IPSec Site-to-Site

I have configured an IPSec site-to-site tunnel between a Cisco router and a Cisco VPN Concentrator and everything is OK. I have a question: now if the clients behind the Cisco router want to access a private site behind the VPN Concentrator, they will use its name, but they can't because they need first to establish a tunnel, but this tunnel will not be established because no public DNS server will resolve this private web server. How can we solve this issue?

Thanks in advance



Just want to clarify with you whether there is still a need for this, as the user behind the router can use the lan-lan VPN between the router and the CVPN.



Yes, I read many documents but still did not find a good solution.


maybe installing a dns server on the remote end is an answer


No, I'm asking how the client gets the remote site IP address before establishing the IPSec site-to-site tunnel, to let the IOS check if this IP address is permitted to establish a tunnel or not.


dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2

when a lan1 user kicks off an application that has a lan2 hostname as a destination, it sends a dns request to the local dns server. the server then responds with a lan2 ip, from which the router will be able to determine whether the tunnel should be initiated or not. making sense?


No DNS server at LAN1. The LAN1 user types a hostname and the IOS must determine first (before establishing a tunnel) if this hostname's IP address is permitted to establish a tunnel or not.

Do you have an idea how the IOS does this?


Is there a DNS server at the remote end at least? I have also heard you can do a local mapping but I am not sure how.




dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2

on the router, configure

ip name-server

ip forward-protocol udp 53

ip forward-protocol

To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command.

then include the router wan ip as part of the lan-lan vpn.

in theory,

1. lan1 user kicks off the app by hostname

2. router tries to resolve the name by contacting the dns

3. since router wan ip is part of the lan-lan vpn, the vpn should be initiated

4. bingo lan1 user gets in

let me know if this works as i've never tried this before


Yeah, I think that will work. Include the DNS server in your IPSec traffic; DNS requests will get forwarded to the remote end DNS server, so your DNS query will trigger the tunnel. But for this, a DNS server is needed at the other end at least.


Hi jackko,

Thank you. Let us say the following:

DNS public -->

DNS LAN2 ip address -->

LAN1 users configured for DNS at this time, they must be configured for But this will make the session active all the time since all the dns requests will be checked through this private DNS at LAN2.

I need the IOS to check the IP address for any hostname: if it is from the LAN2 IP addresses then this will trigger the site-to-site IPSec session, otherwise keep this session inactive and forward it to the internet. Is this possible?


not sure if it's possible. however there are cisco experts reading this forum every second around the world and no one seems to be suggesting the ios code. so maybe it's not very straightforward.

wondering how many users we are talking about. if only a few, maybe editing the local hosts file on the pc is an option.


just wondering how you go. figured out a workaround?


Hi Jackko,

The best solution so far is to let LAN1 clients get the LAN2 DNS (I configured DHCP at the LAN1 router). This makes the IPSec session active all the time.
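
As an added example (not any poster's configuration), here is a router-side IOS configuration that implements what jackko sketched earlier in the thread (DNS traffic from the router's WAN address included in the LAN-to-LAN crypto ACL, the router acting as the LAN1 clients' resolver) and extends it with the IOS Split DNS feature so that only lookups for LAN2 names are sent over the tunnel. This addresses the always-on session described in the last post: ordinary internet lookups go to a public resolver and do not bring the IPsec SA up. All addresses, domain names, ACL and map names are assumptions constructed for the example, the pre-shared key is a placeholder, and the `ip dns view` commands assume an IOS release that supports Split DNS.

```cisco
! Assumed topology (constructed for this example):
!   LAN1 192.168.1.0/24 behind this router, router WAN address 203.0.113.10
!   LAN2 192.168.2.0/24 behind the concentrator, concentrator peer 198.51.100.5
!   Internal DNS server for lan2.example.com at 192.168.2.53 (on LAN2)
!   Public resolver (placeholder) 203.0.113.53
!
! --- IKE / IPsec for the LAN-to-LAN tunnel ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.5
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: LAN1<->LAN2 traffic, plus the DNS queries the router itself
! originates from its WAN address toward the LAN2 DNS server. The second
! line is what lets a name lookup bring the tunnel up.
ip access-list extended CRYPTO-L2L
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit udp host 203.0.113.10 host 192.168.2.53 eq domain
!
crypto map L2L 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set TS-AES
 match address CRYPTO-L2L
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.0
 crypto map L2L
!
interface GigabitEthernet0/1
 description LAN1
 ip address 192.168.1.1 255.255.255.0
!
! --- Router as DNS forwarder for LAN1 clients ---
ip domain lookup
ip dns server
!
! Split DNS: names under lan2.example.com are resolved through the LAN2
! server (reached over the tunnel); everything else goes to the public
! resolver, so normal browsing does not keep the IPsec SA alive.
ip dns view LAN2-VIEW
 domain name-server 192.168.2.53
 domain lookup
 dns forwarding
ip dns view default
 domain name-server 203.0.113.53
 domain lookup
 dns forwarding
!
! name-list patterns are regular expressions
ip dns name-list 1 permit \.lan2\.example\.com$
!
ip dns view-list SPLIT
 view LAN2-VIEW 10
  restrict name-group 1
 view default 20
!
ip dns server view-group SPLIT
!
! LAN1 clients get the router itself as their resolver
ip dhcp pool LAN1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
```

Two things to check when adapting this. The concentrator's LAN-to-LAN definition must mirror the crypto ACL, including the router's WAN host address as a protected source, or the DNS query will match locally but the peer will reject the proposal. And because `ip dns server` answers on every interface, put an inbound ACL on the WAN interface that drops UDP/TCP 53 destined for 203.0.113.10 from the internet; otherwise the router becomes an open resolver reachable from outside.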
