Bizarre split tunnel issue on Pix..

Discussion in 'Cisco' started by Brian V, Jan 1, 2006.

  1. Brian V

    Brian V Guest

    Hey all,

    6.3(5), Pix 501 50user lic.

    VPN works great with the exception of DNS. Pulling my hair out over this
    one. Here's the deal.

    Small customer with no internal DNS or WINS.

    I had to change the VPN pool from a different subnet (192.168.1.0/24) to
    using the same subnet as the internal lan (192.168.0.0/24), due to a windows
    firewall issue with it having to be on the same subnet...no biggie....
    Adjusted the VPN config, budda-bing everything working, can now do file and
    print sharing, tested split tunnel by pinging a well known IP, everything
    looks great. Tell the customer he's all set and I'm off on my merry way.

    Get a call back, split tunneling isn't working. I VPN back in, I'm
    pinging IPs left and right, I see no issues. I open up a browser, no DNS,
    I ping by name, again, no DNS. I ping the DNS server by IP and it works
    perfectly. I do an nslookup from the DNS server, up and running no problem.

    This makes no sense! I've tried everything I could think of by modifying the
    split tunnel list, from hosts only to denying 53, nothing seems to work.

    Anyone run into this? Found any work arounds? Something screwed up in my
    config (posted below)? Damn, done 1000's of these things, never ran into
    this issue before!

    If I roll back to using a separate subnet for the VPN, DNS works fine, but
    file and print sharing breaks. Really don't feel like walking this guy through
    changing all his windows firewall settings (which does work by allowing any
    to connect, I tried that).

    Thanks,
    -Brian

    pixfirewall# wr t
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password
    passwd
    hostname pixfirewall
    domain-name ABC
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.255.255.0
    access-list splittunnel permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging console notifications
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.0.215-192.168.0.225
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup xxxxx address-pool VPNPool
    vpngroup xxxxx dns-server 4.2.2.2 4.2.2.1
    vpngroup xxxxx default-domain ABC
    vpngroup xxxxx split-tunnel splittunnel
    vpngroup xxxxx idle-time 1800
    vpngroup xxxxx password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.125-192.168.0.175 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain ABC
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:cfa6fe6a825ab7673096a834d2a9bbfb
    : end
    [OK]
     
    Brian V, Jan 1, 2006
    #1

  2. Brian V wrote:
    >6.3(5), Pix 501 50user lic.


    >VPN works great with the exception of DNS. Pulling my hair out over this
    >one. Here's the deal.


    >Small customer with no internal DNS or WINS.


    >I had to change the VPN pool from a different subnet (192.168.1.0/24) to
    >using the same subnet as the internal lan (192.168.0.0/24), due to a windows
    >firewall issue with it having to be on the same subnet...no biggie....


    If you use a VPN pool that overlaps your inside subnet then you should
    expect your VPN to fail completely.


    >If I roll back to using a separate subnet for the VPN, DNS works fine, but
    >file and print sharing breaks.


    Sounds like you don't have WINS set up. And indeed I notice your
    vpngroup configuration contains no WINS setting.


    >ip address outside dhcp setroute


    >crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    >crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    >crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    >crypto map outside_map interface outside


    dynamic-maps are really only for use on systems with fixed IP addresses.
    On the other hand, the -real- problem with such a configuration is
    getting knowledge of the outside IP propagated to the clients: if they
    are able to figure out where you are, then there isn't any real
    technical barrier to using a dynamic map for them (provided your
    isakmp identity is set to hostname.)
    --
    "law -- it's a commodity"
    -- Andrew Ryan (The Globe and Mail, 2005/11/26)
     
    Walter Roberson, Jan 1, 2006
    #2

  3. Brian V

    Brian V Guest

    "Walter Roberson" wrote in message news:dp7fja$mss$...
    > Brian V wrote:
    >>6.3(5), Pix 501 50user lic.

    >
    >>VPN works great with the exception of DNS. Pulling my hair out over this
    >>one. Here's the deal.

    >
    >>Small customer with no internal DNS or WINS.

    >
    >>I had to change the VPN pool from a different subnet (192.168.1.0/24) to
    >>using the same subnet as the internal lan (192.168.0.0/24), due to a
    >>windows
    >>firewall issue with it having to be on the same subnet...no biggie....

    >
    > If you use a VPN pool that overlaps your inside subnet then you should
    > expect your VPN to fail completely.
    >


    Typically I use a different subnet for the VPN pool but I needed to find a
    way to "bypass" the XP firewall settings for file and print share. The XP
    firewall default is "local network", thus having to use the same subnet in
    the VPN pool. That's what's different about this customer, it's all XP, no
    servers where file serve is typically done from. I didn't know how it was
    going to act using the same subnet for the pool, believe me, I was surprised
    it worked at all. Now it's just this stupid DNS issue that's holding it up.


    >
    >>If I roll back to using a separate subnet for the VPN, DNS works fine, but
    >>file and print sharing breaks.

    >
    > Sounds like you don't have WINS set up. And indeed I notice your
    > vpngroup configuration contains no WINS setting.
    >


    Yes, there is no WINS. I specified that earlier in my post. The customer is
    a very small shop, no internal servers, just a dozen or so XP workstations.
    Rely on netbios for named file and print share internally. It is not a WINS
    issue that causes it to break anyways, it's an XP firewall issue that causes
    it to break by using a different subnet.

    >
    >>ip address outside dhcp setroute

    >
    >>crypto dynamic-map outside_dyn_map 20 match address
    >>outside_cryptomap_dyn_20
    >>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    >>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    >>crypto map outside_map interface outside

    >
    > dynamic-maps are really only for use on systems with fixed IP addresses.
    > On the other hand, the -real- problem with such a configuration is
    > getting knowledge of the outside IP propagated to the clients: if they
    > are able to figure out where you are, then there isn't any real
    > technical barrier to using a dynamic map for them (provided your
    > isakmp identity is set to hostname.)
    > --


    99% of cable systems around here use DHCP that almost never changes. Rather
    than staticing the WAN side, leave it in DHCP mode that way the office
    doesn't go down if the IP changes, worse case is having to put a new IP into
    the VPN profile on a couple of machines. No other way I know of that you can
    create a remote access VPN without having a dynamic map.

    Thanks Walter!
    -Brian
     
    Brian V, Jan 1, 2006
    #3
  4. response3

    response3 Guest

    I've got a client vpn setup with overlapping IP subnets. For example,
    firewall is on a class B network, and my remote vpn clients are on a
    subnetted portion of this. Have you tried using split-dns? This works
    in the same manner as split-tunneling, where any domains that you have
    specified in the config for lookup are passed thru the tunnel,
    everything else is passed to the clients ISP dns server. Here is a
    sample config entry:

    vpngroup xxxxxxxx split-dns abccorp.local

    Brian
     
    response3, Jan 1, 2006
    #4
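    The checks below are an added example, not a tool from anyone in this thread.
    They take the split-tunnel related lines of the PIX 6.3(5) config posted in
    message #1 (constructed here as an inline string) and the `split-dns` line
    suggested in message #4, and answer the questions the thread circles around:
    which destinations the client sends through the tunnel, where a name lookup
    ends up with and without split-dns, and which settings a practitioner would
    flag before handing the box over (pool overlapping the inside subnet, pushed
    DNS servers that the split-tunnel list does not cover, the default SNMP
    community). The domain `abccorp.local` is the one from message #4, used here
    as an assumed value; the DNS-path model is a simplification of the client
    behaviour described in that message, not a claim about every client version.

    ```python
    import ipaddress

    # Constructed for this example from the PIX 6.3(5) config posted in message #1;
    # only the lines that matter for split tunnelling and DNS are kept.
    POSTED_CONFIG = """
    ip address inside 192.168.0.1 255.255.255.0
    access-list splittunnel permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    ip local pool VPNPool 192.168.0.215-192.168.0.225
    vpngroup xxxxx address-pool VPNPool
    vpngroup xxxxx dns-server 4.2.2.2 4.2.2.1
    vpngroup xxxxx default-domain ABC
    vpngroup xxxxx split-tunnel splittunnel
    dhcpd address 192.168.0.125-192.168.0.175 inside
    snmp-server community public
    """

    # Same config plus the split-dns line from message #4 (domain assumed for the example).
    FIXED_CONFIG = POSTED_CONFIG + "vpngroup xxxxx split-dns abccorp.local\n"


    def _addr(tokens, i):
        """Read one PIX ACL address operand at tokens[i]: 'any' or 'addr mask'."""
        if tokens[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


    def _range(spec):
        lo, hi = spec.split("-")
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


    def parse_pix(text):
        """Pull the split-tunnel relevant pieces out of a PIX 6.x running-config."""
        cfg = {"inside": None, "acls": {}, "pools": {}, "dhcpd": None,
               "vpngroup": {}, "snmp_communities": []}
        for line in text.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[:3] == ["ip", "address", "inside"]:
                cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif t[0] == "access-list" and t[2] == "permit":
                src, i = _addr(t, 4)          # access-list NAME permit ip SRC DST
                dst, _ = _addr(t, i)
                cfg["acls"].setdefault(t[1], []).append((src, dst))
            elif t[:3] == ["ip", "local", "pool"]:
                cfg["pools"][t[3]] = _range(t[4])
            elif t[:2] == ["dhcpd", "address"]:
                cfg["dhcpd"] = _range(t[2])
            elif t[0] == "vpngroup":
                cfg["vpngroup"].setdefault(t[2], []).extend(t[3:])   # keyword -> values
            elif t[:2] == ["snmp-server", "community"]:
                cfg["snmp_communities"].append(t[2])
        return cfg


    def tunneled_networks(cfg):
        """Networks the client sends through the tunnel: the source side of each
        split-tunnel ACL entry (PIX 6.x vpngroup semantics); everything if no list."""
        acl = cfg["vpngroup"].get("split-tunnel")
        if not acl:
            return [ipaddress.ip_network("0.0.0.0/0")]
        return [src for src, _dst in cfg["acls"].get(acl[0], [])]


    def is_tunneled(cfg, ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net in tunneled_networks(cfg))


    def dns_path(cfg, name):
        """Simplified model (assumption) of where a client lookup goes: with split-dns,
        only the listed domains use the pushed servers through the tunnel and the rest
        goes to the client's local resolver; without it, every lookup targets the pushed
        servers, which are reachable through the tunnel only if the split list covers them."""
        pushed = cfg["vpngroup"].get("dns-server", [])
        split = cfg["vpngroup"].get("split-dns", [])
        if split:
            return "tunnel" if any(name == d or name.endswith("." + d) for d in split) else "local"
        if pushed and not any(is_tunneled(cfg, s) for s in pushed):
            return "pushed-server-outside-tunnel"
        return "tunnel" if pushed else "local"


    def check(cfg):
        """Findings a practitioner would want to see before handing this config over."""
        findings = []
        inside = cfg["inside"]
        pool_name = cfg["vpngroup"].get("address-pool", [None])[0]
        pool = cfg["pools"].get(pool_name)
        if pool and inside and (pool[0] in inside or pool[1] in inside):
            findings.append(f"pool {pool_name} {pool[0]}-{pool[1]} overlaps inside subnet {inside}")
        if pool and cfg["dhcpd"] and not (pool[1] < cfg["dhcpd"][0] or pool[0] > cfg["dhcpd"][1]):
            findings.append(f"pool {pool_name} overlaps dhcpd range")
        for server in cfg["vpngroup"].get("dns-server", []):
            if not is_tunneled(cfg, server):
                findings.append(f"pushed DNS server {server} is not covered by the split-tunnel list")
        if cfg["vpngroup"].get("dns-server") and not cfg["vpngroup"].get("split-dns"):
            findings.append("split tunnel without split-dns: every lookup targets the pushed servers")
        for community in cfg["snmp_communities"]:
            if community in ("public", "private"):
                findings.append(f"default SNMP community '{community}'")
        return findings


    if __name__ == "__main__":
        for label, text in (("posted", POSTED_CONFIG), ("with split-dns", FIXED_CONFIG)):
            cfg = parse_pix(text)
            print(label, "->", dns_path(cfg, "host.abccorp.local"), "/", dns_path(cfg, "www.example.com"))
            for f in check(cfg):
                print("  ", f)
    ```

    Run as-is it reports, for the posted config, that the pool lies inside
    192.168.0.0/24, that 4.2.2.2 and 4.2.2.1 sit outside the split-tunnel list,
    that no split-dns is set, and that the SNMP community is the default; the
    dhcpd range (.125-.175) and the pool (.215-.225) do not collide, so no
    finding is raised for that. The split-dns variant routes only `abccorp.local`
    names to the pushed servers, which is the behaviour message #4 describes.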
  5. Brian V

    Brian V Guest

    "response3" wrote in message news:...
    > I've got a client vpn setup with overlapping IP subnets. For example,
    > firewall is on a class B network, and my remote vpn clients are on a
    > subnetted portion of this. Have you tried using split-dns? This works
    > in the same manner as split-tunneling, where any domains that you have
    > specified in the config for lookup are passed thru the tunnel,
    > everything else is passed to the clients ISP dns server. Here is a
    > sample config entry:
    >
    > vpngroup xxxxxxxx split-dns abccorp.local
    >
    > Brian
    >


    Out friggin standing! Worked like a champ. Never even thought about that.

    Thanks!
    -Brian
     
    Brian V, Jan 1, 2006
    #5