03-07-2012 11:26 AM
Hello everyone:)
I have Cisco VPN 3000 in main office which provides VPN tunnel to the remote site (PIX 506). In main office we have Domain Controller as well as DNS/DHCP servers. I ran into the issue where DNS reverse lookups are not working from main office to the remote computers:
ping remotecomputer.mydomain.org - works fine from main office and resolves to appropriate IP address
ping -a IP address - from main office returns nothing.attdns.com
From the remote computers, both forward and reverse lookups are working fine.
I'm not sure how to approach this, any help would be appreciated.
thanks,
forman
03-07-2012 11:36 AM
Can you post your associated configs? It sounds like you have a needed protocol blocked.
Ven
03-07-2012 12:02 PM
Here's remote PIX config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name mydomain.org
clock timezone EDT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list VPN permit ip 10.1.4.0 255.255.255.0 any
access-list LocalNet permit ip any any
pager lines 20
logging on
logging monitor debugging
logging buffered warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
ip address outside 69.69.x.x 255.255.255.252
ip address inside 10.1.4.1 255.255.255.0
ip audit name Outside_Attack attack action alarm drop reset
ip audit name Outside_Recon info action alarm drop reset
ip audit interface outside Outside_Recon
ip audit interface outside Outside_Attack
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2150 disable
pdm location 128.1.x.x 255.255.0.0 inside
pdm location 208.23.x.x 255.255.255.0 inside
pdm location 208.23.x.x 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LocalNet
route outside 0.0.0.0 0.0.0.0 69.69.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community mak6628-pub#
no snmp-server enable traps
tftp-server inside 130.1.4.178 /test.cfg
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AMC esp-3des esp-md5-hmac
crypto map Q 10 ipsec-isakmp
crypto map Q 10 match address VPN
crypto map Q 10 set peer 208.23.x.x
crypto map Q 10 set transform-set AMC
crypto map Q interface outside
isakmp enable outside
isakmp key ******** address 208.23.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
console timeout 0
terminal width 80
Main office VPN Concentrator has just basic VPN tunnel config...
03-08-2012 05:19 AM
You have the command "no fixup protocol dns".
Did you turn that off for a reason?
Ven
03-08-2012 05:26 AM
I've seen that... It's an inherited configuration, the previous tech must have done it. I also looked at our DNS servers and found that the reverse lookup zone was not working properly for that remote subnet. I re-created it and now ping -a to the remote site works fine, but for some reason the computers are not updating the pointers in that particular reverse lookup zone. Wondering if that actually has something to do with no fixup protocol dns... I will go ahead and re-enable it for testing.
03-08-2012 11:34 AM
I fixed that issue by re-creating DNS reverse lookup zones. Initially I thought the issue was with the VPN tunnel, but it is not. Thanks Ven for taking time to answer.
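A forward/reverse consistency check for the remote subnet, added here as an example and not part of the thread: it does what ping -a does for a whole list of hosts and classifies each result, so a missing or stale PTR in a recreated reverse zone shows up without pinging each machine by hand. The resolver functions are pluggable; the sample zones and host names below are constructed, not real records.

```python
import socket
from typing import Callable, Dict, List

def default_forward(name: str) -> str:
    return socket.gethostbyname(name)

def default_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

def check_host(name: str, forward: Callable[[str], str] = default_forward,
               reverse: Callable[[str], str] = default_reverse) -> Dict[str, object]:
    """Resolve name -> IP (A), then IP -> name (PTR), and classify the pair.
    'ok'           A and PTR agree
    'no-ptr'       A works, PTR missing: the 'ping -a returns nothing' symptom
    'ptr-mismatch' PTR names another host: stale record in the reverse zone
    'no-a'         forward lookup itself fails
    """
    try:
        ip = forward(name)
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        return {"host": name, "ip": None, "ptr": None, "status": "no-a"}
    try:
        ptr = reverse(ip)
    except OSError:
        return {"host": name, "ip": ip, "ptr": None, "status": "no-ptr"}
    same = ptr.lower().rstrip(".") == name.lower().rstrip(".")
    return {"host": name, "ip": ip, "ptr": ptr,
            "status": "ok" if same else "ptr-mismatch"}

def audit(hosts: List[str], forward=default_forward, reverse=default_reverse):
    return [check_host(h, forward, reverse) for h in hosts]

# Constructed sample zones (not real data): a forward zone for the remote
# 10.1.4.0/24 subnet and a reverse zone where one PTR is stale and one is missing.
SAMPLE_A = {"pc1.mydomain.org": "10.1.4.10", "pc2.mydomain.org": "10.1.4.11",
            "pc3.mydomain.org": "10.1.4.12"}
SAMPLE_PTR = {"10.1.4.10": "pc1.mydomain.org", "10.1.4.11": "oldpc.mydomain.org"}

def sample_forward(name: str) -> str:
    if name not in SAMPLE_A:
        raise socket.gaierror(f"no A record for {name}")
    return SAMPLE_A[name]

def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_PTR:
        raise socket.herror(f"no PTR record for {ip}")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for row in audit(list(SAMPLE_A) + ["ghost.mydomain.org"], sample_forward, sample_reverse):
        print(row["host"], row["ip"], row["ptr"], row["status"])
```

Replace sample_forward and sample_reverse with the defaults to run it against the real main-office DNS server; a host reported as no-ptr after the reverse zone was recreated is one whose dynamic PTR update never arrived.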