
Reverse lookup is not working over L2L VPN tunnel.

forman102
Level 1

Hello everyone:)

I have a Cisco VPN 3000 in the main office which provides a VPN tunnel to the remote site (PIX 506). In the main office we have a Domain Controller as well as DNS/DHCP servers. I ran into the issue where DNS reverse lookups are not working from the main office to the remote computers:

ping remotecomputer.mydomain.org - works fine from main office and resolves to appropriate IP address

ping -a IP address - from main office returns nothing.attdns.com

From the remote computers, both forward and reverse lookups are working fine.

I'm not sure how to approach this, any help would be appreciated.

thanks,

forman

5 Replies

Ven Taylor
Level 4

Can you post your associated configs?  It sounds like you have a needed protocol blocked.

Ven

Ven Taylor

Here's remote PIX config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name mydomain.org
clock timezone EDT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list VPN permit ip 10.1.4.0 255.255.255.0 any
access-list LocalNet permit ip any any
pager lines 20
logging on
logging monitor debugging
logging buffered warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
ip address outside 69.69.x.x 255.255.255.252
ip address inside 10.1.4.1 255.255.255.0
ip audit name Outside_Attack attack action alarm drop reset
ip audit name Outside_Recon info action alarm drop reset
ip audit interface outside Outside_Recon
ip audit interface outside Outside_Attack
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2150 disable
pdm location 128.1.x.x 255.255.0.0 inside
pdm location 208.23.x.x 255.255.255.0 inside
pdm location 208.23.x.x 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LocalNet
route outside 0.0.0.0 0.0.0.0 69.69.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community mak6628-pub#
no snmp-server enable traps
tftp-server inside 130.1.4.178 /test.cfg
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AMC esp-3des esp-md5-hmac
crypto map Q 10 ipsec-isakmp
crypto map Q 10 match address VPN
crypto map Q 10 set peer 208.23.x.x
crypto map Q 10 set transform-set AMC
crypto map Q interface outside
isakmp enable outside
isakmp key ******** address 208.23.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
console timeout 0
terminal width 80

Main office VPN Concentrator has just basic VPN tunnel config...

You have the command "no fixup protocol dns".

Did you turn that off for a reason?

Ven

Ven Taylor

I've seen that... It's an inherited configuration, the previous tech must have done it. I also looked at our DNS servers and found that the reverse lookup zone was not working properly for that remote subnet. I re-created it and now ping -a to the remote site works fine, but for some reason the computers are not updating the pointers in that particular reverse lookup zone. Wondering if that actually has something to do with no fixup protocol dns... I will go ahead and re-enable it for testing.

I fixed that issue by re-creating the DNS reverse lookup zones. Initially I thought the issue was with the VPN tunnel, but it is not. Thanks Ven for taking time to answer.
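The symptom in this thread (forward names resolve, `ping -a` returns nothing, and later hosts stop updating their PTR records) is exactly what a forward/reverse consistency audit catches before anyone blames the tunnel. The following Python script is an added example, not code from the thread or from Cisco: it compares a forward zone against the matching in-addr.arpa zone and reports every A record whose PTR is missing or points at a different name. The hostnames and zone contents are constructed sample data on the thread's 10.1.4.0/24 subnet; `live_reverse_lookup` is an optional helper that does what `ping -a` does through the OS resolver and is not used by the offline audit.

```python
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (not taken from the thread). The forward zone
# maps names to addresses on the remote 10.1.4.0/24 subnet; the reverse zone
# is keyed by the full in-addr.arpa owner name of each PTR record.
FORWARD_ZONE: Dict[str, str] = {
    "remotecomputer.mydomain.org": "10.1.4.50",
    "remoteprinter.mydomain.org": "10.1.4.60",
    "remotelaptop.mydomain.org": "10.1.4.70",
}
REVERSE_ZONE: Dict[str, str] = {
    "50.4.1.10.in-addr.arpa": "remotecomputer.mydomain.org",
    "60.4.1.10.in-addr.arpa": "oldprinter.mydomain.org",  # stale PTR, host was renamed
    # 10.1.4.70 has no PTR at all: the "ping -a returns nothing" case
}


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4/IPv6 address (e.g. 50.4.1.10.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def audit_reverse_zone(forward: Dict[str, str],
                       reverse: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, ip, problem) for each A record whose PTR is missing or stale.

    A host with no finding resolves consistently in both directions.
    """
    findings: List[Tuple[str, str, str]] = []
    for host, ip in forward.items():
        ptr = reverse.get(ptr_name(ip))
        if ptr is None:
            findings.append((host, ip, "missing PTR"))
        elif ptr.rstrip(".").lower() != host.rstrip(".").lower():
            findings.append((host, ip, f"stale PTR -> {ptr}"))
    return findings


def live_reverse_lookup(ip: str) -> Optional[str]:
    """Equivalent of `ping -a`: ask the OS resolver for the PTR; None when there is no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for host, ip, problem in audit_reverse_zone(FORWARD_ZONE, REVERSE_ZONE):
        print(f"{ip:<12} {host:<30} {problem}")
```

In practice the two dictionaries would be filled from a zone transfer or an export of the DNS server, and a run that reports a whole subnet as "missing PTR" points at the reverse zone itself (missing, wrong name, or not accepting dynamic updates), which is where this thread ended up, rather than at the VPN path.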
