Cisco Support Community

New Member

Mode config & internal DNS (IOS)

Hello,

has anyone got IPSec + mode config with internally assigned addresses going and solved the problem with DNS, i.e. how is the DNS of the internal network conveyed to the client?

In a Cisco support document it says:

"Mode config can also forward WINS and DNS information to the client, although initially the internal IP addresses of those services must be statically configured on the client PC to ensure that clients can access any internal resources."

Is this feature supported yet (and with which IPSec client) and if not, can we expect it some time soon?

Regards

Dirk

PS: We are using a 2620 but I suppose the subject is also relevant to PIX.
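The Cisco document quoted above says mode config can forward DNS and WINS information to the client. For reference, the following is an added example, not part of this thread or of Cisco's documentation, of how that is expressed in IOS Easy VPN Server syntax (the `crypto isakmp client configuration group` command family introduced in 12.2(8)T, i.e. later than the IOS release this question was asked about). All addresses, pool ranges, names and the group name are placeholders.

```text
! Added example: IOS Easy VPN Server pushing DNS/WINS/domain via IKE mode config.
! All addresses, names and keys below are placeholders, not values from this thread.
aaa new-model
! Xauth per-user login (local database here; RADIUS/TACACS+ is the usual production choice)
aaa authentication login VPN-LOGIN local
! Group authorization: supplies the mode-config attributes for the group
aaa authorization network VPN-GROUP local
username vpnuser password 0 <client-password>
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Attributes pushed to the client during mode config:
! internal DNS, internal WINS, DNS domain and the address pool.
crypto isakmp client configuration group REMOTE-USERS
 key <group-pre-shared-key>
 dns 10.0.0.53 10.0.0.54
 wins 10.0.0.55
 domain example.internal
 pool VPN-POOL
!
! Addresses handed to clients (should not overlap the internal LAN)
ip local pool VPN-POOL 10.99.0.1 10.99.0.254
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! Tie Xauth, group authorization and mode-config address assignment to the crypto map
crypto map VPNMAP client authentication list VPN-LOGIN
crypto map VPNMAP isakmp authorization list VPN-GROUP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 crypto map VPNMAP
```

Two points worth checking on a real deployment: the group pre-shared key only identifies the group, so the Xauth step (`client authentication list`) is what provides per-user authentication and should not be omitted; and because the pushed DNS server is used for the client's lookups while the tunnel is up, the internal zone it serves should be the private one described later in this thread, not one that replicates to public DNS.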

4 REPLIES
New Member

Re: Mode config & internal DNS (IOS)

I’d suggest using an internal private WINS/DNS solution for your VPN clients.

Hope this helps!

New Member

Re: Mode config & internal DNS (IOS)

Thanks, but could you elaborate? What would such a solution look like?

Cheers

Dirk

New Member

Re: Mode config & internal DNS (IOS)

If you set up WINS & DNS on your internal network that resolves your internal clients, it needs to be a private zone that doesn't replicate with your public DNS. Then have your internal DNS grab external addresses when requested. Those internal WINS & DNS servers are what you should configure for your VPN clients and your local hosts (via DHCP or whatever). Our domain administrator is a consultant and set this up for us, but that's my understanding of how it works. I would think Cisco can help you with the router or PIX and client configs.

New Member

Re: Mode config & internal DNS (IOS)

Thank you for replying. My original question was actually about configuring the clients (or the router), not the name servers. I suppose in most VPN scenarios people will use their existing name server setup.

As you say, we have to configure the clients somehow ("via DHCP or whatever"), which is what Cisco mode config is designed for, but in my opinion it cannot do much more than assign internal IPs, not DNS/WINS.

Interestingly, the IETF has turned down mode config (aka IKECFG) as a proposed standard and will concentrate on integrating DHCP. The bad news is that we'll have to wait for vendors to change their clients; the good news is that a standard is on the way which doesn't require much change in infrastructure etc.

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt

Dirk
