Wireless Access

  • 1.  Role to redirect DNS to a different server?

    Posted 22 days ago

    Hi there,

    I'm trying to get a role to redirect all queries to 10.0.0.1 port 53 to 1.1.1.1 port 53.

    I was able to get the traffic to go to the 1.1.1.1 server by using dst-nat, and can see at the edge firewall the responses going back to the client.

    But then the answers are not being received by the client and DNS queries are failing.

    The config I used:

    ip access-list session redirect-dns
      user host 10.0.0.1 udp 53 53 dst-nat ip 1.1.1.1 53
    !

    Any idea why it does not work, and how to make it work?

    Thanks



  • 2.  RE: Role to redirect DNS to a different server?

    Posted 21 days ago

    I used AOS10 for the gateways and my DNS redirection worked fine with this rule. The device (10.10.31.31) is put into this IoT-Lab user-role.

    Note that I am using "svc-dns".

    =============================

    ip access-list session dns-redirect
        user host 192.168.1.131 svc-dns dst-nat ip 1.1.1.1
    !
    user-role IoT-Lab
        vlan 31
        access-list session global-sacl
        access-list session apprf-iot-lab-sacl
        access-list session dns-redirect
        access-list session allowall

    ============================Note flag "n" is for dest nat==============

    (AOS10_gwy1) #show datapath session table | include 10.10.31.31
    10.10.31.31       192.168.1.131   17   53852 53    0/0      6    48  1   tunnel 9    e    2          112        FNCI            6        673 /0   /0    80001
    1.1.1.1           10.10.31.31     17   53    52137 0/0      0    0   2   tunnel 9    14   2          318        FSI             6        0   /0   /0    0



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
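A quick way to read a "show datapath session table" dump the way the post above does by eye: an added example (not Aruba's code and not from either poster) that parses the two quoted rows and checks that the client's DNS flow carries the dest-NAT flag "N" and that a reply from the real server exists and carries the source-NAT flag "S". It assumes the first five columns are source, destination, protocol, source port and destination port, and that the Flags column is the first all-capitals token.

```python
import re
from dataclasses import dataclass
from typing import List

# The two session rows quoted in the post above, reused as sample input
# (the real command also prints a column header, omitted here).
SAMPLE = """\
10.10.31.31       192.168.1.131   17   53852 53    0/0      6    48  1   tunnel 9    e    2          112        FNCI            6        673 /0   /0    80001
1.1.1.1           10.10.31.31     17   53    52137 0/0      0    0   2   tunnel 9    14   2          318        FSI             6        0   /0   /0    0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str


def parse_sessions(text: str) -> List[Session]:
    """Assumption: columns are src, dst, proto, sport, dport, ...; the Flags
    column is the first token made only of capital letters (e.g. FNCI)."""
    out = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6 or not IPV4.match(p[0]) or not IPV4.match(p[1]):
            continue  # header, prompt or blank line
        flags = next((t for t in p[5:] if re.fullmatch(r"[A-Z]+", t)), "")
        out.append(Session(p[0], p[1], int(p[2]), int(p[3]), int(p[4]), flags))
    return out


def dns_redirect_state(sessions: List[Session], client: str, real_server: str) -> dict:
    """'N' on the client's outbound UDP/53 flow means dest-NAT was applied;
    a reply row from the real server with 'S' means the source address is
    being NATed back, so the client will actually see the answer."""
    fwd = [s for s in sessions if s.src == client and s.proto == 17 and s.dport == 53]
    rev = [s for s in sessions if s.src == real_server and s.dst == client and s.sport == 53]
    return {
        "forward_dnat": any("N" in s.flags for s in fwd),
        "reply_seen": bool(rev),
        "reply_snat": any("S" in s.flags for s in rev),
    }


if __name__ == "__main__":
    for k, v in dns_redirect_state(parse_sessions(SAMPLE), "10.10.31.31", "1.1.1.1").items():
        print(f"{k:14s} {'OK' if v else 'MISSING'}")
```

If only the forward row shows up with "N" and no reply row from the real server appears, the redirect is being applied but the answers never make it back into the session, which is the symptom described in the original question.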



  • 3.  RE: Role to redirect DNS to a different server?

    Posted 20 days ago
    Edited by ricardoduarte 20 days ago

    Unfortunately that doesn't work.

    This is what I have:

    • Management VLAN is 18, and IP network is 192.168.1.1/24
    • Client VLAN is 100 and IP network for clients is 192.168.2.0/24; there is no controller IP in this VLAN
    • Gateway for clients is an external device

    When I do dst-nat what I see is:

    • The destination address of packets from clients does get translated to the translated IP
    • BUT, the traffic then leaves the controller in VLAN 18 with the original client IP

    As an example:

    • Client is 192.168.2.1; dst-nat is done from 10.0.0.1 to 1.1.1.3; client enters the controller in VLAN 100
    • Capturing VLAN 18 I can see the translated packet; but the address is the original one and will not match the 192.168.1.0/24 network of VLAN 18
    • External firewall will block the packet because it is receiving traffic from 192.168.2.0/24 from VLAN 18; but VLAN 18 is 192.168.1.0/24

    I was hoping that, like IAP, the translated packets would leave via the client VLAN and not the management VLAN. Or, if still leaving via the management VLAN, use the management VLAN address (I do have outside NAT enabled in the management VLAN).

    Also, if I disable "inter vlan routing" all "dst-nat" traffic stops being forwarded.