12-02-2006 08:41 AM - edited 03-05-2019 01:08 PM
I have configured a Cisco 851 (IOS 12.4(11)T) to connect to the Cisco 3000 Concentrator (v4.72G). I am having multiple problems:
1. On the concentrator I have specified multiple domain names for split DNS "hq.portablesunlimited.com,hq.cellfonestore.com". However I see only the first name created for the dns views.
2. We have a static WAN IP address with a fixed DNS server name given by our ISP. I am using the same DNS name on the client PCs connected to the 851. I am able to resolve any external names, e.g. "www.google.com". When I try to resolve a DNS address (Split-DNS), e.g. server.hq.portablesunlimited.com, it fails to resolve the address. I tried to specify the address of the 851 (10.0.0.1) as the DNS server for the clients; in this case the clients do not resolve any address. However, if I go to the 851 console and ping, say, "www.yahoo.com", it works, and then I can resolve that address "www.yahoo.com" from the client PCs also.
I don't have any firewall or NAT enabled on the 851.
Here is the 851 config file:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname firewall
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 10.220.1.1 10.220.1.99
ip dhcp excluded-address 10.220.1.201 10.220.1.254
!
ip dhcp pool sdm-pool1
import all
network 10.220.1.0 255.255.255.0
dns-server 129.x.x.80
default-router 10.220.1.1
!
ip cef
ip domain name mydomain.com
ip name-server 129.x.x.80
!
crypto pki trustpoint TP-self-signed-3072999871
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3072999871
revocation-check none
rsakeypair TP-self-signed-3072999871
!
crypto ipsec client ezvpn VPN1
connect auto
group xyz key xyz
mode network-extension
peer x.x.x.x
username xyz password xyz
xauth userid mode local
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 129.34.x.x.255.255.240
duplex auto
speed auto
crypto ipsec client ezvpn VPN1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.220.1.1 255.255.255.0
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN1 inside
!
ip route 0.0.0.0 0.0.x.x.34.7.82
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns view ezvpn-internal-view
domain name-server 10.128.1.10
ip dns view-list ezvpn-internal-viewlist
view ezvpn-internal-view 10
restrict name-group 1
view default 20
ip dns name-list 1 permit HQ.PORTABLESUNLIMITED.COM
ip dns server view-group ezvpn-internal-viewlist
!
no cdp run
!
end
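The view-list in the config above decides which resolver a client query reaches, and problem 1 follows directly from it: a name under hq.cellfonestore.com is not in name-list 1, so it falls through to the default view and the ISP resolver, which cannot answer for an internal zone. The script below is an added example, not from the thread or from Cisco; it is a simplified model of IOS name-list matching (case-insensitive regex, first matching entry wins, a view without a name-list accepts everything) using the addresses from the posted config, and `name_list_from_split_dns` is an assumption about what the poster expected the two-domain split-DNS string to produce.

```python
import re
from dataclasses import dataclass, field

# Values taken from the posted config; "129.x.x.80" keeps the poster's redaction.
TUNNEL_DNS = "10.128.1.10"   # domain name-server in view ezvpn-internal-view
ISP_DNS = "129.x.x.80"       # global ip name-server, used by the default view
SPLIT_DNS = "hq.portablesunlimited.com,hq.cellfonestore.com"  # concentrator setting

@dataclass
class View:
    name: str
    order: int                       # position in the view-list (10, 20, ...)
    name_server: str
    name_list: list = field(default_factory=list)  # (action, regex) entries

def name_list_from_split_dns(split_dns: str) -> list:
    """Expand the concentrator's comma-separated split-DNS string into one
    anchored 'permit' entry per domain (assumed: what the poster expected)."""
    return [("permit", r"(^|\.)" + re.escape(d.strip()) + r"\.?$")
            for d in split_dns.split(",") if d.strip()]

def view_accepts(qname: str, view: View) -> bool:
    """Simplified model of 'restrict name-group': entries are tried in order,
    case-insensitively; the first match decides. A view without a name-list
    (the 'default' view) accepts every query."""
    for action, pattern in view.name_list:
        if re.search(pattern, qname, re.IGNORECASE):
            return action == "permit"
    return not view.name_list

def resolver_for(qname: str, view_list: list) -> str:
    """Return the name-server that sees the query, walking the view-list by
    order the way 'ip dns server view-group' does in this model."""
    for view in sorted(view_list, key=lambda v: v.order):
        if view_accepts(qname, view):
            return view.name_server
    raise LookupError(f"no view in the list accepts {qname}")

def build_view_list(name_list: list) -> list:
    return [View("ezvpn-internal-view", 10, TUNNEL_DNS, name_list),
            View("default", 20, ISP_DNS)]

# As seen in the post: only the first split-DNS domain reached name-list 1.
# Note the literal is unanchored, so it also matches longer names ending in
# that suffix plus more labels; the expanded entries above are anchored.
AS_CONFIGURED = build_view_list([("permit", "HQ.PORTABLESUNLIMITED.COM")])
# What the two-domain split-DNS string should have produced.
EXPECTED = build_view_list(name_list_from_split_dns(SPLIT_DNS))

if __name__ == "__main__":
    for q in ("server.hq.portablesunlimited.com", "fs.hq.cellfonestore.com", "www.google.com"):
        print(f"{q:34} configured->{resolver_for(q, AS_CONFIGURED):12} expected->{resolver_for(q, EXPECTED)}")
```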
12-07-2006 02:09 PM
To resolve this issue, perform these steps:
1) Make sure the VPN server (PIX Firewall, Cisco VPN Concentrator or a router) successfully assigns a DNS server IP address to the Cisco VPN Client. To check, issue the ipconfig /all command on your PC after you are connected with the VPN Client.
2) If you do not see the correct IP address for your DNS field, check the configuration on the VPN server to make sure it was configured properly. This pushes the DNS server's IP address to the VPN Client's IP address.
3) To assign the DNS server's IP address for the VPN Clients, issue these commands:
a) On the PIX Firewall:
vpngroup test dns-server x.x.x.x
Note: The test dns-server is an optional parameter that is available when issuing the vpngroup command.
b) On the router:
crypto isakmp client configuration group 3000client
dns x.x.x.x
c) On the VPN Concentrator:
Go under Configuration > User Management > Groups.
Select the group you are working with and click Modify Group.
Go to the General tab and scroll down. You can assign DNS settings to the clients in this location. Make sure the correct IP address was specified.
4) If the VPN Client receives the correct DNS IP address from the VPN server, but name resolution still does not work, check to make sure the Network Basic Input and Output System (NetBIOS) over Transmission Control Protocol (TCP) and IP option is checked under Advanced TCP/IP properties > WINS on the PC that runs the VPN Client.
You can also refer to the Cisco documentation on Configuring Split and Dynamic DNS on the Cisco VPN 3000 Concentrator.