Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
588
Views
0
Helpful
1
Replies

Problem with Cisco 851 Split-dns

sjalan
Level 1
Level 1

‎12-02-2006 08:41 AM - edited ‎03-05-2019 01:08 PM

I have configured a Cisco 851 (IOS 12.4(11)T) to connect to the Cisco 3000 Concentrator (v4.72G). I am having multiple problems:

1. On the concentrator I have specified multiple domain names for split DNS "hq.portablesunlimited.com,hq.cellfonestore.com". However I see only the first name created for the dns views.

2. We have a static WAN IP address with a fixed DNS Server name given by our ISP. I am using the same DNS name on the client PCs connected to the 851. I am able to resolve any external names for e.g. "www.google.com". When I try to resolve a DNS address (Split-DNS) for e.g. server.hq.portablesunlimited.com, it fails to resolve the address. I tried to specify the address of 815 (10.0.0.1) as the DNS server for the clients, in this case the clients do not resolve any address. However if I go to the 851 console and ping say "www.yahoo.com" it works and then I can resolve that address "www.yahoo.com" from the client PCs also.

I don't have any firewall or NAT enabled on the 851.

Here is the 851 config file:

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname firewall

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 xxxxxxxxxxxx

!

no aaa new-model

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

no ip dhcp use vrf connected

ip dhcp excluded-address 10.220.1.1 10.220.1.99

ip dhcp excluded-address 10.220.1.201 10.220.1.254

!

ip dhcp pool sdm-pool1

import all

network 10.220.1.0 255.255.255.0

dns-server 129.x.x.80

default-router 10.220.1.1

!

ip cef

ip domain name mydomain.com

ip name-server 129.x.x.80

!

crypto pki trustpoint TP-self-signed-3072999871

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3072999871

revocation-check none

rsakeypair TP-self-signed-3072999871

!

crypto ipsec client ezvpn VPN1

connect auto

group xyz key xyz

mode network-extension

peer x.x.x.x

username xyz password xyz

xauth userid mode local

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $FW_OUTSIDE$$ES_WAN$

ip address 129.34.x.x.255.255.240

duplex auto

speed auto

crypto ipsec client ezvpn VPN1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.220.1.1 255.255.255.0

ip tcp adjust-mss 1452

crypto ipsec client ezvpn VPN1 inside

!

ip route 0.0.0.0 0.0.x.x.34.7.82

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip dns view ezvpn-internal-view

domain name-server 10.128.1.10

ip dns view-list ezvpn-internal-viewlist

view ezvpn-internal-view 10

restrict name-group 1

view default 20

ip dns name-list 1 permit HQ.PORTABLESUNLIMITED.COM

ip dns server view-group ezvpn-internal-viewlist

!

no cdp run

!

end

Labels:
0 Helpful
1 Reply 1

beth-martin
Level 5
Level 5

‎12-07-2006 02:09 PM

To resolve this issue, perform these steps:

1) Make sure the VPN server (PIX Firewall, Cisco VPN Concentrator or a router) successfully assigns a DNS server IP address to the Cisco VPN Client. To check, issue the ipconfig/all command on your PC after you are connected with the VPN Client.

2) If you do not see the correct IP address for your DNS field, check the configuration on the VPN server to make sure it was configured properly. This pushes the DNS server's IP address to the VPN Client's IP address.

3) To assign the DNS server's IP address for the VPN Client's, issue these commands:

a) On the PIX Firewall:

vpngroup test dns-server x.x.x.x

Note: The test dns-server is an optional parameter that is available when issuing the vpngroup command.

b) On the router:

crypto isakmp client configuration group 3000client

dns x.x.x.x

c) On the VPN Concentrator:

Go under Configuration > User Management > Groups.

Select the group you are working with and click Modify Group.

Go to the General tab and scroll down. You can assign DNS settings to the clients in this location. Make sure the correct IP address was specified.

4) If the VPN Client receives the correct DNS IP address from the VPN server, but name resolution still does not work, check to make sure the Network Basic Input and Output System (NetBIOS) over Transmission Control Protocol (TCP) and IP option is checked under Advanced TCP/IP properties > WINS on the PC that runs the VPN Client.

You can also refer to the Cisco documentation on Configuring Split and Dynamic DNS on the Cisco VPN 3000 Concentrator

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008015f324.shtml

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card