hsinn3r555
Beginner

DNS problem through VPN on SA520

Dear all,

After setting up the VPN configuration on a Cisco SA520, I connected to it through the Shrew Soft VPN client. While I can see the network, the DNS does not work, e.g. pinging an IP directly responds, pinging a server name does not. It seems that the request never reaches the server.

I'm using firmware v. 2.1.51

Any thoughts? I read that it was a fw problem with older versions, but it should have been fixed?

Kind Regards

Nikos

5 REPLIES
Herbert Baerten
Cisco Employee

Hi Nikos,


since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.


best regards,

Herbert
Cisco Moderator

Dear Herbert, thank you for your reply. I also changed the topic title, hopefully it will be easier to get some help now.

Regards,

Nikos

nmanglik
Cisco Employee

Hi Nikos,

We have simulated the setup locally with the topology and configuration steps and are able to ping using DNS name. Please find our observations below:

Topology:

========

    Lan host     +--- [L] SA500 [W] ------------- Shrew Soft VPN client
                 |
    DNS Server   +

SA520W configuration:

  • Add VPN client configuration from VPN Wizard (VPN > IPSec > VPN Wizard)
  • On IKE Policies page, select XAUTH Configuration - Edge Device and Authentication Type - User Database.
  • On VPN Policies page, enable Mode Config
  • On Dynamic IP Range page, configure client IP range and DNS Server as LAN side DNS server.
  • Create an IPSec user
  • Disable and Enable VPN Policy.

Shrew Soft VPN Client (v2.1.7):

  • Disable Split tunnel
  • Authentication Method - Mutual PSK + XAuth
  • Policy tab, select 'Maintain Persistent Security Association' and Add to include remote network resource (LAN address of SA500)

Thanks,

Nitin.

Hi Nitin, thanks for your reply.

On the Dynamic IP Range Configuration, should I have Full or Split Tunnel Mode?

Also, I can't quite understand the Start and End IP address range. When I try to set it to the same subnet as the router's LAN IP, I get this message:

"The subnet specified is same as LAN/VLAN subnet, Please specify a different subnet."

So I do enter a different, sorta random IP range.

Regards,

Nikos

Nikos,

The above explanation provided was with full tunnel mode.

The Start and End IP address range need to be different than your LAN subnet. It is the range you would like to assign to remote VPN clients (in this case Shrew Soft VPN client).

Thanks,

Nitin.
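
The constraints from the replies above (client range outside the LAN/VLAN subnet, DNS server set to the LAN-side server), checked before entering them on the Dynamic IP Range page. This is an added example, not part of the original thread; the function name `check_vpn_pool` and all addresses are constructed for illustration.

```python
import ipaddress


def check_vpn_pool(start, end, lan_subnets, dns_server):
    """Return a list of problems with a Mode Config client pool (empty list = OK)."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if first.version != last.version:
        return ["start and end addresses use different IP versions"]
    if first > last:
        return ["start address is higher than end address"]

    problems = []
    # Express the start-end range as CIDR blocks so it can be compared to subnets.
    pool = list(ipaddress.summarize_address_range(first, last))
    lans = [ipaddress.ip_network(s, strict=False) for s in lan_subnets]

    # The device rejects a client range that falls in a LAN/VLAN subnet.
    for lan in lans:
        if any(block.overlaps(lan) for block in pool):
            problems.append(f"pool {start}-{end} overlaps LAN/VLAN subnet {lan}")

    # The thread's working setup pushes the LAN-side DNS server to clients.
    dns = ipaddress.ip_address(dns_server)
    if not any(dns in lan for lan in lans):
        problems.append(f"DNS server {dns} is not on a LAN/VLAN subnet")
    if dns.version == first.version and first <= dns <= last:
        problems.append(f"DNS server {dns} lies inside the client pool")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    lan = ["192.168.75.0/24"]
    for pool_start, pool_end in [("192.168.75.100", "192.168.75.150"),
                                 ("192.168.200.10", "192.168.200.50")]:
        issues = check_vpn_pool(pool_start, pool_end, lan, "192.168.75.10")
        print(pool_start, pool_end, issues or "OK")
```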