Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN problem with DNS Server at central site

Hi,

I have this new trouble, Inside the central site I access at the DNS Server and It resolve the names, but when I connect with VPN, I almost see the DNS Server but it cant resolve names, what am I doing wrong ?

Everyone's tags (5)
11 REPLIES
Super Bronze

VPN problem with DNS Server at central site

Have you got your internal DNS server configured under the vpn policy? Are you trying to resolve hostname or FQDN?

New Member

VPN problem with DNS Server at central site

Hi Jennifer, thanks for giving me Response, My DNS Server can resolve names of applications, so as an example if I ping from de Inside to some of my applications, the ping is done, but If Im in the outside using a VPN, I ping to those applications and the Ping Fails, I almost have to say that if I ping the DNS Server as Its IP address, the ping almost is DONE from the inside and form the Outside, Thanks

Super Bronze

VPN problem with DNS Server at central site

Ping fails, but does it resolve the name? or ping fails but it resolves the name OK?

New Member

VPN problem with DNS Server at central site

ping to the application fails and it does not resolve the name from outside, from inside everything is ok

New Member

VPN problem with DNS Server at central site

ping to the DNS Server its ok but dont resolve names

Super Bronze

VPN problem with DNS Server at central site

do you have your dns server configured under the vpn policy? and also do you have default domain configured so it appends the hostname to FQDN.

Do you mind sharing your config.

New Member

VPN problem with DNS Server at central site

HI, my dns server is 10.10.11.254, and you you have the config:

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname XXXXXX

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$k19c$8slcyILLUgQ5Pk9tFDaVE.

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone mexico -6

!

no ipv6 cef

ip source-route

ip cef

!

!

ip dhcp excluded-address 10.10.11.1 10.10.11.99

ip dhcp excluded-address 10.10.11.199 10.10.11.254

ip dhcp excluded-address 192.168.1.1 192.168.1.99

ip dhcp excluded-address 192.168.1.199 192.168.1.254

ip dhcp excluded-address 10.10.21.1 10.10.21.99

ip dhcp excluded-address 10.10.21.199 10.10.21.254

ip dhcp excluded-address 10.10.11.190 10.10.11.199

!

ip dhcp pool LAN

   network 10.10.11.0 255.255.255.0

   default-router 10.10.11.1

   dns-server 10.10.11.254

   lease 8

!

ip dhcp pool Guest

   network 10.10.21.0 255.255.255.0

   default-router 10.10.21.1

   dns-server 200.23.242.193 148.233.151.8

!

ip dhcp pool IT

   host 10.10.11.80 255.255.255.0

   client-identifier 015c.ac4c.b64b.0d

   client-name IT

!

ip dhcp pool ex3

   host 10.10.11.83 255.255.255.0

   client-identifier 0134.51c9.6306.f6

!

ip dhcp pool ex4

   host 10.10.11.84 255.255.255.0

   client-identifier 01c8.bcc8.25d9.13

!

ip dhcp pool ex5

   host 10.10.11.85 255.255.255.0

   client-identifier 01d8.a25e.6844.a1

!

ip dhcp pool ex6

   host 10.10.11.86 255.255.255.0

   client-identifier 01e8.3eb6.ff47.19

!

ip dhcp pool Test

   host 10.10.11.20 255.255.255.0

   client-identifier 0100.0c29.6c05.85

!

ip dhcp pool JL

   host 10.10.11.82 255.255.255.0

   client-identifier 0100.270e.2ed9.34

   client-name JL

!

ip dhcp pool ex10

   host 10.10.11.87 255.255.255.0

   client-identifier 01e0.2a82.aa58.a9

!

ip dhcp pool Mkt

   host 10.10.11.81 255.255.255.0

   client-identifier 01c4.4619.53fb.25

!

ip dhcp pool Prueba

   host 10.10.11.50 255.255.255.0

   client-identifier 0100.2682.b2de.f9

!

ip dhcp pool MBAL

   host 10.10.11.88 255.255.255.0

   client-identifier 0100.1d4f.fa2c.fd

!

