Large number of DNS entries in syslogs from VPN users
Wondering if anyone has run into this before on their PIX firewalls. Our VPN users use a Windows 2000 VPN system. Our syslogs are overrun with errors similar to the following:
No translation group found for udp src dmz:10.1.3.6/2803 dst outside:184.108.40.206/53
In this case, 10.1.3.6 represents a VPN client, and from these logs it appears they are trying to reach their ISP's DNS server. What seems to happen is that 10-14 of these errors will appear in a 10-20 sec interval of time and then they will keep recurring every 5, 10, 20 mins.
Under the VPN profile, we can deselect the option "use default gateway on remote network", which will force the VPN clients to send these DNS requests over their ISPs' network. This is a band-aid for the problem, because we are not getting to the root of the problem of where these DNS requests are coming from. Also, deselecting this option can lead to potential security problems in itself.
Any idea what could be causing so many DNS requests from these clients?
Re: Large number of DNS entries in syslogs from VPN users
Are you assigning an internal DNS server to your VPN clients when they connect? Does the DNS server send any unresolvable lookups to an external DNS server capable of resolving the lookup? If not, this would cause these log entries.
Sounds like your clients are trying to resolve host names and this isn't happening through the VPN-configured DNS server (assuming there even is one). The DNS request is then being passed to another configured DNS server (either a static entry on their IP stack or a dynamically assigned one from their ISP). And even though the configured DNS server is external, it still gets passed to the default gateway, which has become the VPN tunnel. The PIX gets this packet and wants to pass it outside, but there is no translation allowing it. And, in fact, the PIX will not pass traffic received on an interface back out the same interface.
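One way to confirm this diagnosis from the syslogs themselves, as an added example that is not from either poster: parse the "No translation group found" lines and tally which VPN clients on the dmz interface are sending untranslated UDP/53 traffic to which outside resolvers. The interface name "dmz" and the sample log lines (beyond the one quoted in the question) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Regex for the PIX message quoted in the thread; any syslog prefix
# (timestamp, facility, message id) is ignored so both forms parse.
NO_XLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_no_xlate(line):
    """Return the fields of a 'No translation group found' line, or None."""
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec

def dns_leaks_by_client(lines, vpn_iface="dmz"):
    """Map each VPN client (source on vpn_iface) to the outside resolvers it
    tried to reach on UDP/53 and how many times; other traffic is ignored."""
    leaks = defaultdict(Counter)
    for line in lines:
        rec = parse_no_xlate(line)
        if rec is None:
            continue
        if rec["proto"] != "udp" or rec["dst_port"] != 53:
            continue
        if rec["src_if"] != vpn_iface:
            continue
        leaks[rec["src_ip"]][rec["dst_ip"]] += 1
    return {client: dict(resolvers) for client, resolvers in leaks.items()}

# Constructed sample syslog excerpt (not from the thread); the first line
# copies the message format quoted in the question.
SAMPLE_LOG = [
    "No translation group found for udp src dmz:10.1.3.6/2803 dst outside:184.108.40.206/53",
    "No translation group found for udp src dmz:10.1.3.6/2804 dst outside:184.108.40.206/53",
    "No translation group found for udp src dmz:10.1.3.7/1041 dst outside:198.51.100.53/53",
    "No translation group found for tcp src dmz:10.1.3.6/3390 dst outside:203.0.113.9/80",
    "No translation group found for udp src inside:10.2.0.5/5000 dst outside:198.51.100.53/53",
    "Built outbound UDP connection 12 for outside:198.51.100.53/53 to inside:10.2.0.5/5000",
]

if __name__ == "__main__":
    for client, resolvers in sorted(dns_leaks_by_client(SAMPLE_LOG).items()):
        print(client, "->", resolvers)
```

A client that shows up here with a resolver address you did not hand out via the VPN is one whose lookups are bypassing the internal DNS server, which is exactly the case the reply describes.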