06-02-2010 01:33 PM - edited 02-21-2020 04:40 PM
Hello all. I have searched on this but I cannot find my answer.
I have set up a VPN connection to a PIX firewall (running Version 8.0(4)) for my company. The VPN connection is working correctly, in that I can connect to it using my Cisco VPN Client software (v 5.0.02.0090) and ping internal servers/resources by IP address. However, if I try to ping by hostname, it does not resolve to an IP address. If I open a command prompt on my PC and type ipconfig /all, there are no DNS servers for my VPN adapter, just for my normal Intel NIC. I think that I should have a DNS server listed under the VPN adapter, right? Below are the relevant (I think) lines of config for the VPN:
PIX Version 8.0(4)
domain-name xx.xx
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.23
 domain-name xx.xx
ip local pool vpnpoolIT 10.10.8.2-10.10.8.254 mask 255.255.255.0
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *
Is there anything that I am missing? I can resolve DNS queries on the PIX itself.
All the info I can find online is for an older version of PIX software that says that I should enter the command vpngroup dns-server IP Address, but this command is not available in my version of the software.
06-02-2010 01:39 PM
Hi,
To define a DNS server to be injected to the VPN clients when they connect, you can do the following:
This is the tunnel-group where the remote connection lands:
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *
So, create a group policy:
group-policy VPN internal
group-policy VPN attributes
 ! x.x.x.x will be the IP of the DNS server
 dns-server value x.x.x.x
Then, apply the group-policy to the tunnel group:
tunnel-group ITGroup general-attributes
 default-group-policy VPN
Hope it helps.
Federico.
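A way to check a saved configuration for the gap this thread describes, added here as an example and not part of the original posts: it resolves each remote-access tunnel-group to its group-policy and reports which DNS servers, if any, VPN clients receive. It assumes `show running-config` style text with indented sub-commands and the full `dns-server value` keyword; the sample config, the `SalesGroup` name and the function names are constructed for illustration.

```python
import re

# Constructed sample: the thread's ITGroup with the policy applied, plus a hypothetical SalesGroup.
SAMPLE_CONFIG = """\
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.20.23
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 default-group-policy VPN
tunnel-group SalesGroup type remote-access
"""

def parse_sections(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blanks and comment lines
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def policy_dns(sections, policy):
    """DNS servers a group-policy pushes; unset values inherit from DfltGrpPolicy."""
    for pol in (policy, "DfltGrpPolicy"):
        for sub in sections.get(f"group-policy {pol} attributes", []):
            if sub.startswith("dns-server value "):
                return sub.split()[2:]
            if sub == "dns-server none":
                return []  # explicit "none" blocks inheritance
    return []

def dns_pushed_per_tunnel_group(config):
    """Return {remote-access tunnel-group: [DNS servers handed to its clients]}."""
    sections, result = parse_sections(config), {}
    for header in sections:
        m = re.fullmatch(r"tunnel-group (\S+) type remote-access", header)
        if m:
            policy = "DfltGrpPolicy"  # applies when no default-group-policy is set
            for sub in sections.get(f"tunnel-group {m[1]} general-attributes", []):
                if sub.startswith("default-group-policy "):
                    policy = sub.split()[1]
            result[m[1]] = policy_dns(sections, policy)
    return result
```

An empty list for a tunnel-group means its clients connect without a DNS server on the VPN adapter, which is the symptom reported in the question.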
06-02-2010 01:46 PM
You rock, Federico. I swear, I'm going to name my first born after you.
Thanks for your quick reply and perfect answer.
06-02-2010 01:49 PM
Please don't do that... it's not your baby's fault :-)
Anyway, I'm very glad that it helped!
Federico.
06-02-2010 01:55 PM
Haha, thanks again!