ip dhcp pool IML

   host 10.10.11.89 255.255.255.0

   client-identifier 01b8.8d12.0064.b6

!

ip dhcp pool Hernan

   host 10.10.11.78 255.255.255.0

   client-identifier 01f0.4da2.7f83.fe

!

ip dhcp pool Edgar

   host 10.10.11.75 255.255.255.0

   client-identifier 011c.c1de.fbb6.51

!

ip dhcp pool Graciela

   host 10.10.11.72 255.255.255.0

   client-identifier 0100.2312.027b.ee

!

ip dhcp pool Griselda

   host 10.10.11.79 255.255.255.0

   client-identifier 01f0.b479.1500.b3

!

ip dhcp pool Tanis

   host 10.10.11.69 255.255.255.0

   client-identifier 0178.ca39.b30f.72

!

!

ip domain name XXXXXXXX

ip host trps.trendmicro.com 150.70.74.51 216.104.8.100

ip name-server 10.10.11.254

ip name-server 200.23.242.193

ip name-server 148.233.151.8

ip port-map smtp port tcp 25 list 1 description exch

ip inspect tcp reassembly queue length 32

ip inspect tcp reassembly timeout 30

ip inspect tcp reassembly memory limit 2048

ip urlfilter max-resp-pak 2000

!

multilink bundle-name authenticated

!

parameter-map type urlfpolicy local local-parameters

allow-mode on

block-page message "Pagina bloqueada por contenido inadecuado"

parameter-map type urlfpolicy trend dynamic-parameters

allow-mode on

block-page message "The website you have accessed is blocked as per corporate policy"

parameter-map type urlf-glob url-blacklist

pattern *.meebo.com

pattern *.mediafire.com

pattern *.filesonic.com

pattern *.rapidshare.com

pattern *.depositfiles.com

pattern *.wupload.com

pattern *.wupload.mx

pattern *.babosas.com

pattern *.megavideo.com

pattern megavideo.com

pattern megaupload.com

pattern *.megaupload.com

pattern filesonic.com

pattern filesonic.mx

pattern rapidshare.com

pattern depositfiles.com

parameter-map type urlf-glob keyword-blacklist

pattern hack

pattern porn

pattern xxx

pattern facebook.com

parameter-map type urlf-glob url-whitelist

pattern www.cisco.com

pattern www.travelocity.com

pattern www.travelocity.com.mx

pattern www.despegar.com.mx

pattern www.google.com

pattern www.speedtest.net

pattern www.idconline.com.mx

pattern www.banorte.com

pattern www.banorte.com.mx

pattern www.banxico.org.mx

pattern www.bancoazteca.com.mx

pattern www.bancoinbursa.com

pattern www.hsbc.com.mx

pattern www.santander.com.mx

pattern www.banamex.com

pattern www.live.com

pattern www.hotmail.com

pattern www.gmail.com

pattern www.prodigy.msn.com

pattern www.login.live.com

pattern www.go.travelpn.com

pattern www.repuve.gob.mx

pattern www.guitarcenter.com

pattern www.store.guitarcenter.com

pattern www.officedepot.com.mx

pattern store.officedepot.com.mx

pattern www.occ.com.mx

pattern www.aeromexico.com

pattern recluta10.occ.com.mx

pattern www.ticketmaster.com.mx

pattern ticketmaster.com.mx

pattern media.ticketmaster.com

pattern www.grupoemporium.mx

pattern portal.infonavit.org.mx

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type ooo global

parameter-map type trend-global global-param-map

server trps.trendmicro.com retrans 5 timeout 120

cache-size maximum-memory 7000

!

!

crypto pki trustpoint Equifax_Secure_CA

revocation-check none

!

crypto pki trustpoint NetworkSolutions_CA

revocation-check none

!

crypto pki trustpoint trps1_server

revocation-check none

!

crypto pki trustpoint TP-self-signed-1692929506

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1692929506

revocation-check none

rsakeypair TP-self-signed-1692929506

!

