09-12-2005 11:03 PM - edited 02-21-2020 12:23 AM
I have configured an IPSec site-to-site tunnel between a Cisco router and a Cisco VPN Concentrator, and everything is OK. I have a question: if the clients behind the Cisco router want to access a private site behind the VPN Concentrator, they will use its name, but they can't, because they first need to establish the tunnel, and the tunnel will not be established because no public DNS server will resolve this private web server. How can we solve this issue?
Thanks in advance
09-14-2005 04:51 PM
Hi,
Just want to clarify with you whether there is still a need for this, as the user behind the router can use the LAN-to-LAN VPN between the router and the CVPN.
09-15-2005 03:26 AM
Hi,
Yes, I read many documents but still did not find a good solution.
09-15-2005 05:46 PM
Maybe installing a DNS server on the remote end is an answer.
09-16-2005 06:32 AM
No, I'm asking how the client gets the remote site IP address before establishing the IPSec site-to-site tunnel, to let the IOS check whether this IP address is permitted to establish a tunnel or not.
09-16-2005 08:12 AM
dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2
When a LAN1 user kicks off an application that has a LAN2 hostname as a destination, it sends a DNS request to the local DNS server. The server then responds with a LAN2 IP, from which the router will be able to determine whether the tunnel should be initiated or not. Making sense?
09-16-2005 11:20 AM
No DNS server at LAN1. The LAN1 user types a hostname, and the IOS must determine first (before establishing a tunnel) whether this hostname's IP address is permitted to establish a tunnel or not.
Do you have an idea how the IOS does this?
09-17-2005 04:12 AM
Is there a DNS server at the remote end at least? I have also heard you can do a local mapping, but I am not sure how.
09-17-2005 06:44 AM
Sure.
09-18-2005 07:53 PM
dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2
On the router, configure
ip name-server
ip forward-protocol udp 53
ip forward-protocol
To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command.
Then include the router WAN IP as part of the LAN-to-LAN VPN.
In theory:
1. LAN1 user kicks off the app by hostname
2. Router tries to resolve the name by contacting the DNS
3. Since the router WAN IP is part of the LAN-to-LAN VPN, the VPN should be initiated
4. Bingo, LAN1 user gets in
Let me know if this works, as I've never tried this before.
09-19-2005 03:49 AM
Yeah, I think that will work. Include the DNS server in your IPSec traffic, and the DNS request will get forwarded to the remote-end DNS server. So your DNS query will trigger the tunnel. But for this, a DNS server is needed at the other end at least.
09-19-2005 11:02 AM
Hi jackko,
Thank you. Let us say the following:
DNS public --> 1.1.1.1
DNS LAN2 ip address --> 10.5.5.5
LAN1 users are configured for the 1.1.1.1 DNS at this time; must they be configured for 10.5.5.5? But this will make the session active all the time, since all the DNS requests will be checked through this private DNS at LAN2.
I need the IOS to check the IP address for any hostname: if it is from the LAN2 IP addresses, then this will trigger the site-to-site IPSec session; otherwise keep this session inactive and forward it to the Internet. Is this possible?
09-19-2005 04:11 PM
Not sure if it's possible. However, there are Cisco experts reading this forum every second around the world, and no one seems to be suggesting the IOS code, so maybe it's not very straightforward.
Wondering how many users we are talking about. If only a few, maybe editing the local hosts file on the PC is an option.
09-22-2005 06:24 PM
Just wondering how you're going. Figured out a workaround?
09-22-2005 11:13 PM
Hi Jackko,
The best solution so far is to let LAN1 clients get the LAN2 DNS (I configured DHCP on the LAN1 router). This makes the IPSec session active all the time.
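As an added illustration (not configuration from anyone in this thread), the following IOS fragment shows the DNS-triggered design jackko sketched above together with the DHCP workaround from the last post on one LAN1 router. All addresses, interface names, the pre-shared-key placeholder and the choice of the router's own DNS proxy (`ip dns server`) rather than a LAN1 DNS server are assumptions made for the example; the concentrator side is not shown.

```cisco
! Added example, not from the thread. Constructed addressing:
!   LAN1            192.168.1.0/24   (router inside 192.168.1.1)
!   LAN2            10.5.0.0/16      (LAN2 DNS server 10.5.5.5)
!   router WAN      203.0.113.10
!   concentrator    198.51.100.20    (public address)
!
hostname LAN1-Router
!
! The router resolves names against the LAN2 DNS server and answers
! LAN1 clients itself. Its forwarded queries leave through the WAN
! interface, so the WAN address must be covered by the crypto ACL.
ip domain-lookup
ip name-server 10.5.5.5
ip dns server
!
! Clients learn the router as their DNS via DHCP. Handing out 10.5.5.5
! directly (as in the last post) also works; either way every lookup,
! Internet names included, crosses the tunnel, which is why the SA
! stays up more or less permanently.
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN1-POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! <PRE-SHARED-KEY> is a placeholder; use a long random value.
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.20
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! Interesting traffic. The first line is what lets a name lookup bring
! the tunnel up: the router's own DNS queries, sourced from the WAN
! address, to the LAN2 DNS server. Keep it to UDP/53 and a single host
! rather than "any" so only the intended traffic is encrypted.
ip access-list extended VPN-TRAFFIC
 permit udp host 203.0.113.10 host 10.5.5.5 eq domain
 permit ip 192.168.1.0 0.0.0.255 10.5.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.0
 crypto map VPNMAP
!
interface GigabitEthernet0/1
 description LAN1
 ip address 192.168.1.1 255.255.255.0
```

Two things to check before relying on this. The concentrator's LAN-to-LAN network list must include 203.0.113.10/32 as a remote host in addition to 192.168.1.0/24, otherwise the DNS query matches the router's crypto ACL but the peer rejects the proposal. If the WAN interface also does NAT overload, the LAN1-to-LAN2 and WAN-to-10.5.5.5 flows need a NAT exemption (a deny in the NAT ACL or a route-map) so they reach the crypto map un-translated. Neither this nor any IOS feature pre-screens a hostname before the tunnel exists, which is the limitation the thread arrives at: the decision is made on the resolved IP against the crypto ACL, so the resolver itself has to be reachable through (or trigger) the tunnel.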