Velocity Reviews > Newsgroups > Computing > Cisco
DNS Issue over Site-Site VPN Tunnel

 
 
Knutts
09-15-2006
Hi,

Have a problem with DNS requests over an IPsec site-to-site VPN using a
Cisco 837 at either end. We can ping the DNS server IP address at the
remote end of the tunnel but cannot ping the server name or join the
domain, etc. We can browse the server using the IP address without any
issue. Configs below.

!This is the running config of the router: Remote Router
!----------------------------------------------------------------------------
!version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$UeOB$18cSXwZSBc6vkttEgbFGP0
!
username CRWS_dheeraj privilege 15 password 7 03400A4F315E276D0A06480A24371B0D50727E7C796B637340
username CRWS_Ritesh privilege 15 password 7 100A585D3246142A480B7B24170D23347342504257530F0C080A
username CRWS_Vijay privilege 15 password 7 125D5453255A0A256E2475270010321256465654000E0D000D5C
username CRWS_Shashi privilege 15 password 7 06425E657B1F0F38411843043F213A2A7C7162657043564756
username CRWS_Bijoy privilege 15 password 7 09081F4D2E5411334F0355251801383264774051405254050909
username CRWS_Gayatri privilege 15 password 7 1453434F3B552C0A6027623A11361717525302080E010C5E57
username CRWS_Sangeetha privilege 15 password 7 1453434F3B552C0A6027623A113617175151070F080A0D5C5548
username CRWS_Prem privilege 15 password 7 0242551F3C570900084158163632020A5D5C7373767A62627741
username CRWS_Jaidil privilege 15 password 7 015757406C5A002E65431F062A2007135A5F567E7C7571626C7A
username CRWS_Giri privilege 15 password 7 114D484120430D2D40257A2B1B162523425040515205010B040D
username Router password 7 06211D7542495A2E554716
no aaa new-model
ip subnet-zero
ip name-server 192.168.20.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.3
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 xxxxxxxxx address 80.68.39.234
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to80.68.39.234
set peer 80.68.39.234
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.20.254-255.255.255.0$ETH-LAN$
ip address 192.168.20.254 255.255.255.0
ip access-group 122 out
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address 80.68.42.226 255.255.255.240
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname (E-Mail Removed)
ppp chap password 7 040952535A20191B08
ppp pap sent-username (E-Mail Removed) password 7 124B5C42470A59512B
crypto map SDM_CMAP_1
!
ip nat inside source static udp 192.168.20.3 47 interface Dialer1 47
ip nat inside source static tcp 192.168.20.3 47 interface Dialer1 47
ip nat inside source static tcp 192.168.20.3 3101 interface Dialer1 3101
ip nat inside source static tcp 192.168.20.3 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.20.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.20.1 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.20.3 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.20.1 1433 interface Dialer1 1433
ip nat inside source static udp 192.168.20.1 1433 interface Dialer1 1433
ip nat inside source static tcp 192.168.20.1 50 interface Dialer1 50
ip nat inside source static udp 192.168.20.1 50 interface Dialer1 50
ip nat inside source static tcp 192.168.20.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.20.1 110 interface Dialer1 110
ip nat inside source static tcp 192.168.20.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255 log
access-list 102 remark SDM_ACL Category=18
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255 log
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq 50
access-list 111 permit tcp any any eq 50
access-list 111 permit udp any any eq 1433
access-list 111 permit tcp any any eq 1433
access-list 111 permit udp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3101
access-list 111 permit tcp any any eq 47
access-list 111 permit udp any any eq 47
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

!This is the running config of the router: Local Router
!----------------------------------------------------------------------------
!version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username chris privilege 15 secret 5 $1$jpZi$tKjkGHLhqtyY.TnMR/1f91
username robin privilege 15 secret 5 $1$O0tV$BiT9JZDMLXrGKmDl5DQap0
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.254
!
ip dhcp pool CLIENT
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.254
dns-server 192.168.50.254 80.68.34.6
lease 0 2
!
!
ip name-server 80.68.34.6
ip name-server 80.68.34.8
ip name-server 192.168.20.1
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 80.68.42.226
!
!
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
! Incomplete
description Tunnel to80.68.42.226
set peer 80.68.42.226
set transform-set ESP-3DES-SHA2
match address 103
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to80.68.42.226
set peer 80.68.42.226
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface Ethernet0
description $ETH-LAN$
ip address 192.168.50.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
ip address 80.68.39.234 255.255.255.240
ip mtu 1452
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname (E-Mail Removed)
ppp chap password 7 10160C18034610580D
ppp pap sent-username (E-Mail Removed) password 7 135D12130D5D06792A
crypto map SDM_CMAP_2
crypto ipsec df-bit clear
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 80.68.39.224 0.0.0.15 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end

 
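Both configs above carry credentials as `password 7` strings (the CRWS usernames, the PPP CHAP/PAP passwords) alongside `enable secret 5` and `username ... secret 5` hashes. Type 7 is not a hash: it is a fixed-key XOR, so every `password 7` value in a pasted config is equivalent to its cleartext, while type 5 is a salted MD5 hash that has to be cracked offline. Separately, the Remote Router's inbound `access-list 111` permits telnet, 1433 and 3389 from any source, which the example below does not touch. The following is an added example, not code from the thread: it implements the type 7 scheme, checks it against the widely published test vector for the string "cisco", and classifies credential lines in a constructed config excerpt (none of the thread's real strings are used); the function names are my own.

```python
"""Cisco 'password 7' is an obfuscation, not a hash: decode it, encode it, and flag it in a config."""
import re

# The fixed key every IOS type 7 string is XORed against; the two leading decimal digits of
# the stored string give the starting offset into it.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Recover the cleartext from a 'password 7' string."""
    seed = int(encoded[:2])
    return "".join(chr(int(encoded[p:p + 2], 16) ^ ord(XLAT[(seed + n) % len(XLAT)]))
                   for n, p in enumerate(range(2, len(encoded), 2)))


def encode_type7(plain, seed=8):
    """Produce the 'password 7' form of a cleartext (the inverse of decode_type7)."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + n) % len(XLAT)]):02X}" for n, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Constructed config excerpt (not the thread's real strings): a type 7 value of the well-known
# test vector for "cisco", a type 5 (salted MD5) hash, and a password stored in the clear.
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$0123456789abcdefghijkl
username backup privilege 15 password 7 0822455D0A16
line vty 0 4
 password letmein
"""

CRED_RE = re.compile(r"\b(password|secret)\s+(?:([057])\s+)?(\S+)\s*$")


def classify_credentials(config_text):
    """Return (line, type, exposure) for every credential line in an IOS config."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.search(line)
        if not m:
            continue
        _, ptype, value = m.groups()
        if ptype == "7":
            exposure = f"reversible; cleartext is {decode_type7(value)!r}"
        elif ptype == "5":
            exposure = "salted MD5 hash; not reversible, but crackable offline"
        else:
            exposure = "stored in the clear"
        findings.append((line.strip(), f"type {ptype or 0}", exposure))
    return findings
```

`classify_credentials(SAMPLE_CONFIG)` reports the `password 7` line as reversible with its cleartext, the `secret 5` line as a hash, and the vty `password` line as clear. The practical consequence for a post like this one is that every `password 7` string in the config should be treated as a disclosed credential and rotated; `service password-encryption` only protects against shoulder-surfing, and `secret` (type 5 here, with stronger types on later IOS) is the form to use for accounts.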
 
 
 
 
swapnendu
09-17-2006
How have you configured DNS for hosts on the remote router end? Is the DNS server located on the local router end? Is a forwarder configured in the DNS server?
 
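The reply's questions can be answered from the posted configs. On the Local Router the DHCP pool hands clients 192.168.50.254 (the router itself) and the ISP resolver 80.68.34.6; the only resolver that knows the domain, 192.168.20.1 on the far side of the tunnel, appears only in the router's own `ip name-server` list, and the config has no `ip dns server` line. The following is an added example, not code from the thread: it parses a constructed excerpt of the posted Local Router config and traces each DNS path against the crypto ACL that the interface's crypto map selects traffic with. It assumes the IOS default that router-originated packets are sourced from the exit interface's address (here 80.68.39.234, since no source-interface is configured) and that a cleartext packet toward an RFC 1918 address does not arrive; the function and constant names are mine.

```python
"""Trace where each DNS query on an IOS site-to-site IPsec router ends up: tunnel, clear or nowhere."""
import ipaddress

# Constructed excerpt of the thread's "Local Router" config (only the lines this check reads).
LOCAL_ROUTER = """\
ip dhcp pool CLIENT
 dns-server 192.168.50.254 80.68.34.6
ip name-server 80.68.34.6
ip name-server 192.168.20.1
crypto map SDM_CMAP_2 1 ipsec-isakmp
 match address 100
interface Ethernet0
 ip address 192.168.50.254 255.255.255.0
interface Dialer0
 ip address 80.68.39.234 255.255.255.240
 crypto map SDM_CMAP_2
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
TUNNEL = "encrypted through the tunnel"
CLEAR_PUBLIC = "sent in the clear to an internet resolver"
CLEAR_PRIVATE = "sent in the clear toward a private address: never arrives"
NO_DNS = "router is not a DNS server (no 'ip dns server'): query goes unanswered"


def _acl_addr(t, i):
    """'any' or 'X wildcard' at t[i] -> ((base, wildcard), index after it)."""
    return (("0.0.0.0", "255.255.255.255"), i + 1) if t[i] == "any" else ((t[i], t[i + 1]), i + 2)


def parse_config(text):
    """Pull out the pieces that decide a DNS packet's fate from IOS running-config text."""
    cfg = {"acls": {}, "crypto_maps": {}, "interfaces": {}, "dhcp_dns": [],
           "name_servers": [], "dns_server_enabled": False, "default_exit": None}
    section = None  # (kind, name) of the enclosing interface / crypto map / dhcp pool
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0] == "!":
            continue
        kind = section[0] if section else None
        if t[0] == "interface":
            section = ("interface", t[1])
            cfg["interfaces"][t[1]] = {"ip": None, "crypto_map": None}
        elif t[:2] == ["crypto", "map"] and len(t) == 5:          # header: name seq ipsec-isakmp
            section = ("crypto_map", t[2])
        elif t[:2] == ["crypto", "map"] and kind == "interface":  # map applied to the interface
            cfg["interfaces"][section[1]]["crypto_map"] = t[2]
        elif t[:3] == ["ip", "dhcp", "pool"]:
            section = ("dhcp", t[3])
        elif t[0] == "dns-server" and kind == "dhcp":
            cfg["dhcp_dns"] += t[1:]
        elif t[:2] == ["ip", "name-server"]:
            cfg["name_servers"] += t[2:]
        elif t[:3] == ["ip", "dns", "server"]:
            cfg["dns_server_enabled"] = True
        elif t[:2] == ["ip", "address"] and kind == "interface":
            cfg["interfaces"][section[1]]["ip"] = t[2]
        elif t[:2] == ["match", "address"] and kind == "crypto_map":
            cfg["crypto_maps"].setdefault(section[1], []).append(t[2])
        elif t[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            cfg["default_exit"] = t[4]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, i = _acl_addr(t, 4)
            cfg["acls"].setdefault(t[1], []).append((t[2], src, _acl_addr(t, i)[0]))
    return cfg


def _wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_action(rules, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    return next((action for action, (sb, sw), (db, dw) in rules
                 if _wildcard_match(src, sb, sw) and _wildcard_match(dst, db, dw)), "deny")


def fate(cfg, src, dst):
    """Where a src->dst DNS packet leaving the default-route interface ends up."""
    exit_if = cfg["interfaces"].get(cfg["default_exit"], {})
    for acl in cfg["crypto_maps"].get(exit_if.get("crypto_map"), []):
        if acl_action(cfg["acls"].get(acl, []), src, dst) == "permit":
            return TUNNEL  # selected by the crypto map, so IPsec-encrypted to the peer
    return CLEAR_PRIVATE if ipaddress.IPv4Address(dst).is_private else CLEAR_PUBLIC


def dns_path_report(cfg, client_ip):
    """(who, resolver, fate) for a DHCP client's resolvers and for the router's own lookups."""
    own_ips = {i["ip"] for i in cfg["interfaces"].values()}
    report = []
    for server in cfg["dhcp_dns"]:
        asks_router = server in own_ips  # the client is pointed at the router itself
        proxy = "answered by the router's DNS proxy" if cfg["dns_server_enabled"] else NO_DNS
        report.append(("client", server, proxy if asks_router else fate(cfg, client_ip, server)))
    # Router-originated lookups are sourced from the exit interface's own address (IOS default
    # when no source-interface is configured), so the crypto ACL sees the WAN address.
    wan_ip = cfg["interfaces"][cfg["default_exit"]]["ip"]
    report += [("router", server, fate(cfg, wan_ip, server)) for server in cfg["name_servers"]]
    return report
```

`dns_path_report(parse_config(LOCAL_ROUTER), "192.168.50.10")` shows the two failures at once: the client's first resolver is the router, which has no `ip dns server` and so never answers, and the router's own lookup toward 192.168.20.1 is sourced from 80.68.39.234, which crypto ACL 100 does not select, so it leaves Dialer0 in the clear. A query from a 192.168.50.x client straight to 192.168.20.1 does match ACL 100 (`fate(cfg, "192.168.50.10", "192.168.20.1")` returns `TUNNEL`), which is why listing 192.168.20.1 first in the pool's `dns-server` is the change to test before anything else; joining a domain also needs the SRV records that only that server holds, so a public resolver ahead of it in the list does not help.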
 
 
 