PIX - PIX VPN DNS Problem

Discussion in 'Cisco' started by Stephen Evans, Oct 29, 2003.

  1. Hello all,

    Hope someone can help with this one as I can't seem to find anything on
    either Cisco or the newsgroups.

    I have a PIX 501 and a PIX 515 with a DES tunnel running between both
    and Windows 2000 hosts at either side. The problem I am having is
    that when doing a DNS query across the VPN tunnel to a DNS server on
    the remote site to look up the IP address of another server on the
    remote side, the DNS reply is coming back with the Global IP address
    because there is also an Alias command for this server. Is there a way
    to stop the Alias command being performed on the VPN traffic, as it's
    private IP addresses at either end of the tunnel? I've found the
    command "sysopt ipsec pl-compatible" which I thought may do the trick,
    but the PIX doing the ASA Alias command is the 501 and this command is
    not supported on this model. I can't see why you would want the Alias
    command to work on VPN traffic by default, as most VPNs are connecting
    private to private address spaces. Thank you very much in advance for
    any help.

    Kind Regards

    Stephen Evans
     
    Stephen Evans, Oct 29, 2003
    #1

  2. :I have a PIX 501 and a PIX 515 with a DES tunnel running between both
    :and Windows 2000 hosts at either side.

    You don't happen to mention the relevant PIX software versions?

    : The problem I am having is
    :that when doing a DNS query across the VPN tunnel to a DNS server on
    :the remote site to look up the IP address of another server on the
    :remote side, the DNS reply is coming back with the Global IP address
    :because there is also an Alias command for this server. Is there a way
    :to stop the Alias command being performed on the VPN traffic, as it's
    :private IP addresses at either end of the tunnel?

    sysopt nodnsalias inbound
    sysopt nodnsalias outbound
     
    Walter Roberson, Oct 29, 2003
    #2

  3. Just as an update, it seems Cisco have done it once again: the
    sysopt ipsec pl-compatible command does work even though Cisco's
    documentation says it doesn't on the PIX 501.

    Stephen
     
    Stephen Evans, Oct 29, 2003
    #3