DNS issue on IPSec site to site

b0ying
Level 1

We've set up an IPsec site-to-site VPN tunnel.

The current transform set is in tunnel mode and I believe split tunneling is enabled.

All connections seem to be working fine. We're able to ping from site A to site B and vice versa.

We're just having a problem with DNS, where we can't ping the DNS name but we can ping its IP.

example:

ping 10.160.1.2 = successful

ping DNS-SRV001 = failed

We believe that this is what's causing our problem on the client side, where the client can't join the domain.

Need your expert advice on this.

Thanks in advance,

Erick

The needed configuration info is below:

Site A

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 6 TEST123 address YYY.YYY.YYY.YYY
!
!
crypto ipsec transform-set CMAP-Phase2 esp-aes 256 esp-sha-hmac
!
crypto map CMAP-Phase1 2 ipsec-isakmp
 description ** VPN to SITE B**
 set peer YYY.YYY.YYY.YYY
 set transform-set CMAP-Phase2
 match address 150

!

object-group network VPN-SITEB
 10.150.0.0 255.255.255.0
 10.150.1.0 255.255.255.0
 10.150.2.0 255.255.255.0
 10.150.3.0 255.255.255.0
 10.150.4.0 255.255.255.0
 10.150.5.0 255.255.255.0
 10.150.100.0 255.255.255.0
!
object-group network VPN-SITEA
 10.160.1.0 255.255.255.0
 10.160.0.0 255.255.255.0
 10.160.20.0 255.255.255.0
 10.160.10.0 255.255.255.0

!

ip nat inside source list SITEA_NAT_ADDRESS interface fastethernet 0/0 overload

!

ip access-list extended SITEA_NAT_ADDRESS
 deny   ip object-group VPN-SITEA object-group VPN-SITEB
 permit ip object-group VPN-SITEA any

!

access-list 150 permit ip 10.160.0.0 0.0.255.255 10.150.0.0 0.0.255.255

!

Site B

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 6 TEST123 address XXX.XXX.XXX.XXX
!
crypto ipsec transform-set CMAP-Phase2 esp-aes 256 esp-sha-hmac
!
crypto map CMAP-Phase1 2 ipsec-isakmp
 description ** VPN to SITE A **
 set peer XXX.XXX.XXX.XXX
 set transform-set CMAP-Phase2
 match address 150

!

object-group network VPN-SITEB
 10.150.0.0 255.255.255.0
 10.150.1.0 255.255.255.0
 10.150.2.0 255.255.255.0
 10.150.3.0 255.255.255.0
 10.150.4.0 255.255.255.0
 10.150.5.0 255.255.255.0
 10.150.100.0 255.255.255.0
!
object-group network VPN-SITEA
 10.160.1.0 255.255.255.0
 10.160.0.0 255.255.255.0
 10.160.20.0 255.255.255.0
 10.160.10.0 255.255.255.0

!

ip nat inside source list SITEB_NAT_ADDRESS interface fastethernet 0/0 overload

!

ip access-list extended SITEB_NAT_ADDRESS
 deny   ip object-group VPN-SITEB object-group VPN-SITEA
 permit ip object-group VPN-SITEB any

!

access-list 150 permit ip 10.150.0.0 0.0.255.255 10.160.0.0 0.0.255.255
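When a name lookup fails but pinging the server's IP works, one thing worth ruling out before blaming DNS itself is whether the DNS packets actually take the tunnel: on IOS the NAT decision is made first, and only untranslated traffic that matches the crypto ACL is encrypted. The script below is an added example (not part of the original post or of any Cisco tool) that encodes the two ACLs posted above, `access-list 150` and the object-group based NAT ACLs, in plain data and checks any source/destination pair against them in that order. The address data is copied from the configuration in the question; the client addresses used in the `__main__` section are constructed for illustration, and the `via_tunnel` verdict is a simplification (a translated packet would carry the outside interface address as its source and so no longer match the crypto ACL).

```python
import ipaddress

# --- Data transcribed from the configuration posted in the question ---
# Crypto ACL 150 (interesting traffic) per site, in IOS wildcard-mask form:
# (action, src_network, src_wildcard, dst_network, dst_wildcard)
CRYPTO_ACL = {
    "A": [("permit", "10.160.0.0", "0.0.255.255", "10.150.0.0", "0.0.255.255")],
    "B": [("permit", "10.150.0.0", "0.0.255.255", "10.160.0.0", "0.0.255.255")],
}

# Object-groups referenced by the NAT ACLs, converted from subnet-mask form.
VPN_SITEA = ["10.160.1.0/24", "10.160.0.0/24", "10.160.20.0/24", "10.160.10.0/24"]
VPN_SITEB = ["10.150.0.0/24", "10.150.1.0/24", "10.150.2.0/24", "10.150.3.0/24",
             "10.150.4.0/24", "10.150.5.0/24", "10.150.100.0/24"]

# NAT ACL per site: (action, src_group, dst_group); "any" matches everything.
# A "deny" here means the flow is exempt from translation.
NAT_ACL = {
    "A": [("deny", VPN_SITEA, VPN_SITEB), ("permit", VPN_SITEA, "any")],
    "B": [("deny", VPN_SITEB, VPN_SITEA), ("permit", VPN_SITEB, "any")],
}


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care = ~wc_i & 0xFFFFFFFF          # bits that must be equal
    return (ip_i & care) == (net_i & care)


def in_group(ip: str, group) -> bool:
    """True if ip falls inside any prefix of an object-group, or group is 'any'."""
    if group == "any":
        return True
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(prefix) for prefix in group)


def is_interesting(site: str, src: str, dst: str) -> bool:
    """First matching crypto ACL entry wins; no match is an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in CRYPTO_ACL[site]:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


def is_natted(site: str, src: str, dst: str) -> bool:
    """First matching NAT ACL entry wins; 'permit' means the flow is translated."""
    for action, s_grp, d_grp in NAT_ACL[site]:
        if in_group(src, s_grp) and in_group(dst, d_grp):
            return action == "permit"
    return False


def check_flow(site: str, src: str, dst: str) -> dict:
    """Evaluate a flow leaving `site` in IOS order: NAT first, then crypto."""
    natted = is_natted(site, src, dst)
    interesting = is_interesting(site, src, dst)
    return {"interesting": interesting, "natted": natted,
            "via_tunnel": interesting and not natted}


if __name__ == "__main__":
    # Constructed client addresses; 10.160.1.2 is the DNS server from the question.
    for src in ("10.150.1.10", "10.150.200.5"):
        print(f"B: {src} -> 10.160.1.2 : {check_flow('B', src, '10.160.1.2')}")
    print(f"A: 10.160.1.2 -> 10.150.1.10 : {check_flow('A', '10.160.1.2', '10.150.1.10')}")
    print(f"B: 10.150.1.10 -> 8.8.8.8 : {check_flow('B', '10.150.1.10', '8.8.8.8')}")
```

Running it shows that a site B client talking to 10.160.1.2 is NAT-exempt and matches the crypto ACL in both directions, so UDP/53 to that server should be carried by the tunnel; it also makes visible that `access-list 150` covers the whole 10.150.0.0/16 while the NAT exemption lists only specific /24s, which is worth keeping in mind if further subnets are added at either site.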

1 Reply

That problem is not related to VPNs but to the way a computer resolves names. Your PCs should:

  • use the FQDN to resolve names instead of hostnames (srv001.company.intern instead of srv001)
  • use a DNS server that can resolve the FQDNs
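The reply's point is about how a stub resolver completes a bare hostname, so the following added example (not part of the reply or of any vendor code) simulates that step: a single-label name such as `DNS-SRV001` is only looked up as-is unless the client has a DNS suffix search list, in which case each suffix is appended in turn, while an FQDN is looked up directly. The zone data is a constructed table using the `company.intern` domain from the reply and the server name and address from the question; the `ndots` rule mirrors the resolv.conf convention and is an assumption about the client, not something the page states.

```python
from typing import List, Optional, Tuple

# Constructed zone data for the site A domain (illustrative only).
ZONE = {
    "dns-srv001.company.intern.": "10.160.1.2",
    "dc01.company.intern.": "10.160.1.3",
}


def lookup(name: str) -> Optional[str]:
    """Exact, case-insensitive match against the zone, like an authoritative answer."""
    fqdn = name.lower()
    if not fqdn.endswith("."):
        fqdn += "."
    return ZONE.get(fqdn)


def candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Build the ordered list of names a resolver would actually query.

    - A trailing dot marks an absolute name: query it only.
    - Fewer than `ndots` dots: try each search suffix first, then the bare name.
    - Otherwise: try the name as given first, then the suffixes.
    """
    if name.endswith("."):
        return [name]
    with_suffix = [f"{name}.{suffix}" for suffix in search_list]
    if name.count(".") < ndots:
        return with_suffix + [name]
    return [name] + with_suffix


def resolve(name: str, search_list: List[str], ndots: int = 1) -> Tuple[Optional[str], List[str]]:
    """Return (address or None, list of names tried in order)."""
    tried: List[str] = []
    for cand in candidates(name, search_list, ndots):
        tried.append(cand)
        addr = lookup(cand)
        if addr is not None:
            return addr, tried
    return None, tried


if __name__ == "__main__":
    # Site B client with no suffix list: the bare name is never completed.
    print(resolve("DNS-SRV001", []))
    # Same client with the site A suffix configured: first candidate succeeds.
    print(resolve("DNS-SRV001", ["company.intern"]))
    # A client whose only suffix is its own site domain still fails on the bare name...
    print(resolve("DNS-SRV001", ["siteb.intern"]))
    # ...but the FQDN works regardless of the suffix list.
    print(resolve("dns-srv001.company.intern", ["siteb.intern"]))
```

The `tried` list is the useful part when debugging: it shows exactly which names the client would have sent to its DNS server, which makes the difference between "the tunnel is broken" and "the name was never asked for in a form the server could answer" obvious.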