Cisco Support Community
New Member

VPN and Split-DNS problem connecting 851 to 3030 Concentrator

I have configured a Cisco 851 (IOS 12.4(11)T) to connect to the Cisco 3000 Concentrator (v4.72G). I am having multiple problems:

1. On the concentrator I have specified multiple domain names for split DNS "hq.portablesunlimited.com,hq.cellfonestore.com". However I see only the first name created for the dns views.

2. We have a static WAN IP address with a fixed DNS Server name given by our ISP. I am using the same DNS name on the client PCs connected to the 851. I am able to resolve any external names, e.g. "www.google.com". When I try to resolve a DNS address (Split-DNS), e.g. server.hq.portablesunlimited.com, it fails to resolve the address. I tried to specify the address of 815 (10.0.0.1) as the DNS server for the clients; in this case the clients do not resolve any address. However, if I go to the 851 console and ping, say, "www.yahoo.com", it works, and then I can resolve that address "www.yahoo.com" from the client PCs also.

I don't have any firewall or NAT enabled on the 851.

Here is the 851 config file:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname firewall
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 10.220.1.1 10.220.1.99
ip dhcp excluded-address 10.220.1.201 10.220.1.254
!
ip dhcp pool sdm-pool1
 import all
 network 10.220.1.0 255.255.255.0
 dns-server 129.x.x.80
 default-router 10.220.1.1
!
ip cef
ip domain name mydomain.com
ip name-server 129.x.x.80
!
crypto pki trustpoint TP-self-signed-3072999871
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3072999871
 revocation-check none
 rsakeypair TP-self-signed-3072999871
!
crypto ipsec client ezvpn VPN1
 connect auto
 group xyz key xyz
 mode network-extension
 peer x.x.x.x
 username xyz password xyz
 xauth userid mode local
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 129.34.x.x.255.255.240
 duplex auto
 speed auto
 crypto ipsec client ezvpn VPN1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.220.1.1 255.255.255.0
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn VPN1 inside
!
ip route 0.0.0.0 0.0.x.x.34.7.82
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns view ezvpn-internal-view
 domain name-server 10.128.1.10
ip dns view-list ezvpn-internal-viewlist
 view ezvpn-internal-view 10
  restrict name-group 1
 view default 20
ip dns name-list 1 permit HQ.PORTABLESUNLIMITED.COM
ip dns server view-group ezvpn-internal-viewlist
!
no cdp run
!
end
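
Added example, not part of the original post and not Cisco code: a small Python check that compares the split-DNS domains entered on the concentrator with the `ip dns name-list` entries that actually reached the router, and shows which internal resolver each domain would be sent to. The function names `parse_split_dns` and `audit` are hypothetical, and the check assumes every name-list entry is a plain domain name, as in the configuration above.

```python
import re

# Constructed sample: the split-DNS lines copied from the 851 configuration in the post.
SAMPLE_CONFIG = """\
ip dns view ezvpn-internal-view
 domain name-server 10.128.1.10
ip dns view-list ezvpn-internal-viewlist
 view ezvpn-internal-view 10
  restrict name-group 1
 view default 20
ip dns name-list 1 permit HQ.PORTABLESUNLIMITED.COM
ip dns server view-group ezvpn-internal-viewlist
"""

# Split-DNS value entered on the concentrator, as quoted in the post.
CONCENTRATOR_SPLIT_DNS = "hq.portablesunlimited.com,hq.cellfonestore.com"


def parse_split_dns(config):
    """Return (name_lists, restricted_views, view_servers) from IOS config text."""
    name_lists, restricted, servers = {}, {}, {}
    view = None  # view whose sub-commands are currently being read
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted without indentation
        if m := re.match(r"ip dns name-list (\d+) permit (\S+)$", line):
            name_lists.setdefault(m.group(1), set()).add(m.group(2).lower())
        elif m := re.match(r"ip dns view (\S+)$", line):
            view = m.group(1)
        elif m := re.match(r"view (\S+) \d+$", line):
            view = m.group(1)
        elif m := re.match(r"restrict name-group (\d+)$", line):
            restricted[view] = m.group(1)
        elif m := re.match(r"domain name-server (\S+)$", line):
            servers.setdefault(view, []).append(m.group(1))
    return name_lists, restricted, servers


def audit(config, pushed_domains):
    """Map each pushed domain to the internal resolvers it reaches, or None if unlisted."""
    name_lists, restricted, servers = parse_split_dns(config)
    result = {}
    for domain in (d.strip().lower() for d in pushed_domains.split(",")):
        hit = [v for v, grp in restricted.items() if domain in name_lists.get(grp, set())]
        result[domain] = servers.get(hit[0]) if hit else None
    return result


if __name__ == "__main__":
    for domain, resolvers in audit(SAMPLE_CONFIG, CONCENTRATOR_SPLIT_DNS).items():
        print(domain, "->", resolvers or "no name-list entry (falls to default view)")
```

A domain reported with no name-list entry is answered through the default view, that is, by the ISP resolver rather than the internal one.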

1 REPLY
New Member

Re: VPN and Split-DNS problem connecting 851 to 3030 Concentrato

Someone please reply to the post as this issue is critical for us to decide the purchase of the above equipment for our 40 remote locations.

Thanks

Srikant
