
DNS Server

mdavis
Level 1

Hello, I have recently established a VPN connection using a new ASA5510. I am trying to enable DNS so that names can be used instead of IP addresses. I am trying to use the ASDM to accomplish this as I am not very familiar with the ASA CLI. Any help will be greatly appreciated. I am using version 6.3 of the ASDM.

12 Replies

Marcin Latosiewicz
Cisco Employee

Mark,

It would help to know what sort of VPN this is (IPSec, SSL, LAN-to-LAN, remote) and what the initiator for the VPN is (mobile phone, another appliance, client).

Typically what you need in case of remote access is DNS-server and domain-name to send to the client.

Marcin

Marcin, it is an IPSec setup and the initiator is a client. So I would remote from my computer at home and log in successfully. However, when I go to remote desktop and use a name instead of an IP I am unable to connect. In the ASDM I have the server and domain set up and I enabled an interface per the documentation but I am still unable to connect.

Mark,

I don't have an ASDM anywhere on top.

But the two settings you need to change for your Cisco VPN client to resolve names properly (note that Mac/iPhone/iPad users might behave differently) are these:

group-policy NAME_HERE internal
group-policy NAME_HERE attributes
 dns-server value 1.1.2.3 2.4.5.6
 default-domain value mydomain.com

I don't remember the exact name in ASDM but I believe it will be a profile or group setting.

So what I'm essentially saying here is that users using group policy NAME_HERE are going to use 1.1.2.3 and 2.4.5.6 as their DNS servers and if I don't specify a FQDN, we will assume NAME.mydomain.com.

Again, I could probably map those easily to ASDM if I had access to one at 1AM in the morning ;-)

Marcin

Marcin, attached is the screenshot of the ASA and the DNS settings that according to the manual should work. I did have the interfaces enabled before but changed it back to default as it was not working.

Mark,

Hold on, the settings are just for the appliance itself.

I'm getting ASDM onto my lab device, will update this post with a screenshot.

Edit:

Added two screenshots:

1) Where to change DNS settings for VPN users.

2) How to check under which group-policy a particular user is landing.

Marcin

Marcin, thank you very much. I applied the settings but still no luck in using names to connect to remote desktop. I am trying to see if an ACL or something is blocking it. Using IP works without a problem.

Mark,

You never mentioned you were using L2TP over IPsec ... maybe there is something special in regards to it (don't remember off the top of my head), I was always assuming Cisco VPN client ;-)

Can you please check for me if the settings were pushed from the VPN headend to the client? "ipconfig /all" should show you.

Please be aware the default-domain will not be sent in case of an L2TP over IPsec connection:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse74376

Are you using "host.mydomain.com" or just "host" when connecting via RDP?

Marcin

I use just the host name when connecting. The domain is not required. Here is a copy of my ipconfig from my laptop, the remote client. It even shows that the DNS server is recognized. Log attached.

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : EVAC
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.18.11.202(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.0.25
NetBIOS over Tcpip. . . . . . . . : Enabled

Mark,

OK, let's check DNS resolution only.

Can you check nslookup and try to resolve:

hostname

and

hostname.domain.com

Since default-domain is not sent I guess the first one should fail.

In the log you indicated - what is the Teardown message saying - what is the reason?

Marcin
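
Added example (not from either poster or from Cisco): Python that parses one `ipconfig /all` adapter block to report whether the VPN headend pushed a DNS server and a connection-specific suffix, and which names a suffix search would then query. The sample block is constructed from the output posted above; the adapter header line and all function names are assumptions, and the suffix logic is a simplified model of the Windows resolver.

```python
import re

# Constructed sample modelled on the thread's output; header line is assumed.
SAMPLE = """\
PPP adapter EVAC:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : EVAC
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 172.18.11.202(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.0.25
"""

# "Label . . . : value" lines; requiring a space before the colon keeps
# IPv6 continuation lines from being mistaken for a label.
FIELD = re.compile(r"^\s+(\S.*?)[ .]* :\s*(.*)$")

def parse_adapter(text):
    """Return the DNS suffix and DNS servers found in one adapter block."""
    info = {"suffix": "", "dns": []}
    last = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, value = m.group(1), m.group(2).strip()
            if last == "Connection-specific DNS Suffix":
                info["suffix"] = value
            elif last == "DNS Servers" and value:
                info["dns"].append(value)
        elif last == "DNS Servers" and line.strip():
            info["dns"].append(line.strip())  # extra server on its own line
    return info

def candidate_names(host, suffixes):
    """Simplified model: a single-label name gets each known suffix appended."""
    host = host.rstrip(".")
    if "." in host:
        return [host]  # already qualified, queried as given
    return [f"{host}.{s}" for s in suffixes if s] or [host]

def diagnose(text, host):
    """Summarise what was pushed and which names would be sent to DNS."""
    info = parse_adapter(text)
    return {"dns_pushed": bool(info["dns"]),
            "suffix_pushed": bool(info["suffix"]),
            "queries": candidate_names(host, [info["suffix"]])}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "evacdc1"))
```

On the constructed sample it reports a DNS server but no suffix, so `evacdc1` is queried as a bare label; with a suffix present the query becomes the fully qualified name.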

Hey Marcin, here are the results from the nslookup

C:\Users\Jacqueline>nslookup 192.168.0.25
Server:  evacdc1.evacamb.org
Address:  192.168.0.25

Name:    evacdc1.evacamb.org
Address:  192.168.0.25


C:\Users\Jacqueline>nslookup evacdc1
Server:  evacdc1.evacamb.org
Address:  192.168.0.25

*** evacdc1.evacamb.org can't find evacdc1: Server failed

Marcin, the settings are now working and I am able to connect using names.domain. Thank you very much for your help.

Mark,

Cool! What did the trick?

Can you also mark this thread as resolved?

Marcin