
Easy VPN clients and DNS

Berto.Luis1
Level 1

HI There!

I have a Cisco 881 router that I am using to connect our main office to an AWS VPC.  I was able to configure it and it works just fine.  I also configured an Easy VPN server for outside users and I can authenticate as well (using the Mac native VPN connection).  However, my problem is that the VPN clients are not automatically being assigned our internal DNS server(s).  When I do an nslookup, it is using its router's DNS config, not the one assigned by the VPN tunnel.

I am by no means an expert on Cisco devices, so I had to configure this via CCP.

I was hoping that there is someone out there who can tell me what I need to do via the GUI.

Here is the current config:

Building configuration...

Current configuration : 11423 bytes

!

! Last configuration change at 13:11:23 PCTime Fri Jul 27 2012 by zephyr1

! NVRAM config last updated at 13:25:30 PCTime Fri Jul 27 2012 by zephyr1

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname zhi-rtr1

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authentication login ciscocp_vpn_xauth_ml_4 local

aaa authentication login ciscocp_vpn_xauth_ml_5 local

aaa authentication login ciscocp_vpn_xauth_ml_6 local

aaa authentication login ciscocp_vpn_xauth_ml_7 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

aaa authorization network ciscocp_vpn_group_ml_3 local

aaa authorization network ciscocp_vpn_group_ml_4 local

!

!

!

!

!

aaa session-id common

!

!

!

memory-size iomem 10

clock timezone PCTime -8

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-2916088173

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2916088173

revocation-check none

rsakeypair TP-self-signed-2916088173

!

!

crypto pki certificate chain TP-self-signed-2916088173

certificate self-signed 01

<hidden>

            quit

no ip source-route

!

!

ip dhcp excluded-address 10.0.1.1 10.0.1.99

ip dhcp excluded-address 10.0.1.201 10.0.1.254

!

ip dhcp pool ccp-pool1

   import all

   network 10.0.1.0 255.255.255.0

   dns-server 10.1.0.5 8.8.8.8

   default-router 10.0.1.1

!

!

ip cef

no ip bootp server

ip domain name zephyrhealthinc.com

ip name-server 8.8.8.8

ip name-server 10.1.0.5

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn FCZ1617927U

license accept end user agreement

license boot module c880-data level advipservices

!

!

username

username

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

crypto keyring keyring-vpn-9ec91a80-0

  pre-shared-key address

crypto keyring keyring-vpn-9ec91a80-1

  pre-shared-key address

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 200

encr aes

authentication pre-share

group 2

lifetime 28800

!

crypto isakmp policy 201

encr aes

authentication pre-share

group 2

lifetime 28800

crypto isakmp keepalive 10 10

!

crypto isakmp client configuration group users

key letmein!!!

dns 10.1.0.5

domain zephyr-intranet.com

pool vpn-dhcp

acl 100

split-dns zephyr-intranet.com

crypto isakmp profile isakmp-vpn-9ec91a80-0

   keyring keyring-vpn-9ec91a80-0

   match identity address x.x.x.x 255.255.255.255

crypto isakmp profile isakmp-vpn-9ec91a80-1

   keyring keyring-vpn-9ec91a80-1

   match identity address x.x.x.x 255.255.255.255

crypto isakmp profile ciscocp-ike-profile-1

   match identity group users

   client authentication list ciscocp_vpn_xauth_ml_6

   isakmp authorization list ciscocp_vpn_group_ml_4

   client configuration address respond

   virtual-template 3

!

crypto ipsec security-association replay window-size 128

!

crypto ipsec transform-set ipsec-prop-vpn-9ec91a80-0 esp-aes esp-sha-hmac

crypto ipsec transform-set ipsec-prop-vpn-9ec91a80-1 esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec df-bit clear

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 28800

set transform-set ESP-3DES-SHA2

set isakmp-profile ciscocp-ike-profile-1

!

crypto ipsec profile ipsec-vpn-9ec91a80-0

set transform-set ipsec-prop-vpn-9ec91a80-0

set pfs group2

!

crypto ipsec profile ipsec-vpn-9ec91a80-1

set transform-set ipsec-prop-vpn-9ec91a80-1

set pfs group2

!

!

!

!

!

!

interface Loopback0

ip address 10.2.0.1 255.255.255.0

!

!

interface Tunnel1

ip address x.x.x.x 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly

ip tcp adjust-mss 1387

tunnel source 75.101.56.200

tunnel mode ipsec ipv4

tunnel destination x.x.x.x

tunnel protection ipsec profile ipsec-vpn-9ec91a80-0

!

!

interface Tunnel2

ip address x.x.x.x 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly

ip tcp adjust-mss 1387

tunnel source x.x.x.x

tunnel mode ipsec ipv4

tunnel destination x.x.x.x

tunnel protection ipsec profile ipsec-vpn-9ec91a80-1

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address x.x.x.x 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

!

interface Virtual-Template1

ip unnumbered FastEthernet4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

!

!

interface Virtual-Template2 type tunnel

ip unnumbered FastEthernet4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

!

!

interface Virtual-Template3 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

!

interface Virtual-Template4

ip unnumbered Loopback0

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.0.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

!

router bgp 65000

bgp log-neighbor-changes

neighbor x.x.x.x remote-as 7224

neighbor x.x.x.x timers 10 30 30

neighbor x.x.x.x remote-as 7224

neighbor x.x.x.x timers 10 30 30

!

address-family ipv4

  no synchronization

  network 0.0.0.0

  neighbor x.x.x.x activate

  neighbor x.x.x.x default-originate

  neighbor x.x.x.x soft-reconfiguration inbound

  neighbor x.x.x.x activate

  neighbor x.x.x.x default-originate

  neighbor x.x.x.x soft-reconfiguration inbound

  no auto-summary

exit-address-family

!

ip local pool vpn-dhcp 10.2.0.100

ip forward-protocol nd

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet4

!

ip access-list extended NAT

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 2 remark HTTP Access-class list

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 10.0.1.0 0.0.0.255

access-list 2 deny   any

access-list 100 remark CCP_ACL Category=4

access-list 100 remark 10.1.0.0

access-list 100 permit ip 10.1.0.0 0.0.0.255 any

access-list 100 permit ip 10.0.0.0 0.0.0.255 any

access-list 100 remark All

access-list 100 permit ip host 10.0.0.0 any

no cdp run

!

!

!

!

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15  0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

!

webvpn gateway gateway_1

ip address x.x.x.x port 443 

http-redirect port 80

ssl trustpoint TP-self-signed-2916088173

no inservice

!

webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.4.1012-k9.pkg sequence 1

!

webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.4.1012-k9.pkg sequence 2

!

webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 3

!

webvpn context zhi-vpn

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "vpn-dhcp"

   svc default-domain "x.x.x.x"

   svc keep-client-installed

   svc split include 10.0.0.0 255.255.255.0

   svc split include 10.1.0.0 255.255.255.0

   svc dns-server primary 8.8.8.8

   svc dns-server secondary 10.1.0.5

virtual-template 4

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_7

gateway gateway_1

no inservice

!

end

I also want to note that I configured WebVPN/SSL VPN and am not using it; we preferred to use the native client on our machines instead.

Thanks!!!
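An added example (the editor's, not part of Berto's post and not the router's running config as posted): the lines of the posted Easy VPN configuration that decide what a connecting client receives, with one change. As posted, `ip local pool vpn-dhcp 10.2.0.100` is a single-address pool, which is consistent with only one client being able to connect at a time, since a second client has no address to be assigned; widening the range within the Loopback0 subnet that Virtual-Template3 borrows removes that limit. The `split-dns` line is what turns 10.1.0.5 into a domain-scoped resolver on the client rather than its default one. The group key from the posted config is left out here, the addresses are the thread's own, and the pool end address 10.2.0.200 is an assumption. Note also that the split-tunnel ACL as posted (acl 100) covers 10.1.0.0/24 and 10.0.0.0/24 but not the office LAN 10.0.1.0/24 on Vlan1, so clients would not reach the office LAN through the tunnel unless that is the intent.

```ios
! Added example (editor's, not the posted running-config): the Easy VPN
! pieces that shape what a client is given.  Group key omitted; pool end
! address 10.2.0.200 is an assumption.
!
! Client address pool.  As posted the pool is a single address (10.2.0.100),
! so only one client can hold an address at a time.  Keep it inside
! 10.2.0.0/24, the Loopback0 network that Virtual-Template3 is unnumbered to.
no ip local pool vpn-dhcp 10.2.0.100
ip local pool vpn-dhcp 10.2.0.100 10.2.0.200
!
crypto isakmp client configuration group users
 dns 10.1.0.5
 domain zephyr-intranet.com
 pool vpn-dhcp
 acl 100
 ! split-dns pushes 10.1.0.5 scoped to this domain only; the client keeps
 ! its local resolver for every other name.  Without this line IOS pushes
 ! 10.1.0.5 with no domain restriction (split tunnelling per acl 100 is
 ! unaffected); how the client then installs it is client behaviour.
 split-dns zephyr-intranet.com
!
! Verification on the router after a client connects:
!   show ip local pool vpn-dhcp     ! leased vs. free addresses
!   show crypto session detail      ! one entry per client with its assigned IP
!   show crypto isakmp sa           ! QM_IDLE = Phase 1 established
```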

2 Replies

Hi Berto,

Checking your configuration the DNS server is in there:

crypto isakmp client configuration group users

dns 10.1.0.5

!

What if you connect from a Windows client, does it work?

Can you ping the 10.1.0.5 IP?

Please include the following "ifconfig" output once connected.

Thanks.

Portu

Hi Portu!

After banging my head on my keyboard, here is what I found.  I am pretty sure it's a client issue with OS X Lion.

crypto isakmp client configuration group users

dns 10.1.0.5

I know that is right, you know that's right... I could ping the server (connection is fine) and do an nslookup against that server, i.e. nslookup blah 10.1.0.5.  So based on that, I know communication is working.

To test, I stood up a web server on the other side of the VPN tunnel, typed the DNS hostname into my browser, and it worked.  Head scratcher.  Haven't tested a Windows client, as I don't have a Windows box handy.

So, is there a way to get this to work properly?  Using nslookup, dig, etc. would be mighty handy for troubleshooting!

Also,

I noticed this morning that I can only have one concurrent VPN client connection to my router at once.  Should I start another thread?
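The behaviour in the last reply (the browser resolves the name, nslookup does not, yet 10.1.0.5 answers when queried directly) is what split DNS looks like on macOS: the pushed server is installed as a resolver scoped to zephyr-intranet.com, which the system resolver used by Safari, ping and Finder consults, while nslookup and dig read only /etc/resolv.conf and therefore always ask the default resolver. The following added example (the editor's, not code from the thread) parses a constructed sample of `scutil --dns` output in the shape macOS prints after such a connection, separates the resolver scoped to the VPN domain from the default one, and, when run on the Mac itself with a hostname argument, compares a lookup through the system resolver (`dscacheutil`) with one through `nslookup`. The sample output, the 192.168.1.1 home-router address and the utun0 interface name are constructed.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): why a DNS server pushed by an
# Easy VPN group with "split-dns" is used by the browser but not by nslookup
# on macOS, and how to test resolution the way the system resolver does.
#
# CONSTRUCTED sample of "scutil --dns" output after connecting with the
# thread's group policy (dns 10.1.0.5, split-dns zephyr-intranet.com).
# 192.168.1.1 (home router) and utun0 are assumed values.
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  reach    : Reachable

resolver #2
  domain   : zephyr-intranet.com
  nameserver[0] : 10.1.0.5
  if_index : 10 (utun0)
  flags    : Supplemental
  reach    : Reachable
'

# resolver_for_domain OUTPUT DOMAIN
# Prints the nameserver(s) of the "scutil --dns" entry scoped to DOMAIN.
# Pass an empty DOMAIN to get the unscoped (default) resolver, which is the
# one written to /etc/resolv.conf and therefore the only one nslookup and dig
# ever see.  Prints nothing when no entry matches.
resolver_for_domain() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function flush() { if (dom == want && ns != "") print ns }
        /^resolver #/      { flush(); dom = ""; ns = "" }
        /^ *domain *:/     { dom = $NF }
        /^ *nameserver\[/  { ns = (ns == "" ? $NF : ns " " $NF) }
        END                { flush() }
    '
}

# live_check HOSTNAME: on the Mac, compare the system resolver (what the
# browser used) with the stub resolver that nslookup uses.  Only run where
# scutil exists, so the script still loads elsewhere.
live_check() {
    vpn_ns=$(resolver_for_domain "$(scutil --dns)" zephyr-intranet.com)
    echo "scoped resolver for zephyr-intranet.com: ${vpn_ns:-none}"
    echo "--- system resolver (scoped entries honoured):"
    dscacheutil -q host -a name "$1"
    echo "--- nslookup (/etc/resolv.conf only, scoped entries ignored):"
    nslookup "$1"
    if [ -n "$vpn_ns" ]; then
        echo "--- query the pushed server directly, as the browser effectively did:"
        dig "@${vpn_ns%% *}" "$1" +short
    fi
}

if [ $# -gt 0 ] && command -v scutil >/dev/null 2>&1; then
    live_check "$1"
fi
```

Run it on the connected Mac as `sh check-vpn-dns.sh host.zephyr-intranet.com`: the `dscacheutil` lookup should succeed while `nslookup` of the same name fails or returns the home router's answer, which is the expected outcome with split DNS rather than a fault in the router's group policy. To exercise the resolver by hand, `dig @10.1.0.5 host.zephyr-intranet.com` bypasses the scoping question entirely.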