!

crypto pki certificate chain Equifax_Secure_CA

certificate ca 35DEF4CF

  30820320 30820289 A0030201 02020435 DEF4CF30 0D06092A 864886F7 0D010105

  0500304E 310B3009 06035504 06130255 53311030 0E060355 040A1307 45717569

  66617831 2D302B06 0355040B 13244571 75696661 78205365 63757265 20436572

  74696669 63617465 20417574 686F7269 7479301E 170D3938 30383232 31363431

  35315A17 0D313830 38323231 36343135 315A304E 310B3009 06035504 06130255

  53311030 0E060355 040A1307 45717569 66617831 2D302B06 0355040B 13244571

  75696661 78205365 63757265 20436572 74696669 63617465 20417574 686F7269

  74793081 9F300D06 092A8648 86F70D01 01010500 03818D00 30818902 818100C1

  5DB15867 0862EEA0 9A2D1F08 6D911468 980A1EFE DA046F13 846221C3 D17CCE9F

  05E0B801 F04E34EC E28A9504 64ACF16B 535F05B3 CB6780BF 42028EFE DD0109EC

  E100144F FCFBF00C DD43BA5B 2BE11F80 70991557 9316F10F 976AB7C2 68231CCC

  4D5930AC 511E3BAF 2BD6EE63 457BC5D9 5F50D2E3 500F3A88 E7BF14FD E0C7B902

  03010001 A3820109 30820105 30700603 551D1F04 69306730 65A063A0 61A45F30

  5D310B30 09060355 04061302 55533110 300E0603 55040A13 07457175 69666178

  312D302B 06035504 0B132445 71756966 61782053 65637572 65204365 72746966

  69636174 65204175 74686F72 69747931 0D300B06 03550403 13044352 4C31301A

  0603551D 10041330 11810F32 30313830 38323231 36343135 315A300B 0603551D

  0F040403 02010630 1F060355 1D230418 30168014 48E668F9 2BD2B295 D747D823

  20104F33 98909FD4 301D0603 551D0E04 16041448 E668F92B D2B295D7 47D82320

  104F3398 909FD430 0C060355 1D130405 30030101 FF301A06 092A8648 86F67D07

  4100040D 300B1B05 56332E30 63030206 C0300D06 092A8648 86F70D01 01050500

  03818100 58CE29EA FCF7DEB5 CE02B917 B585D1B9 E3E095CC 25310D00 A6926E7F

  B692639E 5095D19A 6FE411DE 63856E98 EEA8FF5A C8D355B2 667157DE C021EB3D

  2AA72349 01048642 7BFCEE7F A21652B5 6767D340 DB3B2658 B228773D AE147761

  D6FA2A66 27A00DFA A7735CEA 70F19421 65445FFA FCEF2968 A9A28779 EF79EF4F AC077738

      quit

crypto pki certificate chain NetworkSolutions_CA

certificate ca 10E776E8A65A6E377E050306D43C25EA

  308204A6 3082038E A0030201 02021010 E776E8A6 5A6E377E 050306D4 3C25EA30

  0D06092A 864886F7 0D010105 05003081 97310B30 09060355 04061302 5553310B

  30090603 55040813 02555431 17301506 03550407 130E5361 6C74204C 616B6520

  43697479 311E301C 06035504 0A131554 68652055 53455254 52555354 204E6574

  776F726B 3121301F 06035504 0B131868 7474703A 2F2F7777 772E7573 65727472

  7573742E 636F6D31 1F301D06 03550403 13165554 4E2D5553 45524669 7273742D

  48617264 77617265 301E170D 30363034 31303030 30303030 5A170D32 30303533

  30313034 3833385A 3062310B 30090603 55040613 02555331 21301F06 0355040A

  13184E65 74776F72 6B20536F 6C757469 6F6E7320 4C2E4C2E 432E3130 302E0603

