Hi Richard,
Thk you and apologies for late delay. After adding the accesslist with tcp 53 i am able to resolve domains. However my router also has a site to site vpn connection. After adding this accesslist the site to site vpn traffic do not seem to work. Name resolution is fine but site to site vpn traffic fail. Below is my config in addition to the accesslist we discuss abt. Pls advise thks in advance.
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key test address 21.x.x.x
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
set peer 21.x.x.x
set transform-set myset
match address 150(belong to the accesslist that were defined)
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.10.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
ip access-group 101 in
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password x yyyyyyyy
ppp pap sent-username testing password 7 3535353535353
crypto map test
ip nat inside source route-map nonat interface Dialer1 overload
access-list 101 permit tcp host 2.x.x.x host 6.x.x.x eq 1433
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any ack
access-list 101 permit tcp any any psh
access-list 101 permit tcp any eq 53 any
access-list 110 deny ip 172.16.9.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 110 permit ip 172.16.9.0 0.0.0.255 any
access-list 120 permit ip 172.16.9.0 0.0.0.255 172.16.5.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 110
