02-02-2018 10:18 PM - edited 03-08-2019 01:41 PM
Hi All
I have a 1811 configured with ezvpn in nem connecting to a 2921.
The connection establishes perfectly, the split-network works and I can access all systems within the internal network. DNS on the 1811 works for the ISP and if I do an nslookup on the remote dns servers from a client behind the 1811, it works.
My configuration is as follows; things in [] have been changed for security.
The group section of the 2921 router is set as
crypto isakmp client configuration group [mygroupname]
key [mysetkey]
dns 10.242.1.6 10.242.1.5
domain office.pegasustech.com.au
pool pegasus-pool
acl PEGASUSSTAFFREMOTE-access
save-password
split-dns office.pegasustech.com.au
split-dns pegasustech.com.au
max-users 10
The relevant configuration on the 1811 is
crypto ipsec client ezvpn pegasus-connect
connect auto
group [mygroupname] key [mysetkey]
mode network-extension
peer [mypeerip]
username [myusername] password [mypassword]
xauth userid mode local
When the vpn connects with the following debug
debug ip dns name-list
debug ip dns view
debug ip dns view-list
the output is
Feb 3 15:28:47.791 Sydney: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=[myusername] Group= [mygroupname] Client_public_addr=192.168.1.9 Server_public_addr=[mypeerip] NEM_Remote_Subnets=10.242.129.0/255.255.255.0
Feb 3 15:28:47.791 Sydney: DNS_VIEW: creating view ezvpn-internal-view
DNS_VIEW: Setting domain name-server 10.242.1.6 10.242.1.5 in view ezvpn-internal-view
Feb 3 15:28:47.791 Sydney: DNS_NAMELIST: adding permit 'OFFICE.PEGASUSTECH.COM.AU' to name-list 1
Feb 3 15:28:47.791 Sydney: DNS_NAMELIST: adding permit 'PEGASUSTECH.COM.AU' to name-list 1
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: creating view-list ezvpn-internal-viewlist internal
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: adding member ezvpn-internal-view order 10 to view-list ezvpn-internal-viewlist
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: adding member default order 20 to view-list ezvpn-internal-viewlist
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: setting internal internal view-list ezvpn-internal-viewlist on interface BVI1
pegasus-casey-01(config-crypto-ezvpn)#
DNS_VIEW: Setting domain name-server 10.242.1.6 10.242.1.5 in view ezvpn-internal-view
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: adding permit 'OFFICE.PEGASUSTECH.COM.AU' to name-list 2
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: adding permit 'PEGASUSTECH.COM.AU' to name-list 2
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: removing name-list 2
DNS_VIEW: Setting domain name-server 10.242.1.6 10.242.1.5 in view ezvpn-internal-view
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: adding permit 'OFFICE.PEGASUSTECH.COM.AU' to name-list 2
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: adding permit 'PEGASUSTECH.COM.AU' to name-list 2
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: removing name-list 2
The name-list is visible
pegasus-casey-01#show ip dns name-list
ip dns name-list 1
permit OFFICE.PEGASUSTECH.COM.AU
permit PEGASUSTECH.COM.AU
The view list is empty, I believe it should show ezvpn-internal-view
#show ip dns view-list
#
And the show views only shows the default view
show ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
Domain lookup is enabled
Default domain name: casey.pegasustech.com.au
Domain search list:
Lookup timeout: 3 seconds
Lookup retries: 2
Domain name-servers:
192.168.1.1
DNS Server settings:
Forwarding of queries is enabled
Forwarder timeout: 3 seconds
Forwarder retries: 2
Forwarder addresses:
With the vpn enabled, nslookup for www.pegasustech.com.au returns failed
the 1811 router shows
DNS View ezvpn-internal-view used for client 10.242.129.20/51934, querying A 'www.pegasustech.com.au'
However when I disconnect, the name list and view list seem to be deleted
Feb 3 15:57:57.478 Sydney: DNS_VIEWLIST: deleting view-list ezvpn-internal-viewlist
Feb 3 15:57:57.478 Sydney: DNS_VIEW: deleting view ezvpn-internal-view
Feb 3 15:57:57.478 Sydney: DNS_NAMELIST: removing name-list 1
Feb 3 15:57:57.478 Sydney: DNS_VIEWLIST: removing internal view-list on interface BVI1
Feb 3 15:57:57.478 Sydney: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=[myusername] Group= [mygroupname] Client_public_addr=192.168.1.9 Server_pu
It all looks to be working, except there is no ezvpn-internal-view active
Anyone got any ideas ?
Thanks in advance
Mark
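To check the point made in this post (the debug output says the view, name-list and view-list were created, yet the show commands do not list them), here is an added Python example, not part of the original thread, that replays the DNS_VIEW/DNS_NAMELIST/DNS_VIEWLIST debug lines quoted above into the state they imply and reports any view-list absent from a captured "show ip dns view-list". The log text is copied from the post; the nine message formats matched are assumed to be the only ones that matter.

```python
import re

# Debug lines copied from the post above (connect sequence); constructed subset.
EZVPN_DEBUG = """\
Feb 3 15:28:47.791 Sydney: DNS_VIEW: creating view ezvpn-internal-view
DNS_VIEW: Setting domain name-server 10.242.1.6 10.242.1.5 in view ezvpn-internal-view
Feb 3 15:28:47.791 Sydney: DNS_NAMELIST: adding permit 'OFFICE.PEGASUSTECH.COM.AU' to name-list 1
Feb 3 15:28:47.791 Sydney: DNS_NAMELIST: adding permit 'PEGASUSTECH.COM.AU' to name-list 1
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: creating view-list ezvpn-internal-viewlist internal
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: adding member ezvpn-internal-view order 10 to view-list ezvpn-internal-viewlist
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: adding member default order 20 to view-list ezvpn-internal-viewlist
Feb 3 15:28:47.791 Sydney: DNS_VIEWLIST: setting internal internal view-list ezvpn-internal-viewlist on interface BVI1
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: adding permit 'PEGASUSTECH.COM.AU' to name-list 2
Feb 3 15:28:58.271 Sydney: DNS_NAMELIST: removing name-list 2
"""

def _add_servers(st, m):
    # "Setting domain name-server" repeats in the log; keep one copy of each server.
    ns = st["views"].setdefault(m[2], [])
    ns.extend(s for s in m[1].split() if s not in ns)

EVENTS = [  # (regex over one debug line, handler mutating the reconstructed state)
    (r"DNS_VIEW: creating view (\S+)", lambda st, m: st["views"].setdefault(m[1], [])),
    (r"DNS_VIEW: Setting domain name-server (.+?) in view (\S+)", _add_servers),
    (r"DNS_VIEW: deleting view (\S+)", lambda st, m: st["views"].pop(m[1], None)),
    (r"DNS_NAMELIST: adding permit '(\S+)' to name-list (\d+)",
     lambda st, m: st["name_lists"].setdefault(m[2], []).append(m[1])),
    (r"DNS_NAMELIST: removing name-list (\d+)", lambda st, m: st["name_lists"].pop(m[1], None)),
    (r"DNS_VIEWLIST: creating view-list (\S+)", lambda st, m: st["view_lists"].setdefault(m[1], [])),
    (r"DNS_VIEWLIST: adding member (\S+) order (\d+) to view-list (\S+)",
     lambda st, m: st["view_lists"].setdefault(m[3], []).append((m[1], int(m[2])))),
    (r"DNS_VIEWLIST: setting .*view-list (\S+) on interface (\S+)",
     lambda st, m: st["bindings"].update({m[2]: m[1]})),
    (r"DNS_VIEWLIST: deleting view-list (\S+)", lambda st, m: st["view_lists"].pop(m[1], None)),
]

def replay(debug_text):
    """Replay DNS_VIEW/DNS_NAMELIST/DNS_VIEWLIST events into the DNS state the router claims to hold."""
    st = {"views": {}, "name_lists": {}, "view_lists": {}, "bindings": {}}
    for line in debug_text.splitlines():
        for pattern, handler in EVENTS:
            m = re.search(pattern, line)
            if m:
                handler(st, m)
                break
    return st

def view_lists_missing_from_show(state, show_output):
    """View-lists the debug created but the captured 'show ip dns view-list' output does not mention."""
    return sorted(vl for vl in state["view_lists"] if vl not in show_output)
```

Running replay() over the connect debug and comparing against the empty show output from the post returns the single missing view-list, which is exactly the discrepancy described; feeding the disconnect lines as well empties views, name-lists and view-lists again.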
02-06-2018 10:56 PM
Hi All
Just an update
Has anyone got ezvpn split-dns in 'network extension mode' working with any system ?
Because I am seeing the same
with clients
877,887, 1811
with servers
2921 and ASA 5510
I am seeing exactly the same across all three clients to the 1921 and the 877 to both types of servers.