Cisco Support Community
Allowing DNS resolution through VPN

Hello All,

Good Day,

My issue is kind of simple in logic, but it's a little bit hard in implementation.

My scenario as follows:

I have a Cisco PIX 525 with 4 interfaces defined: Inside, Outside, VPN and DMZ. I located my web and mail servers in the DMZ subnet, which is 10.111.0.0/24, and I located my VPN router in the VPN subnet, which is 10.11.0.0/24. Also, I created many static routes for this VPN and all are successful, but I will state just one route in the configuration to you, and I can now ping the remote peers. In addition, I created a static NAT for the servers to access the VPN subnet. Voila! The servers can now ping the remote peers too, and remote desktop to specific remote hosts for management purposes. Here comes the hard part: my mail server is also a DNS server, and I have A host records created to point to both the mail and web servers.

However, the remote hosts cannot resolve their names; they can only resolve their IP addresses. I am pretty sure that I created an access list, applied on the VPN interface, which permits the UDP DNS port. The following is the detailed configuration:

tic(config)#int eth2
tic(config-if)#description VPN router subnet
tic(config-if)#ip address 10.11.0.200 255.255.255.0 standby 10.11.0.201
tic(config-if)#nameif VPN
tic(config-if)#no shutdown
tic(config-if)#exit
tic(config)#int eth3
tic(config-if)#desc DMZ servers zone
tic(config-if)#nameif DMZ
tic(config-if)#ip address 10.111.0.200 255.255.255.0 standby 10.111.0.201
tic(config-if)#no shutdown
tic(config-if)#exit
tic(config)#route vpn 10.11.1.0 255.255.255.0 10.11.0.1
tic(config)#static (DMZ,VPN) 10.11.0.12 10.111.0.12 netmask 255.255.255.255 dns
tic(config)#static (DMZ,VPN) 10.11.0.13 10.111.0.13 netmask 255.255.255.0 dns
tic(config)#access-list vpn permit udp any host 10.11.0.12 eq domain
tic(config)#access-list vpn permit tcp any host 10.11.0.12 eq www
tic(config)#access-list vpn permit udp any host 10.11.0.13 eq domain
tic(config)#access-list vpn permit tcp any host 10.11.0.13 eq www
tic(config)#access-group vpn in interface VPN

Note: VPN router is 10.11.0.1
Mail server is 10.111.0.12
Web server is 10.111.0.13

Also note that the PIX firewall is not the VPN peer; it just has the VPN router located on one of its interfaces (eth2).

Just a hint, for fun: sit down, relax and draw a sketch of this scenario on paper for more clarity.

I'll really appreciate any fast response from you.

Thx. Turbo
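The mechanism the `dns` keyword on the two static commands above relies on, as an added illustration (this is not the poster's configuration and not Cisco's code): the DNS server in the DMZ answers queries with the real 10.111.0.x addresses, which a host on the VPN side cannot reach, so the firewall rewrites the A-record rdata of replies that cross a static carrying `dns` to the mapped 10.11.0.x address. The model below uses the two statics exactly as posted and applies each netmask as a network mask; the query name, TTL and the extra 10.111.1.5 answer are constructed sample data.

```python
"""Model of PIX 'static (real,mapped) ... dns' address rewriting (DNS doctoring).

Added illustration only: the static entries are copied from the post, the DNS
message is built locally from constructed sample data, and the rewrite logic is
this script's own, not Cisco's implementation.
"""
import ipaddress
import struct

# (mapped/global address on VPN, real/local address in DMZ, netmask, 'dns' keyword) as posted.
STATICS = [
    ("10.11.0.12", "10.111.0.12", "255.255.255.255", True),
    ("10.11.0.13", "10.111.0.13", "255.255.255.0", True),
]


def _a2i(addr):
    return int(ipaddress.IPv4Address(addr))


def _i2a(value):
    return str(ipaddress.IPv4Address(value))


def doctor_address(real_ip, statics=STATICS):
    """Mapped address a VPN-side client must use for real_ip, or real_ip if no 'dns' static covers it."""
    real = _a2i(real_ip)
    for mapped, local, mask, dns in statics:
        if not dns:
            continue                                   # static without 'dns': payload left alone
        m = _a2i(mask)
        if (real & m) == (_a2i(local) & m):            # real address inside this static's scope
            return _i2a((_a2i(mapped) & m) | (real & ~m))
    return real_ip


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234, ttl=300):
    """Reply the DMZ DNS server would send: one IN A record per address (sample data)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip in answers:
        # 0xC00C: compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + question + rrs


def _skip_name(msg, off):
    """Offset just past a wire-format name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Yield the offset of the 4-byte rdata of every IN A record in the message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):                      # answer, authority, additional
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg):
    """A-record addresses in the message, in wire order."""
    return [_i2a(int.from_bytes(msg[o:o + 4], "big")) for o in _a_record_offsets(msg)]


def doctor_response(msg, statics=STATICS):
    """Rewrite A rdata as the firewall does for a reply crossing a 'dns' static; returns (bytes, changes)."""
    buf = bytearray(msg)
    changes = []
    for o in list(_a_record_offsets(buf)):
        real = _i2a(int.from_bytes(buf[o:o + 4], "big"))
        mapped = doctor_address(real, statics)
        if mapped != real:
            buf[o:o + 4] = _a2i(mapped).to_bytes(4, "big")   # same length, so no offsets move
            changes.append((real, mapped))
    return bytes(buf), changes


if __name__ == "__main__":
    reply = build_response("mail.example.test", ["10.111.0.12", "10.111.1.5"])  # constructed
    doctored, changes = doctor_response(reply)
    print("DMZ server answered:", a_records(reply))
    print("VPN client receives:", a_records(doctored), "rewritten:", changes)
```

Running it shows 10.111.0.12 leaving the firewall as 10.11.0.12 while 10.111.1.5, which no static covers, is passed through unchanged; that untouched address is exactly what a remote host would fail to reach. Because the model treats the netmask as a network mask, the 255.255.255.0 on the second static as posted makes its scope the whole 10.111.0.0/24 rather than the single web host, which is something worth confirming on the PIX itself.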

1 REPLY

Re: Allowing DNS resolution through VPN

I think the problem exists in the access list creation, which is not permitting the DNS resolution.