  55040313 274E6574 776F726B 20536F6C 7574696F 6E732043 65727469 66696361

  74652041 7574686F 72697479 30820122 300D0609 2A864886 F70D0101 01050003

  82010F00 3082010A 02820101 00C3DD36 CC83C318 55B096D9 1325D326 864838BB

  167FF19F 29F6FD03 F1ED4D26 9A56F0B5 1A1ACDE6 CC855540 A4B5D00D CA22EF3D

  23C67E6C CCBCA1E9 7C5046E0 BD14AD65 12C20B11 69520A07 921F736F C1BAD762

  F0CE002E 34A5C8E6 2F0FEC0D EA446175 68E5E4DC 80364FDA 785D5325 9494F54F

  2E3A606F 0CA6D9B3 F62A2E03 12D52642 0751B264 5771DC21 1C89C769 A3E6FBC2

  7B6EEF0C 87FB5064 E84E4BEF E7719B83 6361C932 8D8CEC14 A7E489AD 3F2B2664

  E48542F2 8950E13A BE15E345 25E25ACB 8C3FE033 1E35095A 84EA7E5D A1F59180

  0A2806B7 CB314125 618B01E9 56A2F63E 5F2FF3C4 43F61994 75834CA1 82423AC6

  BAC40930 A6E17502 51B95E64 8B020301 0001A382 01203082 011C301F 0603551D

  23041830 168014A1 725F261B 28984395 5D0737D5 85969D4B D2C34530 1D060355

  1D0E0416 04143C41 E28F0808 A94C2589 8D6DC538 D0FC858C 6217300E 0603551D

  0F0101FF 04040302 01063012 0603551D 130101FF 04083006 0101FF02 01003019

  0603551D 20041230 10300E06 0C2B0601 0401860E 01020103 01304406 03551D1F

  043D303B 3039A037 A0358633 68747470 3A2F2F63 726C2E75 73657274 72757374

  2E636F6D 2F55544E 2D555345 52466972 73742D48 61726477 6172652E 63726C30

  5506082B 06010505 07010104 49304730 4506082B 06010505 07300286 39687474

  703A2F2F 7777772E 75736572 74727573 742E636F 6D2F6361 63657274 732F5554

  4E416464 54727573 74536572 7665725F 43412E63 7274300D 06092A86 4886F70D

  01010505 00038201 010068AB FCEF806B 18B2B0B3 A34589CB 53C5A2E6 AF08A9FD

  FF0F49AC FFE49FD7 417CA3C5 A2E8AAE0 57212DC3 AA7C0C4C 280B79F4 EE4C32AD

  790E7EA2 5E34184F DF54F1BD 687CE3D3 D7465E6D 64C2F76D 8882730C EF9985EA

  A9EF324A F0839F73 910CA43E 2B3151A6 628F1584 F9A63A12 303FDA6E F8CCC719

  920F5CF4 FE17F195 0847522C 508FE89B A5EEAE70 33899182 FE30AA76 7659D76C

  18D32B12 5B1D281D 7871F6CD 36A2E907 48443BE7 576E820A ADC58ADD E853B471

  AF13D206 9D376D53 3F8A3508 FAFEA216 E6B96F5C 5639D6C6 AAEF1967 CE13C5B8

  9505FB0A 44C99FA9 40254B32 11AF07FE 08D54271 E9E1538B 151FDD2A 07957024

  6F645ED3 B7902E8B 21D8

      quit

crypto pki certificate chain trps1_server

certificate ca 00

  3082029F 30820208 02010030 0D06092A 864886F7 0D010104 05003081 97310B30

  09060355 04061302 55533111 300F0603 55040813 08436F6C 6F726164 6F311030

  0E060355 04071307 426F756C 64657231 16301406 0355040A 130D4369 73636F20

  53797374 656D7331 0C300A06 0355040B 13035354 47311D30 1B060355 04031314

  74727073 312D626C 64722E63 6973636F 2E636F6D 311E301C 06092A86 4886F70D

  01090116 0F777473 75694063 6973636F 2E636F6D 301E170D 30363130 32333230

