISA server is making the request on behalf of the client in the traces...

Man I love this stuff!

Have a good one and thanks for the reply.


