Remote access VPN Client to PIX, DNS Issue

Scott Conklin
Level 1

Hello all.  I have searched on this but I cannot find my answer.

I have set up a VPN connection to a PIX firewall (running Version 8.0(4)) for my company.  The VPN connection is working correctly, in that I can connect to it using my Cisco VPN Client software (v 5.0.02.0090) and ping internal servers/resources by IP address. However, if I try to ping by hostname, it does not resolve to an IP address.  If I open a command prompt on my PC and type ipconfig /all, there are no DNS servers for my VPN adapter, just for my normal Intel NIC. I think that I should have a DNS server listed under the VPN adapter, right?  Below are the relevant (I think) lines of config for the VPN:

PIX Version 8.0(4)
domain-name xx.xx
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.23
 domain-name xx.xx
ip local pool vpnpoolIT 10.10.8.2-10.10.8.254 mask 255.255.255.0
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *

Is there anything that I am missing?  I can resolve DNS queries on the PIX itself.

All the info I can find online is for an older version of PIX software that says that I should enter the command vpngroup dns-server IP Address, but this command is not available in my version of the software.

Accepted Solutions

Hi,

To define a DNS server to be injected to the VPN clients when they connect, you can do the following:

This is the tunnel-group where the remote connection lands:

tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *

So, create a group policy:

group-policy VPN internal
group-policy VPN attributes
 ! x.x.x.x will be the IP of the DNS server
 dns-server value x.x.x.x

Then, apply the group-policy to the tunnel group:

tunnel-group ITGroup general-attributes
 default-group-policy VPN

Hope it helps.

Federico.
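
An added example, not part of the original post and not Cisco tooling: a Python check that reads a saved running-config and reports which DNS servers each remote-access tunnel-group pushes to its clients, following the group-policy attachment described in the answer above. The sample configs are constructed, 192.168.20.23 as the pushed server is an assumption borrowed from the question's name-server line, and the script matches the full keyword `dns-server value` as the running-config prints it.

```python
import re
def parse_blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])  # repeated headers share one entry
    return blocks

def vpn_dns_report(config):
    """Return {tunnel-group: DNS servers pushed}; unset values inherit from DfltGrpPolicy."""
    blocks, dns, report = parse_blocks(config), {}, {}
    for header, subs in blocks.items():
        m = re.fullmatch(r"group-policy (\S+) attributes", header)
        for sub in subs if m else []:
            if sub.startswith("dns-server value "):
                dns[m.group(1)] = sub.split()[2:]
            elif sub == "dns-server none":
                dns[m.group(1)] = []  # explicit 'none' stops inheritance
    for header in blocks:
        m = re.fullmatch(r"tunnel-group (\S+) type remote-access", header)
        if m:
            policy = "DfltGrpPolicy"  # applies when no default-group-policy is set
            for sub in blocks.get(f"tunnel-group {m.group(1)} general-attributes", []):
                if sub.startswith("default-group-policy "):
                    policy = sub.split()[1]
            report[m.group(1)] = dns.get(policy, dns.get("DfltGrpPolicy", []))
    return report
# Constructed sample configs; 192.168.20.23 as the pushed DNS server is an assumption.
BEFORE = """
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
"""
AFTER = BEFORE + """
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.20.23
tunnel-group ITGroup general-attributes
 default-group-policy VPN
"""
if __name__ == "__main__":
    print(vpn_dns_report(BEFORE), vpn_dns_report(AFTER))
```

An empty list for a tunnel-group means its VPN clients receive no DNS server, which is the symptom described in the question.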


4 Replies

You rock, Federico.  I swear, I'm going to name my first born after you.

Thanks for your quick reply and perfect answer.

Please don't do that... it's not your baby's fault :-)

Anyway, I'm very glad that it helped!

Federico.

Haha, thanks again!