  32363231 5A170D30 39303731 39323032 3632315A 30819731 0B300906 03550406

  13025553 3111300F 06035504 08130843 6F6C6F72 61646F31 10300E06 03550407

  1307426F 756C6465 72311630 14060355 040A130D 43697363 6F205379 7374656D

  73310C30 0A060355 040B1303 53544731 1D301B06 03550403 13147472 7073312D

  626C6472 2E636973 636F2E63 6F6D311E 301C0609 2A864886 F70D0109 01160F77

  74737569 40636973 636F2E63 6F6D3081 9F300D06 092A8648 86F70D01 01010500

  03818D00 30818902 818100BF F80B7E13 19C5AA37 D7433EDC 4EC5CAD8 40BEE950

  7C099395 997043C9 B9C4BCF6 DF97F091 0ECB7D06 F1B336C6 CD134A67 826B0182

  09535A4B 11EB4BE8 B46187CB BBD9FECB CB03AE65 8F2C5E7E 40A66FF2 899E2FF1

  CBC072B2 A9B537C0 84C9F873 8A141ED9 D8D15186 F7047400 BB8A2CA1 C59DEAD8

  DA09FBB3 6E67D8BF F6811102 03010001 300D0609 2A864886 F70D0101 04050003

  818100AC C6185869 1324F6BD 728A8D00 CEDF15E3 14671016 90ED8F7B 5FF72860

  8F9469D2 B344641D 75E4A566 BCB06ACE 21DFC2B3 041A961C 8A23610A 284BC399

  8E632BBA C734D76A 266E6A45 88DC366F C5E12E9E 087AC3AA 7FEE2089 C97821A7

  882BFEC3 26425299 11700277 B9E4EBCD 15A0B388 F8D4A102 E472A398 63E0D7DA 5BFBE1

      quit

crypto pki certificate chain TP-self-signed-1692929506

certificate self-signed 01

  3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31363932 39323935 3036301E 170D3131 30383132 30343138

  30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36393239

  32393530 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C244 5E9C2EA4 5D82D1A2 DF21A622 CE00615D C870747C E62E523C 3B5BC51B

  A1068F7A 89F41FEB 7AC69FE2 EF7B8B83 D4DC0CFF 1EB49258 0AFC0B3B EE42D006

  4891CFC9 2AAD262C BD432982 D6CA2035 73837FF0 13F9B8D3 21D4E7E6 A47EB596

  68AD71F2 2E56289D A2600DFD 89BA872D 2AA47F93 8A4FEEE3 D91BC85A D8E1A573

  E3FF0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06

  03551D11 04253023 8221456D 706F7269 756D5F52 6F752E67 7275706F 656D706F

  7269756D 2E636F6D 2E6D7830 1F060355 1D230418 30168014 7E6B5AEE 3149D3FA

  356CF0C0 0CF8271E CD1128AE 301D0603 551D0E04 1604147E 6B5AEE31 49D3FA35

  6CF0C00C F8271ECD 1128AE30 0D06092A 864886F7 0D010104 05000381 81004C81

  8192823A CD8BC83C B8E018FF 2B576CA9 241C0933 B9D2A5D1 A1BA00BB FCA15359

  F7EDDE01 8E44EAAB C6D93180 87EB8F1F FB55C417 9A6DDEB0 8A9B9BEB C3FCF0F2

  5F1CC4CD 02D06253 E1E6B12F FADE769C 0A9B2D41 D2E637C8 77D2FA15 40585316

  9347AA2D 7FBDFFE9 A4B1E2B9 9260D870 27172192 127663D3 2ACFCE5E 9D84

      quit

license udi pid CISCO2921/K9 sn FTX1510AK0V

!

!

username sidiags privilege 15 secret 5 $1$11/.$I7Kq7MT1EP2OeWPAXlovP0

username hguerrero privilege 3 secret 5 $1$..Y3$9JgdY9XhsnK4dD7N5W3SA/

username alozano privilege 3 secret 5 $1$/MEf$LfZ6mjng3xY0fDNFBCvZV1

!

redundancy

crypto ctcp

!

