Mode config & internal DNS (IOS)

roslerd
Level 1

Hello,

has anyone got IPSec + mode config with internally assigned addresses going and solved the problem with DNS, i.e. how is the DNS of the internal network conveyed to the client?

In a Cisco support document it says:

"Mode config can also forward WINS and DNS information to the client, although initially the internal IP addresses of those services must be statically configured on the client PC to ensure that clients can access any internal resources."

Is this feature supported yet (and with which IPSec client) and if not, can we expect it some time soon?

Regards

Dirk

PS: We are using a 2620 but I suppose the subject is also relevant to PIX.

4 Replies

mmellet
Level 3

I’d suggest using an internal private WINS/DNS solution for your VPN clients.

Hope this helps!

Thanks, but could you elaborate? What would such a solution look like?

Cheers

Dirk

If you set up WINS & DNS on your internal network that resolve your internal clients, it needs to be a private zone that doesn't replicate with your public DNS. Then have your internal DNS grab external addresses when requested. Those internal WINS & DNS servers are what you should configure for your VPN clients and your local hosts (via DHCP or whatever). Our domain administrator is a consultant and set this up for us, but that's my understanding of how it works. I would think Cisco can help you with the router or PIX and client configs.

Thank you for replying. My original question was actually about configuring the clients (or the router), not the name servers. I suppose in most VPN scenarios people will use their existing name server setup.

As you say, we have to configure the clients somehow ("via DHCP or whatever"), and this is what Cisco mode config is designed for, but in my opinion it cannot do much more than assigning internal IPs, not DNS/WINS.

Interestingly the IETF has turned down mode config (aka IKECFG) as a proposed standard and will concentrate on integrating DHCP. The bad news is that we'll have to wait for vendors to change their clients, the good news is that a standard is on the way which doesn't require much change in infrastructure etc.

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt

Dirk
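For reference, here is what the router side of the question looks like on IOS trains that do push DNS/WINS through mode config. This is an added example, not a configuration posted in the thread or taken from the Cisco document quoted above: it uses the Easy VPN Server syntax (`crypto isakmp client configuration group`), which only exists in 12.2(8)T and later; the older address-only mode config that the original question is about cannot carry the `dns`/`wins` attributes. All addresses, names, the pool range and the keys below are assumed values. (The DHCP-over-IPsec draft linked in the last post was later published as RFC 3456.)

```cisco
! Added example (not from the thread): IOS Easy VPN Server mode config
! that pushes DNS, WINS and a default domain along with the address.
! Needs an IOS with "crypto isakmp client configuration group"
! (12.2(8)T or later). Addresses, names and keys are assumed values.
aaa new-model
aaa authentication login vpn-xauth local
aaa authorization network vpn-group local
username vpnuser secret UserPassword1

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

! Group name and group key must match what the VPN client is configured with.
! dns/wins/domain are the mode-config attributes handed to the client.
crypto isakmp client configuration group remote-users
 key GroupPreSharedKey
 dns 10.1.1.10 10.1.1.11
 wins 10.1.1.20
 domain corp.example
 pool vpn-pool
 acl 101

ip local pool vpn-pool 10.200.0.1 10.200.0.254

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
 reverse-route

! Xauth for per-user authentication, group authorization for the attributes
! above, and "respond" so the router answers the client's mode-config request.
crypto map clientmap client authentication list vpn-xauth
crypto map clientmap isakmp authorization list vpn-group
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

! Split-tunnel list: only the internal network is sent through the tunnel,
! so the pushed (private) DNS servers must live inside it.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

interface FastEthernet0/0
 crypto map clientmap
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` on the router confirm the SAs, and on the client the pushed DNS/WINS servers and domain should appear as the adapter's settings for the virtual interface. The security point from the thread still holds: the pushed resolvers should be the internal ones that only answer inside the tunnel, so that the client's name resolution for internal hosts does not leak to, or get answered by, a public resolver.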