New Member

[Lan to Lan] Access from remote ASA to central DNS

Hi,

I configured a LAN-to-LAN VPN between our main office (10.0.0.0/8) and a remote site (192.168.1.0/24).

[attached diagram: Lan2Lan_DNS.jpg]

It works fine! Computers on the remote site can contact servers at the main office.

My only problem is when ASA2 wants to use the DNS server at the main office.

It uses the outside2 IP to contact the DNS server, so the traffic doesn't pass through the VPN.

What is the best way to force ASA2 to contact the DNS server through the VPN?

Thanks for your help,

Patrick

10 REPLIES
New Member

[Lan to Lan] Access from remote ASA to central DNS

Please provide the configuration of ASA2 so I can provide you with the needed commands to do that.

It is done under the group policy of this VPN tunnel.

New Member

Re: [Lan to Lan] Access from remote ASA to central DNS

Configuration below :)

Result of the command: "show run"

: Saved
:
ASA Version 9.1(2)
!
hostname AEG-Etude-1
domain-name CentralOffice.fr
enable password hsn/TLPoVX14M341 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description Interface internet a
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Interface intranet ABC RemoteOffice
nameif inside
security-level 100
ip address 192.168.201.33 255.255.255.224 standby 192.168.201.34
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.148.105.131 255.255.252.0 standby 10.148.105.132
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.151.156.82
name-server 10.151.156.83
name-server 8.8.8.8
name-server 8.8.4.4
domain-name CentralOffice.fr
same-security-traffic permit intra-interface

object network NXxXxxP_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
description Reseau bureautique CentralOffice

object network NLmSasP_RemoteOffice_Rabat
subnet 192.168.201.32 255.255.255.224
description Reseau local RemoteOffice
object network NETWORK_OBJ_192.168.201.32_27
subnet 192.168.201.32 255.255.255.224
object network NToVpnI_Checkpoint
subnet 192.168.2.0 255.255.255.0
object-group network G_NXxXxxP_CentralOffice
description Groupe reseau CentralOffice
network-object object NXxXxxP_10.0.0.0_8
access-list outside_cryptomap extended permit ip object NLmSasP_RemoteOffice_Rabat object-group G_NXxXxxP_CentralOffice
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/4
failover key *****
failover link failover GigabitEthernet0/4
failover interface ip failover 172.16.0.1 255.255.255.252 standby 172.16.0.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NLmSasP_RemoteOffice_Rabat NLmSasP_RemoteOffice_Rabat destination static G_NXxXxxP_CentralOffice G_NXxXxxP_CentralOffice no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.201.32_27 NETWORK_OBJ_192.168.201.32_27 destination static NToVpnI_Checkpoint NToVpnI_Checkpoint no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route management 10.148.188.0 255.255.252.0 10.148.104.1 1
route management 10.150.24.0 255.255.255.0 10.148.104.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Test_TACACS protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server Test_TACACS (inside) host 10.148.109.2
key *****
user-identity default-domain LOCAL
aaa authentication http console Test_TACACS LOCAL
aaa authentication enable console Test_TACACS LOCAL
aaa authentication ssh console Test_TACACS LOCAL
http server enable
http 10.148.104.0 255.255.252.0 management

snmp-server group Authentication&Encryption v3 priv
snmp-server user admin Authentication&Encryption v3 encrypted auth sha 71:25:eb:9d:32:bd:c5:17:a5:b4:63:f9:35:71:83:cb:4e:cc:37:e8 priv aes 128 93:d3:5b:3f:38:22:c2:be:cd:a0:f4:10:94:14:6c:39
snmp-server host management 10.150.24.24 version 3 admin
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set trustpoint ASA_Identity
crypto map outside_map interface outside
crypto ca trustpoint ASA_Identity
enrollment terminal
fqdn vpn-site-etu.CentralOffice.com
email assistance@CentralOffice.fr
subject-name CN=vpn-site.CentralOffice.com
ip-address 1.1.1.1
crl configure
crypto ca trustpoint AC_Racine_CentralOffice
enrollment terminal
crl configure
crypto ca trustpoint AC_Infrastructure_CentralOffice
revocation-check crl
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.201.40-192.168.201.62 inside
dhcpd dns 10.151.156.82 10.151.156.83 interface inside
dhcpd lease 86400 interface inside
dhcpd domain ad.CentralOffice.fr interface inside
dhcpd option 3 ip 192.168.201.33 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.150.25.24 source outside
ntp server 134.214.100.6 source outside
ntp server 10.151.156.87 source outside prefer
webvpn
anyconnect-essentials
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-tunnel-protocol ikev2
username admin password /5ZSwKZtdTMHVSbT encrypted privilege 15
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 trust-point ASA_Identity
ikev2 remote-authentication certificate
ikev2 local-authentication certificate ASA_Identity
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f7f63832ba745ebe482989ce434ce737
: end

New Member

Re: [Lan to Lan] Access from remote ASA to central DNS

Hello Patrick,

Please apply the following config:

group-policy GroupPolicy_2.2.2.2 attributes

     dns-server value

please let me know the results.

regards,

Tariq

New Member

[Lan to Lan] Access from remote ASA to central DNS

Hi Tariq,

Thx for your quick answer.

I tried your config but I got the same behaviour...

ASA2 tried to contact the DNS server with its outside IP, so it doesn't pass through the VPN...

Patrick

New Member

Re: [Lan to Lan] Access from remote ASA to central DNS

Isn't it that you need the DNS server for the ASA2 inside subnet to resolve names?

Or do you need it for the ASA itself to resolve names?

New Member

[Lan to Lan] Access from remote ASA to central DNS

For the remote site's clients, DNS queries work fine and already use the L2L VPN.

I need it for the ASA itself.

I want to configure CentralOffice servers with their FQDN.

Patrick

New Member

Re: [Lan to Lan] Access from remote ASA to central DNS

OK, so in that case we need to include it in the crypto access list so that it is included in the traffic through the VPN.

on this ASA:

access-list outside_cryptomap permit ip host 1.1.1.1 host

on the other ASA:

Make exactly the reversed entry.

access-list permit ip host host 1.1.1.1

That should work.

Please let me know the results.

Tariq

New Member

Re: [Lan to Lan] Access from remote ASA to central DNS

It doesn't work in my case, but I think that it should work if ASA1 is the default gateway of the main office...

The outside IP is still used, but the flow between the outside IP and the DNS server is now tunneled.

The DNS server receives the DNS query from the outside IP.

The DNS response is routed to the gateway, but ASA1 is not the default gateway, so the packet is lost on the Internet.

When I configure an LDAP server, I can choose the interface. The LDAP server is at the main office.

If I choose outside, I get the same issue.

If I choose inside, the ASA contacts the LDAP server with its inside IP, so it is routed into the L2L VPN.

Can we get a similar feature for DNS?

Patrick
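An added check, not code from the thread or from Cisco: a small Python script that parses an ASA config excerpt (constructed from the one posted above, trimmed to the lines that matter) and reports, per interface, whether the ASA's own DNS query would match the crypto map ACL. It reproduces the diagnosis in this thread: a query sourced from the outside IP is not "interesting" traffic, the same query from the inside IP would be, and Tariq's host entry makes the outside-sourced query match (the return route at the DNS server is a separate matter the script does not model). The excerpt, function names and the ACL name argument are assumptions.

```python
import ipaddress
ASA2_CONFIG = """
 nameif outside
 ip address 1.1.1.1 255.255.255.248
 nameif inside
 ip address 192.168.201.33 255.255.255.224
dns domain-lookup outside
name-server 10.151.156.82
name-server 8.8.8.8
object network NXxXxxP_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network NLmSasP_RemoteOffice_Rabat
 subnet 192.168.201.32 255.255.255.224
object-group network G_NXxXxxP_CentralOffice
 network-object object NXxXxxP_10.0.0.0_8
access-list outside_cryptomap extended permit ip object NLmSasP_RemoteOffice_Rabat object-group G_NXxXxxP_CentralOffice
"""  # constructed excerpt modelled on the thread's ASA2 "show run"; interface and crypto-map lines trimmed

def parse_asa(text):
    """Collect interface IPs, DNS settings, network objects/groups and ACL entries from an ASA config."""
    cfg, cur = {"ifs": {}, "lookup": [], "ns": [], "nets": {}, "acl": {}}, None
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"]:
            cfg["ifs"][cur] = ipaddress.ip_address(t[2])
        elif t[:2] == ["dns", "domain-lookup"]:
            cfg["lookup"].append(t[2])
        elif t[0] == "name-server":
            cfg["ns"].append(ipaddress.ip_address(t[1]))
        elif t[0] in ("object", "object-group"):  # 'object network X' / 'object-group network X'
            cur = t[2]; cfg["nets"][cur] = []
        elif t[0] in ("subnet", "host"):
            cfg["nets"][cur].append(ipaddress.ip_network(t[1] if t[0] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "network-object":  # only the 'network-object object NAME' form is handled
            cfg["nets"][cur] += cfg["nets"][t[2]]
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 2  # operands follow the protocol token: 'host A' or 'object[-group] X'
            op = lambda j: [ipaddress.ip_network(t[j + 1])] if t[j] == "host" else cfg["nets"][t[j + 1]]
            cfg["acl"].setdefault(t[1], []).append((op(i), op(i + 2)))
    return cfg

def dns_tunneled(cfg, acl):
    """(interface, name-server) -> does a query sourced from that interface's IP match the crypto ACL?"""
    def match(ip, ns):
        return any(any(ip in n for n in s) and any(ns in n for n in d) for s, d in cfg["acl"][acl])
    return {(ifn, str(ns)): match(ip, ns) for ifn, ip in cfg["ifs"].items() for ns in cfg["ns"]}

def leaking_queries(cfg, acl):
    """Name-servers behind the tunnel that the 'dns domain-lookup' interface would query in the clear."""
    hit = dns_tunneled(cfg, acl)
    return sorted(str(ns) for ns in cfg["ns"] if any(ns in n for _, d in cfg["acl"][acl] for n in d)
                  and not any(hit[(i, str(ns))] for i in cfg["lookup"]))
```

Appending Tariq's line (`access-list outside_cryptomap permit ip host 1.1.1.1 host 10.151.156.82`) to the excerpt empties the leaking list, which matches Patrick's observation that the flow is then tunneled even though the outside IP is still the source.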

New Member

Re: [Lan to Lan] Access from remote ASA to central DNS (Accepted Solution)

No, unfortunately the ASA cannot decide which interface to use as the source for DNS queries.

If you can put a permanent route for the ASA2 outside IP address on the DNS server, then you can route the DNS response back to the ASA1.

Tariq

New Member

[Lan to Lan] Access from remote ASA to central DNS

It will be difficult in my environment. There are lots of routers and I don't want to add specific routes for that need.

I appreciate your help and vote your answer as a good answer even if my problem is still here!

I hope that future versions will give us a choice of interface for DNS queries.

Thanks again,

Patrick