!

ip ssh version 2

!

class-map type inspect match-all filtering-exempt-hosts

match protocol http

match access-group 124

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-all sdm-nat-user-protocol--3-1

match access-group 101

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any dmz

match protocol http

match protocol https

match protocol imap

match protocol smtp

match protocol pop3

class-map type inspect match-all ccp-cls--1

match class-map dmz

match access-group name Out-to-dmz

class-map type urlfilter trend match-any trend-block-categories

match  url category Pornography

match  url category Nudity

match  url category Peer-to-Peer

match  url category Software-downloads

match  url category Abortion

match  url category Spam

match  url category Streaming-media-MP3

match  url category Ringtones-Moblie-phone-Downloads

match  url category Military

match  url category Job-Search-Career

match  url category Gay-Lesbian

match  url category Games

match  url category Chat-Instant-Messaging

match  url category Adult-Mature-Content

match  url category Cult-Occult

match  url category Illegal-Questionable

match  url category Illegal-Drugs

match  url category Personals-Dating

match  url category Social-Networking

match  url category Entertainmemt

match  url category Marijuana

match  url category Pay-to-surf

match  url category Weapons

match  url category Violence-hate-racism

match  url category Sports

match  url category Internet-Radio-and-TV

match  url category Intimate-apparel-swimsuit

match  url category Alcohol-Tobacco

class-map type urlfilter trend match-any trend-block-reputation

match  url reputation ADWARE

match  url reputation PHISHING

match  url reputation SPYWARE

match  url reputation DIALER

match  url reputation DISEASE-VECTOR

match  url reputation HACKING

match  url reputation VIRUS-ACCOMPLICE

class-map type inspect match-all SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect match-any -sdminspectclassmap-6

match protocol http

class-map type inspect match-any -sdminspectclassmap-4

match protocol http

class-map type inspect match-any -sdminspectclassmap-5

match protocol http

class-map type inspect match-any -sdminspectclassmap-2

match protocol http

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any -sdminspectclassmap-3

match protocol http

class-map type inspect match-any -sdminspectclassmap-1

match protocol http

class-map type inspect match-any sdm-service-ccp-inspect-1

match protocol imap

match protocol smtp

class-map type inspect match-any ccp-cls-icmp-access

match protocol tcp

match protocol udp

match protocol smtp

class-map type inspect match-any p2p

match protocol bittorrent

match protocol directconnect

match protocol fasttrack

match protocol edonkey

match protocol gnutella

match protocol kazaa2

match protocol winmx

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type urlfilter match-any permitted-sites

match  server-domain urlf-glob url-whitelist

class-map type inspect match-all ccp-cls-ccp-inspect-2

match access-group name LAN_to_out

class-map type inspect match-all ccp-cls-ccp-inspect-3

match access-group name phone

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-all ccp-cls-ccp-inspect-1

match class-map p2p

match access-group name p2pdeny

class-map type urlfilter match-any blocked-sites

match  server-domain urlf-glob url-blacklist

match  server-domain urlf-glob keyword-blacklist

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all filtered-hosts

match protocol http

match access-group 123

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-any pub

match protocol http

match protocol https

match protocol imap

match protocol icmp

match protocol pop3

match protocol pop3s

match protocol smtp

class-map type inspect match-any pub-1

match protocol http

match protocol https

match protocol imap

match protocol pop3

match protocol pop3s

match protocol smtp

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

match class-map pub

match access-group name Published

match class-map pub-1

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect match-all ccp-protocol-imap

match class-map sdm-service-ccp-inspect-1

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-any pub-2

match protocol http

match protocol https

match protocol imap

match protocol pop3

match protocol pop3s

match protocol smtp

match protocol telnet

match protocol icmp

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  pass

class class-default

  pass log

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect urlfilter urlfilter-actions

