IPSec Site-to-Site

I have configured an IPsec site-to-site tunnel between a Cisco router and a Cisco VPN Concentrator and everything is OK. I have a question: if the clients behind the Cisco router want to access a private site behind the VPN Concentrator, they will use its name, but they can't, because they first need to establish a tunnel, and this tunnel will not be established because no public DNS server will resolve this private web server. How can we solve this issue?

Thanks in advance

21 Replies

Hi,

Just want to clarify with you whether there is still a need for this, as the user behind the router can use the LAN-to-LAN VPN between the router and the CVPN.


Hi,

Yes, I read many documents but still did not find a good solution.


Maybe installing a DNS server on the remote end is an answer.


No, I'm asking how the client gets the remote site IP address before establishing the IPsec site-to-site tunnel, to let the IOS check whether this IP address is permitted to establish a tunnel or not.


dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2

When a LAN1 user kicks off an application that has a LAN2 hostname as its destination, it sends a DNS request to the local DNS server. The server then responds with the LAN2 IP, from which the router will be able to determine whether the tunnel should be initiated or not. Making sense?


No DNS server at LAN1. The LAN1 user types a hostname, and the IOS must first determine (before establishing a tunnel) whether this hostname's IP address is permitted to establish a tunnel or not.

Do you have an idea how the IOS does this?


Is there a DNS server at the remote end at least? I have also heard you can do a local mapping, but I'm not sure how.


Sure.


dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2

On the router, configure

ip name-server

ip forward-protocol udp 53

ip forward-protocol

To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command.

Then include the router WAN IP as part of the LAN-to-LAN VPN.

In theory:

1. The LAN1 user kicks off the app by hostname.

2. The router tries to resolve the name by contacting the DNS server.

3. Since the router WAN IP is part of the LAN-to-LAN VPN, the VPN should be initiated.

4. Bingo, the LAN1 user gets in.

Let me know if this works, as I've never tried this before.


Yeah, I think that will work. Include the DNS server in your IPsec traffic, and the DNS request will get forwarded to the remote-end DNS server, so your DNS query will trigger the tunnel. But for this, a DNS server is needed at the other end at least.


Hi jackko,

Thank you. Let us say the following:

DNS public --> 1.1.1.1

DNS LAN2 ip address --> 10.5.5.5

LAN1 users are configured for the 1.1.1.1 DNS at this time; must they be configured for 10.5.5.5? But this will make the session active all the time, since all DNS requests will be sent through this private DNS at LAN2.

I need the IOS to check the IP address for any hostname: if it is one of the LAN2 IP addresses, then this triggers the site-to-site IPsec session; otherwise keep this session inactive and forward the request to the Internet. Is this possible?


Not sure if it's possible. However, there are Cisco experts reading this forum every second around the world, and no one seems to be suggesting the IOS code, so maybe it's not very straightforward.

Wondering how many users we are talking about. If only a few, maybe editing the local hosts file on the PC is an option.


Just wondering how you're going. Figured out a workaround?


Hi Jackko,

The best solution so far is to let LAN1 clients get the LAN2 DNS server (I configured DHCP on the LAN1 router). This makes the IPsec session active all the time.
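The configuration the thread converges on (jackko's suggestion to put the DNS traffic inside the LAN-to-LAN VPN, and the last post's DHCP workaround), written out as an added Cisco IOS example for the LAN1 router. This is not configuration posted by anyone in the thread and has not been tested against a VPN Concentrator. Only the LAN2 DNS server 10.5.5.5 comes from the thread; the LAN1 subnet 192.168.1.0/24, the LAN2 subnet 10.5.5.0/24, the peer address 203.0.113.2, the interface names, the IKE parameters and the pre-shared key are assumptions. The security-relevant points are that the crypto ACL is matched on the packet's destination IP (so a DNS query to 10.5.5.5 is itself interesting traffic that brings the tunnel up) and that the same traffic must be exempted from NAT, or the overload NAT rewrites the source address before the crypto ACL is evaluated and the tunnel never triggers.

```cisco
! LAN1 router. Assumed addressing: LAN1 = 192.168.1.0/24 on Fa0/1,
! WAN = Fa0/0 (203.0.113.1), concentrator peer = 203.0.113.2,
! LAN2 = 10.5.5.0/24. The LAN2 DNS server 10.5.5.5 is from the thread.

! 1. Hand LAN1 clients the LAN2 DNS server (the last post's workaround).
!    Every lookup now crosses the tunnel, so the tunnel stays up.
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 10.5.5.5

! 2. Interesting traffic: the whole LAN2 subnet, which includes 10.5.5.5.
!    The crypto map matches on destination IP, so a UDP/53 packet from
!    192.168.1.x to 10.5.5.5 is enough to start IKE.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.5.5.0 0.0.0.255

! 3. NAT exemption: LAN1->LAN2 traffic must keep its private source,
!    otherwise it is translated to 203.0.113.1 and VPN-TRAFFIC never matches.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 10.5.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet0/0 overload

! 4. IKE phase 1 / IPsec phase 2. Placeholder PSK; use group 14 or
!    stronger if the concentrator supports it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC

interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

To check it, have a LAN1 client resolve a LAN2 name and then run `show crypto isakmp sa` (the SA to 203.0.113.2 should be in QM_IDLE) and `show crypto ipsec sa` (encaps counters for 10.5.5.0/24 should be rising). The trade-off the thread ends on remains: because every query, including those for public names, now goes to 10.5.5.5, the tunnel is effectively always up and Internet name resolution at LAN1 depends on the LAN2 DNS server being reachable through it. Sending only LAN2 names across the tunnel would require the router to act as a DNS proxy with per-domain forwarding (the `ip dns server` / `ip dns view` split-DNS feature of later IOS releases), which the thread does not cover.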
