08-30-2010 11:29 AM
08-30-2010 01:37 PM
As you already did, make sure that the assigned VPN IP address does not fall within the same subnet as the assigned physical adapter by the ISP.
Then try to flush your DNS cache on the host: if it is Windows it would be 'ipconfig /flushdns'. A reboot of the PC may also be advised, to confirm the issue persists.
If that does not work post the 'ipconfig /all' output after the user connected with his VPN.
Regards,
Uwe
08-30-2010 02:07 PM
Hello there, thank you very much for your reply, I really appreciate this.
The VPN clients are getting their IP address from 192.168.30.x subnet which is provided by our Windows Server.
The problem is the VPN clients' private IP address, which they get from their home router (192.168.1.x), registers to our DNS server, which causes duplicate A records pointing to the same IP address.
One solution I've thought of is throwing all VPN users' computer accounts into an OU and applying a GPO that restricts them from updating to the DNS server, but the problem with this is it ultimately prohibits them from registering their hostname into the DNS, and will result in manually updating their records.
I have attached a screenshot, of ipconfig /all for one of the vpn client.
Is there any way I can apply a "rule" to VPN clients from ever updating to the DNS server? I can do this with GPO, but not sure if I can do it with Cisco VPN 3000.
Thank You!!!
08-30-2010 02:40 PM
I think what they are suggesting as a workaround would be to redefine the address
range you assign to VPN clients as a workaround. Some obscure class C subnet
of 10.x.x.x might work; something that nobody is likely to pick for their home
configuration.
Then make sure the DHCP server rejects dyndns requests for the common
home network ranges, which it may do automatically.
Not elegant, I'd agree. I'd suggest a filter list, which might be possible
if the clients send unicast packets after the initial allocation and none of them
are needed for anything you do there.
08-31-2010 09:43 AM
Thank you for the reply, I went ahead and disabled dynamic update on DNS after deleting duplicate entries, but again VPN clients started registering their hostname A record into the corporate/internal DNS server; it is more likely that the DDNS feature only works for newly assigned IP addresses in the DHCP.
In the case of the VPN clients their home router assigns their IP address, and the network treats it locally, I've attached a screenshot.
You mentioned something about filtering UDP packets, do you have a link or instructions on how to accomplish this?
I have also thought about creating a query base WMI GPO.
Thank you!
08-31-2010 10:31 AM
You can either specify a default filter ruleset, or specify multiple rulesets and have AAA pick one by name, or (not sure on vpn3000) specify the filter rules on the RADIUS side using a custom text string attribute.
It is a straightforward per-client inbound access list at the tunnel end. Remember to permit initial DHCP broadcast traffic for split-tunnel route downloads via DHCP-intercept if you are using them, then deny followup unicasts to kill the DDNS, assuming that the clients use unicast (never had to do dyndns so I don't know.)
Minus some details:
access-list default-filter remark Allow DHCP-intercept route downloads
access-list default-filter permit udp object-group default-vpn-pool eq bootpc host 255.255.255.255 eq bootps
access-list default-filter deny ip object-group default-vpn-pool object-group dyndns
access-list default-filter permit ip object-group default-vpn-pool object-group default-vpn-allowed-destinations
access-list default-filter deny ip any any
Then:
group-policy DfltGrpPolicy attributes
vpn-filter value default-filter
08-31-2010 11:40 AM
Thank you very much Julian, this is more likely the solution that I've been looking for, although the problem I have is that I am not aware how to create rules on VPN 3000, this concentrator is connected to a CISCO firewall, so I also might consider putting these rules in there, or wait until we cut-over to our ASA.
In the meanwhile I created a filter based GPO targeting those computer accounts registering to the DNS server.
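As an added example (not code from any poster in this thread), the following Python script audits an exported zone for the symptom described above: A records that landed in common home-router ranges instead of the VPN pool, hostnames that now carry more than one A record, and one address shared by several hostnames. The zone text and address ranges are constructed assumptions; a Windows DNS zone exported with dnscmd /ZoneExport is BIND-style and should parse the same way.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone export (BIND-style "name [ttl] [IN] A addr" lines).
SAMPLE_ZONE = """\
; constructed sample, not a real zone
fileserver01   IN  A  10.0.5.10
laptop-jsmith  IN  A  192.168.30.17
laptop-jsmith  IN  A  192.168.1.104
laptop-adoe    IN  A  192.168.1.104
laptop-adoe    IN  A  192.168.30.22
printer-lobby  IN  A  10.0.5.40
"""

# Assumed VPN client pool from the thread and typical home-router defaults.
VPN_POOL = ipaddress.ip_network("192.168.30.0/24")
HOME_RANGES = [ipaddress.ip_network(n)
               for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]


def parse_a_records(zone_text):
    """Yield (hostname, IPv4Address) for each A record; skip comments and other types."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if "A" not in fields:                  # AAAA, CNAME, SOA etc. are skipped
            continue
        idx = fields.index("A")
        if idx == 0 or idx + 1 >= len(fields):
            continue
        yield fields[0].lower(), ipaddress.ip_address(fields[idx + 1])


def audit_zone(zone_text, vpn_pool=VPN_POOL, home_ranges=HOME_RANGES):
    """Return records in home ranges, multi-address hosts, and addresses shared by hosts."""
    by_host, by_addr, foreign = defaultdict(list), defaultdict(list), []
    for host, addr in parse_a_records(zone_text):
        by_host[host].append(str(addr))
        by_addr[str(addr)].append(host)
        if addr not in vpn_pool and any(addr in net for net in home_ranges):
            foreign.append((host, str(addr)))
    return {
        "foreign": foreign,
        "multi_homed": {h: a for h, a in by_host.items() if len(a) > 1},
        "shared": {a: h for a, h in by_addr.items() if len(h) > 1},
    }


if __name__ == "__main__":
    for kind, found in audit_zone(SAMPLE_ZONE).items():
        print(kind, found)
```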