parameter type urlfpolicy trend dynamic-parameters

class type urlfilter permitted-sites

  allow

class type urlfilter blocked-sites

  reset

  log

class type urlfilter trend trend-block-categories

  reset

  log

class type urlfilter trend trend-block-reputation

  reset

  log

policy-map type inspect ccp-inspect

class type inspect filtering-exempt-hosts

  inspect

class type inspect filtered-hosts

  inspect

  service-policy urlfilter urlfilter-actions

class type inspect ccp-protocol-imap

  pass

class type inspect ccp-protocol-pop3

  pass

class type inspect ccp-skinny-inspect

  pass

class type inspect ccp-protocol-im

  pass

class type inspect ccp-sip-inspect

  pass

class type inspect ccp-h323-inspect

  pass

class type inspect ccp-h323annexe-inspect

  pass

class type inspect ccp-h225ras-inspect

  pass

class type inspect ccp-h323nxg-inspect

  pass

class type inspect ccp-cls-ccp-inspect-1

  drop log

class type inspect ccp-cls-ccp-inspect-3

  pass

class type inspect ccp-cls-ccp-inspect-2

  pass

class class-default

  drop log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  allow

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect -sdminspectclassmap-4

  pass

class class-default

  pass

policy-map type inspect ccp-policy-ccp-cls--1

class type inspect -sdminspectclassmap-3

  pass

class type inspect ccp-cls--1

  pass

class class-default

  pass log

policy-map type inspect ccp-pol-outToIn

class type inspect -sdminspectclassmap-2

  pass

class type inspect ccp-cls-ccp-pol-outToIn-1

  pass

class type inspect CCP_PPTP

  pass

class class-default

  pass

policy-map type inspect sdm-permit-ip

class type inspect -sdminspectclassmap-1

  pass log

class type inspect SDM_IP

  pass

class class-default

  drop log

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

!

zone security in-zone

zone security out-zone

zone security ezvpn-zone

zone security dmz

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-zone-dmz source out-zone destination dmz

service-policy type inspect ccp-policy-ccp-cls--1

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group Ezvpn

key XXXXX

dns 10.10.11.254 200.23.242.201

domain XXXXX

pool SDM_POOL_1

acl 102

max-users 10

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group Ezvpn

   client authentication list default

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address initiate

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set general esp-3des esp-md5-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set general

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

duplex auto

speed auto

!

!

interface GigabitEthernet0/0.1

description LAN$FW_INSIDE$$ETH-LAN$

encapsulation dot1Q 1 native

ip address 10.10.11.1 255.255.255.0

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface GigabitEthernet0/0.2

description Voice$FW_INSIDE$

encapsulation dot1Q 2

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface GigabitEthernet0/0.3

description Guest$FW_INSIDE$

encapsulation dot1Q 3

ip address 10.10.21.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface GigabitEthernet0/0.4

description DMZ$FW_INSIDE$

encapsulation dot1Q 4

ip address 172.16.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security dmz

!

interface GigabitEthernet0/1

description $ES_LAN$

no ip address

shutdown

duplex auto

speed auto

!

!

interface GigabitEthernet0/2

ip address 148.244.114.206 255.255.255.0

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

!

interface Serial0/0/0

description $FW_OUTSIDE$

bandwidth 2048

bandwidth inherit

ip address 201.96.44.73 255.255.255.252

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

no clock rate 2000000

!

!

interface Virtual-Template1 type tunnel

ip unnumbered Serial0/0/0

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

!

ip local pool SDM_POOL_1 192.168.100.1 192.168.100.10

ip default-gateway 10.10.11.1

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 10

sort-by bytes

cache-timeout 20

!

ip nat inside source list DMZ_to_Out interface Serial0/0/0 overload

ip nat inside source list Guest_to_Out interface Serial0/0/0 overload

ip nat inside source list Lan_Nat interface Serial0/0/0 overload

ip nat inside source static tcp 10.10.11.253 3389 interface Serial0/0/0 3389

ip nat inside source static tcp 10.10.11.247 110 interface Serial0/0/0 110

ip nat inside source static tcp 10.10.11.252 3101 interface Serial0/0/0 3101

ip nat inside source static tcp 10.10.11.247 25 interface Serial0/0/0 25

ip nat inside source static tcp 10.10.11.247 80 interface Serial0/0/0 80

ip nat inside source static tcp 10.10.11.247 443 interface Serial0/0/0 443

ip nat inside source list Phone-to-Out interface Serial0/0/0 overload

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

!

