02-17-2009 02:08 PM - edited 03-06-2019 04:05 AM
Hi,
It's my 1st post so here goes.
I am trying to setup a Cisco 877 router as a DNS Server. The same router has a Site to Site Tunnel setup and working between it and our main office located behind a Cisco PIX 515E.
877 (192.168.104.x) -> PIX (192.168.1.x)
I have enabled
IP DNS Server
IP name-server 192.168.1.242 192.168.1.245
Basically assigning my private DNS servers this way does not work. I can ping the private DNS Servers from any PC at either end of the tunnel (192.168.104.x & 192.168.1.x). However I cannot ping the Private DNS Server IP addresses or anything at 192.168.1.x from IOS at the remote side.
Cut a long story short, there is a perfectly good reason I am trying to use my private DNS Servers as Name servers, but I cannot figure out why I cannot ping the devices or anything else at the end of the tunnel from the router itself.
Is it because the traffic is originating from the Dialer interface, and not VLAN1?
I have attached a sample copy of my config, hopefully somebody can advise where I'm going wrong!
Many Thanks,
Kevin
02-17-2009 02:28 PM
Kevin
Yes it would be because the ping traffic has a source address of the router interface. The access list 102 which identifies traffic to go through the VPN tunnel specifies only traffic from the LAN addresses. One solution might be to use extended ping in which you can specify the ping source address as the LAN interface. The other solution would be to add permits into access list 102 for ping sourced from the router interface to the servers addresses.
HTH
Rick
02-17-2009 02:49 PM
Hi Rick,
Thanks for the quick answer.
I added the following
access-list 102 permit ip any 192.168.1.0 0.0.0.255
Which unfortunately pulled the whole tunnel, so I guess I misunderstood your instructions!
Where did I go wrong?
Thanks,
Kevin
02-17-2009 03:05 PM
Kevin
Using the keyword any in an access list to identify VPN traffic is dangerous (as you discovered the hard way). My suggestion would be to remove the line you added that permitted any source and replace it with a line that permits the source being the outside interface of the router and the destination being the remote subnet.
HTH
Rick
02-17-2009 03:17 PM
Rick,
Do you have an example of the command/type of access list I could use? I thought using an extended access list it is only possible to specify source as any/host/x.x.x.x, and not by interface?
Sorry I'm still finding my way with IOS.
02-17-2009 08:16 PM
Kevin
It is somewhat more complicated since the dialer interface learns its address dynamically. If it were a fixed address it would be simply:
access-list 102 permit ip host
but since it learns its address dynamically it might look something like this:
access-list 102 permit ip
This should work, but given the additional complexity of doing it this way, I wonder how important it is to ping from the router rather than from an inside host, or whether an extended ping specifying the source address as the address of vlan 1 would be good enough.
HTH
Rick
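The two fixes Rick describes, written out as an added IOS example. This is not Kevin's attached config and not text from the thread: the interface names, the existing LAN-to-LAN entry and the placeholder outside address 1.2.3.4 are assumptions (the 877's real Dialer address is learned dynamically and never appears on the page), and the `ip domain lookup source-interface` line is an assumed extra check, not something the thread mentions.

```cisco
! Added example (not from the original thread or Kevin's config).
! Assumed: Vlan1 is the LAN interface, Dialer0 the outside, and
! 1.2.3.4 stands in for whatever address Dialer0 currently holds.
!
! 1. Back out the line that broke the tunnel. With "any" as the
!    source, every packet the 877 sends toward 192.168.1.0/24 is
!    treated as interesting traffic, which no longer mirrors the
!    crypto ACL on the PIX side, so the SA proxy identities stop
!    matching and the whole tunnel fails.
no access-list 102 permit ip any 192.168.1.0 0.0.0.255
!
! 2. Keep the LAN-to-LAN entry the tunnel was built on (assumed
!    wording; the actual line is in Kevin's attachment).
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! 3a. Rick's fixed-address variant: only router-sourced traffic to
!     the two DNS servers becomes interesting. The PIX crypto ACL
!     must carry the mirror image (host 192.168.1.242 -> host 1.2.3.4,
!     etc.), and a dynamic Dialer address makes this entry stale as
!     soon as the address changes, which is the complication Rick
!     warns about.
access-list 102 permit ip host 1.2.3.4 host 192.168.1.242
access-list 102 permit ip host 1.2.3.4 host 192.168.1.245
!
! Assumed extra check: make the router's own DNS lookups leave with
! the Vlan1 address so they match the LAN entry instead of step 3a.
! Verify the command is present on your IOS release.
ip domain lookup source-interface Vlan1
!
! 3b. Rick's alternative, typed at the exec prompt rather than in
!     config mode: an extended ping sourced from Vlan1 already falls
!     inside the LAN-to-LAN entry, so no ACL change is needed.
!     Expect success here and failure for a plain "ping 192.168.1.242".
ping 192.168.1.242 source Vlan1
```

After changing access-list 102, check `show crypto ipsec sa` on both ends: the local/remote identity lines show exactly which source/destination pair each SA was negotiated for, and a mismatch there is the symptom Kevin saw when the tunnel dropped.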