Bizzare split tunnel issue on Pix..

 
 
Brian V
      01-01-2006
Hey all,

6.3(5), Pix 501 50user lic.

VPN works great with the exception of DNS. Pulling my hair out over this
one. Here's the deal.

Small customer with no internal DNS or WINS.

I had to change the VPN pool from a different subnet (192.168.1.0/24) to
using the same subnet as the internal lan (192.168.0.0/24), due to a windows
firewall issue with it having to be on the same subnet...no biggie....
Adjusted the VPN config, budda-bing everything working, can now do file and
print sharing, tested split tunnel by pinging a well known IP, everything
looks great. Tell the customer he's all set and I'm off on my merry way.

Get a call back, split tunneling isn't working.....I VPN back in, I'm
pinging IPs left and right....I see no issues. I open up a browser, no DNS,
I ping by name, again, no DNS. I ping the DNS server by IP and it works
perfect. I do an nslookup from the DNS server, up and running no problem.

This makes no sense! I've tried everything I could think of by modifying the
split tunnel list, from hosts only to denying 53, nothing seems to work.

Anyone run into this? Found any workarounds? Something screwed up in my
config (posted below)? Damn, done 1000's of these things, never ran into
this issue before!

If I roll back to using a separate subnet for the VPN, DNS works fine, but
file and print sharing breaks. Really don't feel like walking this guy through
changing all his windows firewall settings (which does work by allowing any
to connect, I tried that).

Thanks,
-Brian

pixfirewall# wr t
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name ABC
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.255.255.0
access-list splittunnel permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging console notifications
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.0.215-192.168.0.225
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxx address-pool VPNPool
vpngroup xxxxx dns-server 4.2.2.2 4.2.2.1
vpngroup xxxxx default-domain ABC
vpngroup xxxxx split-tunnel splittunnel
vpngroup xxxxx idle-time 1800
vpngroup xxxxx password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.125-192.168.0.175 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ABC
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cfa6fe6a825ab7673096a834d2a9bbfb
: end
[OK]

Walter Roberson
      01-01-2006
In article <(E-Mail Removed)>,
Brian V <(E-Mail Removed)> wrote:
>6.3(5), Pix 501 50user lic.


>VPN works great with the exception of DNS. Pulling my hair out over this
>one. Here's the deal.


>Small customer with no internal DNS or WINS.


>I had to change the VPN pool from a different subnet (192.168.1.0/24) to
>using the same subnet as the internal lan (192.168.0.0/24), due to a windows
>firewall issue with it having to be on the same subnet...no biggie....


If you use a VPN pool that overlaps your inside subnet then you should
expect your VPN to fail completely.


>If I roll back to using a separate subnet for the VPN, DNS works fine, but
>file and print sharing breaks.


Sounds like you don't have WINS set up. And indeed I notice your
vpngroup configuration contains no WINS setting.


>ip address outside dhcp setroute


>crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>crypto map outside_map interface outside


dynamic-maps are really only for use on systems with fixed IP addresses.
On the other hand, the -real- problem with such a configuration is
getting knowledge of the outside IP propagated to the clients: if they
are able to figure out where you are, then there isn't any real
technical barrier to using a dynamic map for them (provided your
isakmp identity is set to hostname.)
--
"law -- it's a commodity"
-- Andrew Ryan (The Globe and Mail, 2005/11/26)
 
Brian V
      01-01-2006

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:dp7fja$mss$(E-Mail Removed)...
> In article <(E-Mail Removed)>,
> Brian V <(E-Mail Removed)> wrote:
>>6.3(5), Pix 501 50user lic.

>
>>VPN works great with the exception of DNS. Pulling my hair out over this
>>one. Here's the deal.

>
>>Small customer with no internal DNS or WINS.

>
>>I had to change the VPN pool from a different subnet (192.168.1.0/24) to
>>using the same subnet as the internal lan (192.168.0.0/24), due to a
>>windows
>>firewall issue with it having to be on the same subnet...no biggie....

>
> If you use a VPN pool that overlaps your inside subnet then you should
> expect your VPN to fail completely.
>


Typically I use a different subnet for the VPN pool but I needed to find a
way to "bypass" the XP firewall settings for file and print share. The XP
firewall default is "local network", thus having to use the same subnet in
the VPN pool. That's what's different about this customer, it's all XP, no
servers where file serve is typically done from. I didn't know how it was
going to act using the same subnet for the pool, believe me, I was surprised
it worked at all. Now it's just this stupid DNS issue that's holding it up.


>
>>If I roll back to using a separate subnet for the VPN, DNS works fine, but
>>file and print sharing breaks.

>
> Sounds like you don't have WINS set up. And indeed I notice your
> vpngroup configuration contains no WINS setting.
>


Yes, there is no WINS. I specified that earlier in my post. The customer is
a very small shop, no internal servers, just a dozen or so XP workstations.
Rely on netbios for named file and print share internally. It is not a WINS
issue that causes it to break anyways, it's an XP firewall issue that causes
it to break by using a different subnet.

>
>>ip address outside dhcp setroute

>
>>crypto dynamic-map outside_dyn_map 20 match address
>>outside_cryptomap_dyn_20
>>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
>>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>crypto map outside_map interface outside

>
> dynamic-maps are really only for use on systems with fixed IP addresses.
> On the other hand, the -real- problem with such a configuration is
> getting knowledge of the outside IP propagated to the clients: if they
> are able to figure out where you are, then there isn't any real
> technical barrier to using a dynamic map for them (provided your
> isakmp identity is set to hostname.)
> --


99% of cable systems around here use DHCP that almost never changes. Rather
than staticing the WAN side, leave it in DHCP mode; that way the office
doesn't go down if the IP changes, worst case is having to put a new IP into
the VPN profile on a couple of machines. No other way I know of that you can
create a remote access VPN without having a dynamic map.

Thanks Walter!
-Brian


response3
      01-01-2006
I've got a client VPN setup with overlapping IP subnets. For example,
the firewall is on a class B network, and my remote VPN clients are on a
subnetted portion of this. Have you tried using split-dns? This works
in the same manner as split-tunneling, where any domains that you have
specified in the config for lookup are passed through the tunnel;
everything else is passed to the client's ISP DNS server. Here is a
sample config entry:

vpngroup xxxxxxxx split-dns abccorp.local

Brian
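To make the two mechanisms discussed in this thread concrete (Walter's point that the address pool overlaps the inside subnet, and response3's description of split-dns), here is a small Python model of the decisions a remote-access client makes from a pushed vpngroup policy. It is an added illustration, not code from the thread or from Cisco; the client logic (first match against the split-tunnel networks, suffix match against the split-dns domains, fall-back to the ISP resolver) is an assumption, `abccorp.local` is the placeholder domain from response3's sample, and the ISP resolver address is constructed. The thread does not say why the pushed 4.2.2.2 resolver failed with the overlapping pool, so the model only shows what each setting changes.

```python
"""Model of the split-tunnel and split-DNS decisions a remote-access client
makes from a PIX 'vpngroup' policy.  Added illustration: the client logic is
assumed, not taken from the thread or from Cisco documentation."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass
class VpnGroupPolicy:
    pool_first: str                 # 'ip local pool' range start
    pool_last: str                  # 'ip local pool' range end
    split_tunnel_nets: List[str]    # destinations in the split-tunnel ACL
    dns_servers: List[str] = field(default_factory=list)        # 'dns-server'
    split_dns_domains: List[str] = field(default_factory=list)  # 'split-dns'


def pool_overlaps(policy: VpnGroupPolicy, inside_subnet: str) -> bool:
    """True when any pool address falls inside the inside-interface subnet
    (Walter's objection to the thread's 192.168.0.215-225 pool)."""
    net = ipaddress.ip_network(inside_subnet, strict=False)
    first = ipaddress.ip_address(policy.pool_first)
    last = ipaddress.ip_address(policy.pool_last)
    return first <= net[-1] and last >= net[0]


def route_for(policy: VpnGroupPolicy, dst: str) -> str:
    """'tunnel' if dst matches a split-tunnel network, else 'clear'."""
    addr = ipaddress.ip_address(dst)
    for cidr in policy.split_tunnel_nets:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return "tunnel"
    return "clear"


def resolver_for(policy: VpnGroupPolicy, name: str, isp_dns: str) -> Tuple[str, str]:
    """Return (resolver address, path) used for a lookup of `name`.

    Without split-dns, every name goes to the pushed dns-server (if any) and
    the query packet follows the split-tunnel ACL like any other traffic.
    With split-dns, only names under the listed domains go to the pushed
    servers; everything else goes to the client's ISP resolver in the clear.
    """
    fqdn = name.rstrip(".").lower()
    if policy.split_dns_domains:
        domains = [d.lower() for d in policy.split_dns_domains]
        in_domain = any(fqdn == d or fqdn.endswith("." + d) for d in domains)
        if not in_domain or not policy.dns_servers:
            return isp_dns, "clear"
    elif not policy.dns_servers:
        return isp_dns, "clear"
    server = policy.dns_servers[0]
    return server, route_for(policy, server)


# Policy as posted in the thread (pool 192.168.0.215-225, split-tunnel ACL
# 192.168.0.0/24, public resolvers 4.2.2.2 / 4.2.2.1, no split-dns).
THREAD_POLICY = VpnGroupPolicy(
    pool_first="192.168.0.215",
    pool_last="192.168.0.225",
    split_tunnel_nets=["192.168.0.0/24"],
    dns_servers=["4.2.2.2", "4.2.2.1"],
)

# Same policy with response3's suggestion added; 'abccorp.local' is the
# placeholder domain from that post, not the customer's real domain.
SPLIT_DNS_POLICY = replace(THREAD_POLICY, split_dns_domains=["abccorp.local"])

ISP_DNS = "198.51.100.53"   # constructed address for the client's ISP resolver

if __name__ == "__main__":
    print("pool overlaps inside subnet:", pool_overlaps(THREAD_POLICY, "192.168.0.0/24"))
    for pol, label in ((THREAD_POLICY, "no split-dns"), (SPLIT_DNS_POLICY, "split-dns")):
        for host in ("pc1.abccorp.local", "www.example.com"):
            print(f"{label:12} {host:20} -> {resolver_for(pol, host, ISP_DNS)}")
```

Running it shows that with the posted policy the pool does overlap 192.168.0.0/24, that every lookup is sent to the pushed public resolver outside the tunnel, and that once split-dns is set only names under the listed domain still use the pushed resolver while everything else falls back to the ISP's.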

Brian V
      01-01-2006

"response3" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I've got a client VPN setup with overlapping IP subnets. For example,
> the firewall is on a class B network, and my remote VPN clients are on a
> subnetted portion of this. Have you tried using split-dns? This works
> in the same manner as split-tunneling, where any domains that you have
> specified in the config for lookup are passed through the tunnel;
> everything else is passed to the client's ISP DNS server. Here is a
> sample config entry:
>
> vpngroup xxxxxxxx split-dns abccorp.local
>
> Brian
>


Out friggin standing! Worked like a champ. Never even thought about that.

Thanks!
-Brian