ip access-list extended DMZ_to_Out

permit ip 172.16.2.0 0.0.0.255 any

ip access-list extended Guest_to_Out

permit ip 10.10.21.0 0.0.0.255 any

ip access-list extended LAN_to_out

remark CCP_ACL Category=128

permit ip 10.10.0.0 0.0.255.255 any

ip access-list extended Lan_Nat

remark Nat allowing the internet traffic from inside to outside

remark CCP_ACL Category=2

permit ip 10.10.11.0 0.0.0.255 any

ip access-list extended Out-to-dmz

remark CCP_ACL Category=128

permit ip any any

ip access-list extended Phone-to-Out

permit ip 192.168.1.192 0.0.0.31 any

permit ip 192.168.1.0 0.0.0.31 any

ip access-list extended Published

remark CCP_ACL Category=128

permit ip any any

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any host 201.96.44.73

permit ip any any

ip access-list extended p2pdeny

remark CCP_ACL Category=128

permit ip any any

ip access-list extended phone

remark CCP_ACL Category=128

permit ip 192.168.1.0 0.0.0.255 any

!

access-list 1 remark CCP_ACL Category=1

access-list 1 permit 10.10.11.247

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 201.96.44.72 0.0.0.3 any

access-list 100 permit ip any any

access-list 101 remark CCP_ACL Category=0

access-list 101 permit ip any host 172.16.2.254

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 10.0.0.0 0.255.255.255 any

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 123 remark Filtered hosts

access-list 123 permit ip any any

access-list 124 permit ip host 10.10.11.252 any

access-list 124 permit ip 192.168.1.0 0.0.0.255 any

access-list 124 permit ip host 10.10.11.80 any

access-list 124 permit ip host 10.10.11.81 any

access-list 124 permit ip host 10.10.11.82 any

access-list 124 permit ip host 10.10.11.83 any

access-list 124 permit ip host 10.10.11.84 any

access-list 124 permit ip host 10.10.11.85 any

access-list 124 permit ip host 10.10.11.86 any

access-list 124 permit ip host 10.10.11.87 any

access-list 124 permit ip host 10.10.11.88 any

access-list 124 permit ip host 10.10.11.89 any

access-list 124 permit ip host 10.10.11.79 any

access-list 124 permit ip host 10.10.11.78 any

access-list 124 permit ip host 10.10.11.77 any

access-list 124 permit ip host 10.10.11.76 any

access-list 124 permit ip host 10.10.11.75 any

access-list 124 permit ip host 10.10.11.74 any

access-list 124 permit ip host 10.10.11.73 any

access-list 124 permit ip host 10.10.11.72 any

access-list 124 permit ip host 10.10.11.71 any

access-list 124 permit ip host 10.10.11.70 any

access-list 124 permit ip host 10.10.11.69 any

access-list 124 permit ip host 10.10.11.68 any

access-list 124 permit ip host 10.10.11.67 any

access-list 124 permit ip host 10.10.11.66 any

access-list 124 permit ip host 10.10.11.65 any

access-list 124 deny   ip any any

access-list 124 permit ip host 10.10.21.80 any

access-list 199 permit ip 10.10.11.0 0.0.0.255 any

!

!

!

!

!

!

control-plane

!

!

banner login ^C

^C

!

line con 0

line aux 0

line vty 0 4

logging synchronous

transport input telnet ssh

line vty 5 15

logging synchronous

transport input telnet ssh

!

scheduler allocate 20000 1000

end

Super Bronze

VPN problem with DNS Server at central site

You have not configured NAT exemption. Please kindly add the following:

ip access-list extended Lan_Nat

1 deny ip 10.10.11.0 0.0.0.255 192.168.100.0 0.0.0.255

ip access-list extended Phone-to-Out

1 deny ip 192.168.1.192 0.0.0.31 192.168.100.0 0.0.0.255

2 deny ip 192.168.1.0 0.0.0.31 192.168.100.0 0.0.0.255

New Member

VPN problem with DNS Server at central site

Hi again, How annoying I am ?, ja, how  that take part of the problem ?, thanks

Super Bronze

VPN problem with DNS Server at central site

You would need to configure NAT exemption to be able to access the DNS server from the VPN client using its private IP.

New Member

VPN problem with DNS Server at central site

Well, I see that my DNS server even if it is in the VPN configuration, My router isnt replicating that DNS Server, I have to make a Nat Exception apart from those instructions you gave it to me ?

1065
Views
0
Helpful
11
Replies