10-06-2005 07:16 AM - edited 02-21-2020 12:26 AM
I am having trouble using host names for Remote Desktop access over VPN tunnels using PIX 501, 506, and 515 firewalls. I have a WINS server loaded at each office, and I can use host names with the VPN client outside the networks, but not between locations.
How can I configure the PIX firewalls to allow DNS/WINS name translation for use with Remote Desktop from within the VPN tunnels?
10-12-2005 01:49 PM
As far as I know, you cannot translate within the tunnels.
10-12-2005 05:35 PM
Assuming you are referring to a LAN-to-LAN VPN between those sites/devices, as below:
net1 <--> pix501 <--> internet <--> pix515 <--> net2
With a net1 PC, you can point to the DNS server that is located in net2. The catch is that all DNS will then be forwarded to net2, consuming more bandwidth over the internet.
10-12-2005 07:50 PM
Thanks for the suggestion. However, I have a mesh of VPN tunnels between 9 different locations. Pointing to one remote DNS server would only help that one location. I was hoping for some kind of WINS query command that would translate hostnames off the local server to whichever location is trying to access it. As I said, the VPN client is able to allow host names to connect instead of IP addresses, why can't PIX to PIX tunnels?
10-12-2005 08:19 PM
The reason is that by using a VPN client to establish the VPN, as the name suggests, it's a client/server model, so the server can push the policy including the DNS server; whereas with a PIX-to-PIX VPN, or I should say LAN-to-LAN VPN, it's more like joining two networks together.
Provided you have a DNS server for the remote VPN client to point to, you may configure the DHCP server on each site to point to the same DNS server.
10-12-2005 11:11 PM
I am not sure if I understand your topology. If your PIXes are serving as both IPSec endpoints and client VPN (PPTP or otherwise), the client VPN cannot route properly to your remote IPSec endpoints because both tunnels are incoming at the outside interface.
But you mention a TS server. If you configure push/pull replication of the WINS servers across the IPSec tunnels, an inside (not client VPN) host should be able to be configured as an h-node NetBIOS client and query the local WINS server to resolve remote IPs. With push/pull replication, though, you have to be careful about Master Browser elections and that you block Master Browser advertisements across the WAN/IPSec tunnels.
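A configuration sketch for one site along the lines of the last two replies (hand out the local WINS/DNS via DHCP, let WINS push/pull replication cross the tunnel, keep NetBIOS browser traffic off it). This is an added example, not configuration posted by anyone in this thread; the addresses, subnets and PIX 6.x command syntax are assumptions, and the mirror-image ACL would be needed on the remote PIX.

```text
! Site A PIX (assumed): inside 10.1.0.0/24, remote site B 10.2.0.0/24 via LAN-to-LAN IPSec.
! Local WINS 10.1.0.6 / DNS 10.1.0.5; remote WINS 10.2.0.6 (all constructed addresses).

! DHCP clients learn the LOCAL WINS and DNS, so h-node lookups go to the local
! WINS server; push/pull replication is what brings the remote names into it.
dhcpd address 10.1.0.100-10.1.0.200 inside
dhcpd dns 10.1.0.5
dhcpd wins 10.1.0.6
dhcpd lease 3600
dhcpd enable inside

! Inside-originated traffic toward the tunnel:
!  1. permit WINS replication (TCP 42) only between the two WINS servers
!  2. drop NetBIOS name-service and datagram traffic (UDP 137/138) to the remote
!     subnet so Master Browser elections/announcements never cross the tunnel
!  3. permit everything else, which keeps RDP (TCP 3389) to remote hosts and
!     normal internet access working; the crypto (interesting-traffic) ACL is unchanged
access-list inside_out permit tcp host 10.1.0.6 host 10.2.0.6 eq 42
access-list inside_out deny udp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq netbios-ns
access-list inside_out deny udp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq netbios-dgm
access-list inside_out permit ip 10.1.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

Replication return traffic is handled by the stateful inspection of the established TCP 42 session; a `show access-list inside_out` hit count on the two deny lines is a quick way to confirm browser traffic is actually being stopped rather than silently leaking.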