DNS and RDP issues

Unanswered Question
Feb 20th, 2008

I have set up a remote access VPN on a 5510 ASA for a customer, and although they can connect, collect mail and see their mapped drives, they do not get DNS resolution from the internal servers and are not able to use RDP to access the internal servers. The ASA is running version 7.2. I have tried recreating this in a lab environment and get the same problem. I am new to the ASA and not sure if there may be something in the policy that blocks these services. I have tried upgrading the lab equipment to 8.03 but still have the same problem. If anyone has any advice it would be much appreciated, as it looks like I have a few of these to install in the near future.

Overall Rating: 2 (1 ratings)
husycisco Wed, 02/20/2008 - 07:14

Hi Martin

Please attach your running config.


Regards

husycisco Fri, 02/22/2008 - 14:02

Martin,

Is 10.190.50.1 a domain controller with DNS service installed?

What happens when you run nslookup on the command line of a client that is connected via VPN and then type a hostname.domainname.suffix? Do you get a response? Does nslookup show 10.190.50.1 as the default server?

mannschaft Sun, 02/24/2008 - 13:42

Hi guys,


I experienced the same problem with DNS, but I have resolved it now.

Actually I have a problem with RDP: when connected via VPN I can't run RDP to my local servers. I used the IP address instead but that didn't work either.

Attached is my running configuration on the ASA 5505.

Please debug my config and send your help.


Thanks.



husycisco Mon, 02/25/2008 - 00:04

Hi Adil

Make the following change

access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.2.224 255.255.255.224

no nat (inside) 0 192.168.2.2

nat (inside) 0 access-list inside_nat0_outbound


Regards

Please do not forget to rate the post if helpful

husycisco Mon, 02/25/2008 - 07:36

Adil,

Why did you grade 2?

mannschaft Mon, 02/25/2008 - 09:38

Hi Husyine


I have tried the changes you gave me but nothing changed. By the way, why did you put 192.168.2.224? This IP address is part of the VPN pool.

For your information, when I do nslookup the host is resolved! When I ping the IP address of the host there is no response. Only the DNS and the inside interface can be pinged.

Do you have any other suggestions?

Thanks & regards.

husycisco Thu, 02/28/2008 - 02:07

Adil

Please rate posts if helpful. If it is not, go on collaborating until you resolve the issue.

Please post your current running config


Regards

husycisco Mon, 02/25/2008 - 01:37

Martin,

Is 10.190.50.1 a domain controller with DNS service installed?

Can you connect to 10.190.50.1 via RDP ?

Can a local client located on the inside interface, with a preferred DNS server of 10.190.50.1, resolve the IP addresses in the nslookup output you attached to names?


mbluemel Mon, 02/25/2008 - 01:46

Hi there. Yes, 10.190.50.1 is a domain controller and runs the DNS service. Clients inside the network can ping the server by name. I can connect to 10.190.50.1 by RDP.

husycisco Thu, 02/28/2008 - 02:05

Martin,

Please download portqry.exe on the VPN client,

http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/portqryui.exe


Extract it, then run portqryui. In the IP address section, type 10.190.50.1, choose "Manually input query ports", choose UDP, and port 53. If the query result returns correctly, then try issuing the following commands


policy-map global_policy

class inspection_default

no inspect dns preset_dns_map


If you can't get a response, then add the following

sysopt connection permit-ipsec

If still no response, let me know.


Regards
