Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1129
Views
0
Helpful
1
Replies

DNS after IPSec VPN connects

Muhammed Islam
Level 1
Level 1

‎05-15-2013 08:09 AM

I have an ASA5510 configured for IPSec VPN.

Two Windows client PCs (each on separate ISP broadband lines) can successfully connect to it and detect the VPN's DNS (on its "inside" interface) which allows RDP access to terminal servers (also on the "inside" interface).

Other Windows client PCs (using different ISP broadband/mobile lines) can connect to the same VPN but do not detect its DNS - they instead detect their own ISP's DNS.

This means they cannot RDP to these terminal servers.

Below is a running config of my ASA.

< start of config >

HF003088-CLCH-PG-IPSec-FW1# sh ru

: Saved

:

ASA Version 8.2(5)

!

hostname HF003088-CLCH-PG-IPSec-FW1

domain-name riverside.nhs.uk

enable password iVamNSP6IPQcCHIY encrypted

passwd qXY8JKej0SAhi0GD encrypted

no names

dns-guard

!

interface Ethernet0/0

nameif Easynet-Outside

security-level 0

ip address 217.207.189.197 255.255.255.240

!

interface Ethernet0/1

nameif CLCH-Inside

security-level 100

ip address 192.168.50.6 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup Easynet-Outside

dns domain-lookup CLCH-Inside

dns server-group DefaultDNS

name-server 192.168.55.114

name-server 192.168.25.59

domain-name riverside.nhs.uk

same-security-traffic permit intra-interface

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

access-list NONAT-001 extended permit ip 192.168.25.0 255.255.255.0 10.252.1.0 2

55.255.255.0

access-list NONAT-001 extended permit ip 192.168.49.0 255.255.255.0 10.252.1.0 2

55.255.255.0

access-list NONAT-001 extended permit ip 192.168.55.0 255.255.255.0 10.252.1.0 2

55.255.255.0

access-list NONAT-001 extended permit ip 192.168.50.0 255.255.255.0 10.252.1.0 2

55.255.255.0

access-list NONAT-001 extended permit ip 192.168.4.0 255.255.255.0 10.252.1.0 25

5.255.255.0

access-list clchsplittunnel-001 standard permit 192.168.50.0 255.255.255.0

access-list clchsplittunnel-001 standard permit 192.168.25.0 255.255.255.0

access-list clchsplittunnel-001 standard permit 192.168.55.0 255.255.255.0

access-list clchsplittunnel-001 standard permit 192.168.49.0 255.255.255.0

access-list clchsplittunnel-001 standard permit 192.168.4.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Easynet-Outside 1500

mtu CLCH-Inside 1500

mtu management 1500

ip local pool clchip 10.252.1.10-10.252.1.250 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.50.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.50.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit 192.168.25.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit 192.168.25.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.55.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.55.0 255.255.255.0 echo-reply CLCH-Inside

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (Easynet-Outside) 1 interface

nat (CLCH-Inside) 0 access-list NONAT-001

nat (CLCH-Inside) 1 0.0.0.0 0.0.0.0

route Easynet-Outside 0.0.0.0 0.0.0.0 217.207.189.193 1

route CLCH-Inside 192.168.0.0 255.255.0.0 192.168.50.1 1

route CLCH-Inside 192.168.25.0 255.255.255.0 192.168.50.1 1

route CLCH-Inside 192.168.49.0 255.255.255.0 192.168.50.1 1

route CLCH-Inside 192.168.55.0 255.255.255.0 192.168.50.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server clchntserver protocol nt

reactivation-mode timed

aaa-server clchntserver (CLCH-Inside) host 192.168.55.114

nt-auth-domain-controller 192.168.55.114

aaa-server clchntserver (CLCH-Inside) host 192.168.25.59

nt-auth-domain-controller 192.168.25.59

http server enable

http 192.168.50.0 255.255.255.0 CLCH-Inside

http 192.168.55.0 255.255.255.0 CLCH-Inside

http 192.168.25.0 255.255.255.0 CLCH-Inside

http 192.168.1.0 255.255.255.0 management

snmp-server host CLCH-Inside 192.168.49.17 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set clchset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map clchdymap 1 set transform-set clchset

crypto dynamic-map clchdymap 1 set reverse-route

crypto map clchmap 1 ipsec-isakmp dynamic clchdymap

crypto map clchmap interface Easynet-Outside

crypto isakmp identity hostname

crypto isakmp enable Easynet-Outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

no crypto isakmp nat-traversal

telnet 192.168.50.0 255.255.255.0 CLCH-Inside

telnet 192.168.25.0 255.255.255.0 CLCH-Inside

telnet 192.168.55.0 255.255.255.0 CLCH-Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy clchpolicy internal

group-policy clchpolicy attributes

dns-server value 192.168.55.114 192.168.25.59

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value clchsplittunnel-001

default-domain value riverside.nhs.uk

tunnel-group clchgroup type remote-access

tunnel-group clchgroup general-attributes

address-pool clchip

authentication-server-group clchntserver

default-group-policy clchpolicy

tunnel-group clchgroup ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

< end of config >

Any help to resolve this I would appreciate.

Muhammed Islam

Labels:
0 Helpful
1 Reply 1

Muhammed Islam
Level 1
Level 1

‎05-17-2013 04:07 AM

I was able to resolve this by adding the correct acess control lists and ensuring my LAN connection could successfully ping my VPN client IP.

Muhammed

0 Helpful
Customers Also Viewed These Support Documents