07-27-2012 01:38 PM
Hi there!
I have a Cisco 881 router that I am using to connect our main office to an AWS VPC. I was able to configure it and it works just fine. I also configured an Easy VPN server for outside users and I can authenticate as well (using the Mac native VPN connection). However, my problem is that the VPN clients are not automatically being assigned our internal DNS server(s). When I do an nslookup, it is using its router DNS config, not the one assigned by the VPN tunnel.
I am by no means an expert on Cisco devices, so I had to configure this via CCP.
I was hoping that there is someone out there who can tell me what I need to do via the GUI.
Here is the current config:
Building configuration...
Current configuration : 11423 bytes
!
! Last configuration change at 13:11:23 PCTime Fri Jul 27 2012 by zephyr1
! NVRAM config last updated at 13:25:30 PCTime Fri Jul 27 2012 by zephyr1
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname zhi-rtr1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authentication login ciscocp_vpn_xauth_ml_4 local
aaa authentication login ciscocp_vpn_xauth_ml_5 local
aaa authentication login ciscocp_vpn_xauth_ml_6 local
aaa authentication login ciscocp_vpn_xauth_ml_7 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
aaa authorization network ciscocp_vpn_group_ml_4 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2916088173
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2916088173
revocation-check none
rsakeypair TP-self-signed-2916088173
!
!
crypto pki certificate chain TP-self-signed-2916088173
certificate self-signed 01
<hidden>
quit
no ip source-route
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 10.0.1.201 10.0.1.254
!
ip dhcp pool ccp-pool1
import all
network 10.0.1.0 255.255.255.0
dns-server 10.1.0.5 8.8.8.8
default-router 10.0.1.1
!
!
ip cef
no ip bootp server
ip domain name zephyrhealthinc.com
ip name-server 8.8.8.8
ip name-server 10.1.0.5
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1617927U
license accept end user agreement
license boot module c880-data level advipservices
!
!
username
username
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto keyring keyring-vpn-9ec91a80-0
pre-shared-key address
crypto keyring keyring-vpn-9ec91a80-1
pre-shared-key address
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
!
crypto isakmp client configuration group users
key letmein!!!
dns 10.1.0.5
domain zephyr-intranet.com
pool vpn-dhcp
acl 100
split-dns zephyr-intranet.com
crypto isakmp profile isakmp-vpn-9ec91a80-0
keyring keyring-vpn-9ec91a80-0
match identity address x.x.x.x 255.255.255.255
crypto isakmp profile isakmp-vpn-9ec91a80-1
keyring keyring-vpn-9ec91a80-1
match identity address x.x.x.x 255.255.255.255
crypto isakmp profile ciscocp-ike-profile-1
match identity group users
client authentication list ciscocp_vpn_xauth_ml_6
isakmp authorization list ciscocp_vpn_group_ml_4
client configuration address respond
virtual-template 3
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-9ec91a80-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-9ec91a80-1 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA2
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile ipsec-vpn-9ec91a80-0
set transform-set ipsec-prop-vpn-9ec91a80-0
set pfs group2
!
crypto ipsec profile ipsec-vpn-9ec91a80-1
set transform-set ipsec-prop-vpn-9ec91a80-1
set pfs group2
!
!
!
!
!
!
interface Loopback0
ip address 10.2.0.1 255.255.255.0
!
!
interface Tunnel1
ip address x.x.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source 75.101.56.200
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile ipsec-vpn-9ec91a80-0
!
!
interface Tunnel2
ip address x.x.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source x.x.x.x
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile ipsec-vpn-9ec91a80-1
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template1
ip unnumbered FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
!
interface Virtual-Template3 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Virtual-Template4
ip unnumbered Loopback0
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
router bgp 65000
bgp log-neighbor-changes
neighbor x.x.x.x remote-as 7224
neighbor x.x.x.x timers 10 30 30
neighbor x.x.x.x remote-as 7224
neighbor x.x.x.x timers 10 30 30
!
address-family ipv4
no synchronization
network 0.0.0.0
neighbor x.x.x.x activate
neighbor x.x.x.x default-originate
neighbor x.x.x.x soft-reconfiguration inbound
neighbor x.x.x.x activate
neighbor x.x.x.x default-originate
neighbor x.x.x.x soft-reconfiguration inbound
no auto-summary
exit-address-family
!
ip local pool vpn-dhcp 10.2.0.100
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip access-list extended NAT
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark 10.1.0.0
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 remark All
access-list 100 permit ip host 10.0.0.0 any
no cdp run
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2916088173
no inservice
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.4.1012-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.4.1012-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 3
!
webvpn context zhi-vpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "vpn-dhcp"
svc default-domain "x.x.x.x"
svc keep-client-installed
svc split include 10.0.0.0 255.255.255.0
svc split include 10.1.0.0 255.255.255.0
svc dns-server primary 8.8.8.8
svc dns-server secondary 10.1.0.5
virtual-template 4
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_7
gateway gateway_1
no inservice
!
end
I also want to note that I configured WebVPN/SSL VPN and am not using it; we preferred to use the native client on our machines instead.
Thanks!!!
07-27-2012 11:25 PM
Hi Berto,
Checking your configuration the DNS server is in there:
crypto isakmp client configuration group users
dns 10.1.0.5
!
What if you connect from a Windows client, does it work?
Can you ping the 10.1.0.5 IP?
Please include the following "ifconfig" output once connected.
Thanks.
Portu
07-30-2012 08:11 AM
Hi Portu!
After banging my head on my keyboard, here is what I found. I am pretty sure it's a client issue with OS X Lion.
crypto isakmp client configuration group users
dns 10.1.0.5
I know that is right, you know that's right... I could ping the server (connection is fine) and do an nslookup against that server, i.e. nslookup blah 10.1.0.5. So based on that, I know communication is working.
To test, I stood up a web server on the other side of the VPN tunnel, typed the DNS hostname into my browser, and it worked. Head scratcher. Haven't tested a Windows client, as I don't have a Windows box handy.
So, is there a way to get this to work properly? Using nslookup, dig, etc., would be mighty handy for troubleshooting!
Also,
I noticed this morning that I can only have one concurrent vpn client connection to my router at once. Should I start another thread?
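As an added example (not from the thread, Cisco CP or IOS), a small Python audit of the posted Easy VPN group: it pulls the DNS server and split-dns domain the group pushes to clients and sizes the group's address pool, which in the config above is defined with a single address (10.2.0.100) and so can hand out one client address at a time. The excerpt is constructed from the posted config, re-indented the way IOS prints it, since the paste lost its indentation.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the posted running-config, re-indented as IOS prints it.
CONFIG = """\
crypto isakmp client configuration group users
 dns 10.1.0.5
 domain zephyr-intranet.com
 pool vpn-dhcp
 acl 100
 split-dns zephyr-intranet.com
ip local pool vpn-dhcp 10.2.0.100
"""


def parse_blocks(text):
    """Group IOS config lines into (header, [children]) by leading-space indentation."""
    blocks, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif not line.startswith(" "):
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def audit_ezvpn(text):
    """Report DNS settings each Easy VPN group pushes and how many addresses its pool holds."""
    blocks = parse_blocks(text)
    pools = {}
    for header, _ in blocks:
        m = re.match(r"ip local pool (\S+) (\S+)(?: (\S+))?$", header)
        if m:  # no high address means the pool holds exactly one client address
            name, first, last = m.groups()
            pools[name] = int(ip_address(last or first)) - int(ip_address(first)) + 1
    findings = {}
    for header, children in blocks:
        m = re.match(r"crypto isakmp client configuration group (\S+)", header)
        if m:
            attrs = dict(child.partition(" ")[::2] for child in children)
            findings[m.group(1)] = {
                "dns": attrs.get("dns", "").split(),  # primary [secondary] pushed to clients
                "split_dns": attrs.get("split-dns"),  # domain the client should send to the tunnel DNS
                "pool_size": pools.get(attrs.get("pool"), 0),
            }
    return findings
```

Running `audit_ezvpn(CONFIG)` on the excerpt reports the pushed DNS server 10.1.0.5, split-dns for zephyr-intranet.com, and a pool size of 1 for group `users`.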