DNS/WINS name translation over PIX 500 series firewall

Unanswered Question

I am having trouble using host names for Remote Desktop access over VPN tunnels using PIX 501, 506, and 515 firewalls. I have a WINS server loaded at each office, and I can use host names with the VPN client outside the networks, but not between locations.

How can I configure the PIX firewalls to allow DNS/WINS name translation for use with Remote Desktop from within the VPN tunnels?

umedryk Wed, 10/12/2005 - 13:49

As far as I know, you cannot translate within the tunnels.

jackko Wed, 10/12/2005 - 17:35

Assuming you are referring to LAN-LAN VPN between those sites/devices as below:

net1 <--> pix501 <--> internet <--> pix515 <--> net2

With a net1 PC, you can point to the DNS server that is located in net2. The catch is that all DNS will then be forwarded to net2, consuming more bandwidth over the internet.

Thanks for the suggestion. However, I have a mesh of VPN tunnels between 9 different locations. Pointing to one remote DNS server would only help that one location. I was hoping for some kind of WINS query command that would translate hostnames off the local server to whichever location is trying to access it. As I said, the VPN client is able to allow host names to connect instead of IP addresses, so why can't PIX-to-PIX tunnels?

jackko Wed, 10/12/2005 - 20:19

The reason being that by using a VPN client to establish the VPN, as the name suggests, it's a client/server model, so the server can push the policy including the DNS server; whereas with a PIX-PIX VPN, or I should say LAN-LAN VPN, it's more like joining two networks together.

Providing you have a DNS server for the remote VPN client to point to, you may configure the DHCP server on each site to point to the same DNS server.
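As an added illustration of the approach jackko describes (this is not configuration from the thread or from Cisco), here is a PIX 6.x DHCP server configuration for one site that hands every inside client the same shared DNS and WINS servers. The interface name, address pool, domain and server addresses are placeholders; the 10.2.0.x servers are assumed to live in a remote network reached over the LAN-LAN tunnel.

```text
! PIX 6.x inside DHCP server: every site points clients at one shared DNS/WINS pair.
! Placeholder values: pool 192.168.1.100-200, DNS 10.2.0.5, WINS 10.2.0.6, domain example.local
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 10.2.0.5
dhcpd wins 10.2.0.6
dhcpd domain example.local
dhcpd lease 86400
dhcpd enable inside
```

Name lookups from this site then cross the tunnel to the shared server, which is the bandwidth trade-off jackko points out, and the client-to-server traffic must already be covered by that tunnel's crypto ACL and NAT exemption or the queries never leave the site.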

redray8 Wed, 10/12/2005 - 23:11

I am not sure if I understand your topology. If your PIXes are serving as both IPSec endpoints and client VPN (PPTP or otherwise), the client VPN cannot route properly to your remote IPSec endpoints because both tunnels are incoming at the outside interface.

But you mention a TS server. If you configure push/pull replication of the WINS servers across the IPSec tunnels, an inside (not client VPN) host should be able to be configured as an h-mode NetBIOS client and query the local WINS server to resolve remote IPs. With push/pull replication, though, you have to be careful about Master Browser elections and that you block Master Browser advertisements across the WAN/IPSec tunnels.
