Remote access VPN Client to PIX, DNS Issue

Answered Question
Jun 2nd, 2010

Hello all.  I have searched on this but I cannot find my answer.

I have set up a VPN connection to a PIX firewall (running version 8.0(4)) for my company.  The VPN connection is working correctly, in that I can connect to it using my Cisco VPN Client software (v 5.0.02.0090) and ping internal servers/resources by IP address. However, if I try to ping by hostname, it does not resolve to an IP address.  If I open a command prompt on my PC and type ipconfig /all, there are no DNS servers for my VPN adapter, just for my normal Intel NIC. I think that I should have a DNS server listed under the VPN adapter, right?  Below are the relevant (I think) lines of config for the VPN:


PIX Version 8.0(4)
domain-name xx.xx
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.23
 domain-name xx.xx
ip local pool vpnpoolIT 10.10.8.2-10.10.8.254 mask 255.255.255.0
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *

Is there anything that I am missing?  I can resolve DNS queries on the PIX itself.

All the info I can find online is for an older version of PIX software that says that I should enter the command vpngroup dns-server IP Address, but this command is not available in my version of the software.

Correct Answer
Federico Coto F... Wed, 06/02/2010 - 13:39

Hi,

To define a DNS server to be injected to the VPN clients when they connect, you can do the following:

This is the tunnel-group where the remote connection lands:

tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *

So, create a group policy:

group-policy VPN internal
group-policy VPN attributes
 dns value x.x.x.x   -->   x.x.x.x will be the IP of the DNS server

Then, apply the group-policy to the tunnel group:

tunnel-group ITGroup general-attributes
 default-group-policy VPN

Hope it helps.

Federico.
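One way to audit a running-config for exactly this gap, as an added example that is not part of the thread: it assumes the indentation that ASA/PIX `show running-config` prints, treats a remote-access tunnel-group with no `default-group-policy` as inheriting DfltGrpPolicy, and accepts both the full `dns-server value` keyword and the `dns value` shorthand used in the answer. The sample config is constructed: ITGroup is the question's state, SalesGroup has the fix applied.

```python
# Added audit: which remote-access tunnel-groups push a DNS server to VPN clients.
import re
# Constructed sample: ITGroup is the question's state, SalesGroup has the fix.
SAMPLE_CONFIG = """\
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.20.23
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
tunnel-group SalesGroup type remote-access
tunnel-group SalesGroup general-attributes
 address-pool vpnpoolIT
 default-group-policy VPN
"""
DNS_RE = re.compile(r"^dns(?:-server)? value\s+(.+)$")  # 'dns-server value' or 'dns value'

def parse_sections(config):
    """Return {header line: [child lines]} for an ASA-style indented config."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":            # indented: belongs to the open section
            if current is not None:
                sections[current].append(raw.strip())
        else:                           # column 0: new section header
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_vpn_dns(config):
    """Map each remote-access tunnel-group to the DNS servers its clients get
    (empty list = clients will show no DNS server on the VPN adapter)."""
    sections, result = parse_sections(config), {}
    for header in sections:
        m = re.match(r"tunnel-group (\S+) type remote-access$", header)
        if not m:
            continue
        name, policy = m.group(1), "DfltGrpPolicy"   # ASA default if unset
        for line in sections.get(f"tunnel-group {name} general-attributes", []):
            if line.startswith("default-group-policy "):
                policy = line.split()[1]
        servers = []
        for line in sections.get(f"group-policy {policy} attributes", []):
            if dm := DNS_RE.match(line):
                servers.extend(dm.group(1).split())
        result[name] = servers
    return result
```

Run `audit_vpn_dns(open("running-config.txt").read())` against a saved config; any tunnel-group mapped to an empty list is one whose clients will see no DNS server, which is the symptom in the question.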

Scott Conklin Wed, 06/02/2010 - 13:46

You rock, Federico.  I swear, I'm going to name my first born after you.

Thanks for your quick reply and perfect answer.

Federico Coto F... Wed, 06/02/2010 - 13:49

Please don't do that... it's not your baby's fault :-)


Anyway, I'm very glad that it helped!


Federico.
