  • #1
    Cisco Pix 515e, client dns resolution issue

    Hi,

    I've searched and searched on this problem, so I hope someone can help me!

    Background:

    Cisco PIX 515e, an SBS 2003 server, and an ISP that recently changed its DNS server IP address.

    We lost internet one day and narrowed it down to the DNS server. This was changed in the DNS settings on the SBS server so the forwarder pointed to a working DNS server, and internet returned internally fine.

    The next time someone logged on to the VPN via the PIX using the Cisco VPN client software, they could not see the server. They authenticated fine (which is done with RADIUS in IAS on the SBS server) but could not browse files/folders etc. by server name; if they typed in the server's IP address, they could see it fine.

    I have come to this PIX not knowing an awful lot. It was configured some time ago, before me; I've worked on a few 501s but this is pretty complicated.

    Has anyone got any ideas why the VPN users cannot resolve DNS in this situation?

    Thanks, Duncan

    Cisco PIX Security Appliance Software Version 7.0(4)

    And the Cisco config (slight mods to names and IPs) is attached!

  • #2
    Re: Cisco Pix 515e, client dns resolution issue

    Changing your server's public DNS lookup should have no effect on VPN clients for this situation.

    Personally I would remove your encrypted passwords and change your public IP addresses in your config straight away. (Just noticed the IP edit note, apologies.)
    You have
    ssh 0.0.0.0 0.0.0.0 outside
    therefore I would also change your password as well, because this is a public forum.

    I would remove this command
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    unless your 2003 box has been set up with this:
    http://articles.techrepublic.com.com...1-5091116.html
    (The above may not be required anymore, so try without this first.)

    Finally, this:
    tunnel-group radius12 general-attributes
    address-pool mediumpool
    authentication-server-group none
    authentication-server-group (outside) partnerauth
    default-group-policy radius12
    can be changed to add in the DNS IP address to give to the clients when they connect.
    I can't get access to an ASA right now, but if you use this link:
    http://www.cisco.com/en/US/docs/secu...de/vpnadd.html
    and do something like:
    hostname(config)# tunnel-group radius12 general-attributes
    hostname(config-general)# dns-server 192.168.1.254
    it should help. Clients would need to reconnect, and you should see the DNS server properties in the client profile.

    Finally, maybe set these to be more stringent as well:
    telnet 0.0.0.0 0.0.0.0 inside
    http 194.129.5.0 255.255.255.192 outside
    http 192.168.1.0 255.255.255.0 inside
    Last edited by AndyJG247; 28th May 2008, 12:12. Reason: Just noticed the IP edit message you wrote, apologies :)
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

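    The tightening Andy suggests above, written out as a complete PIX 7.0(4) management-access stanza. This is an added example, not the poster's config or Andy's text: the "before" lines are the ones quoted on this page, while the admin host addresses (203.0.113.10 outside, 192.168.1.10 inside), the username "admin" and the password placeholder are assumptions to be replaced with your own.

```cisco
! ---- Before (as quoted from the posted config): management reachable from anywhere ----
ssh 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
http 194.129.5.0 255.255.255.192 outside
http 192.168.1.0 255.255.255.0 inside

! ---- After: drop the wildcard and outside-facing entries first ----
no ssh 0.0.0.0 0.0.0.0 outside
no telnet 0.0.0.0 0.0.0.0 inside
no http 194.129.5.0 255.255.255.192 outside

! SSH only from one admin host per interface (addresses are assumed examples),
! SSHv2 only, and a short idle timeout
ssh 203.0.113.10 255.255.255.255 outside
ssh 192.168.1.10 255.255.255.255 inside
ssh version 2
ssh timeout 5

! Telnet is cleartext; if it must stay, bind it to the single inside admin host
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5

! ASDM/HTTPS from the inside LAN only (the inside entry already existed)
http server enable
http 192.168.1.0 255.255.255.0 inside

! Authenticate SSH with a named local user instead of the shared telnet/enable
! password, so the credential posted to the forum is no longer the login.
! "admin" and <new-password> are placeholders, not values from the page.
username admin password <new-password> privilege 15
aaa authentication ssh console LOCAL

! Verify what is left in the running config before closing the session
show running-config ssh
show running-config telnet
show running-config http
```

    Apply the `no` lines from an inside session, not over the very SSH entry being removed, and keep that session open until a fresh SSH login from the restricted address succeeds.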


    • #3
      Re: Cisco Pix 515e, client dns resolution issue

      Originally posted by AndyJG247:
      Changing your server's public DNS lookup should have no effect on VPN clients for this situation.

      Personally I would remove your encrypted passwords and change your public IP addresses in your config straight away. (Just noticed the IP edit note, apologies.)
      You have
      ssh 0.0.0.0 0.0.0.0 outside
      therefore I would also change your password as well, because this is a public forum.

      Fear not, I changed the usernames and put random text in the encrypted password info too.

      I'll have a look at these suggestions and thanks for such a quick response.

      I'll be back with results...



      • #4
        Re: Cisco Pix 515e, client dns resolution issue

        No probs, I edited after I read your post again.
        cheers
        Andy



        • #5
          Re: Cisco Pix 515e, client dns resolution issue

          I can't see any vpn group related attributes in your config.

          Something like

          vpngroup groupname address-pool poolname
          vpngroup groupname dns-server x.y.z.t
          vpngroup groupname wins-server a.b.c.d
          vpngroup groupname default-domain example.com
          vpngroup groupname split-tunnel 80
          vpngroup groupname idle-time 1800


          http://www.cisco.com/en/US/docs/secu...e/basclnt.html
          Regards,
          Csaba Papp
          MCSA+messaging, MCSE, CCNA


          • #6
            Re: Cisco Pix 515e, client dns resolution issue

            I think that was just the 6 software, or am I incorrect?
            cheers
            Andy



            • #7
              Re: Cisco Pix 515e, client dns resolution issue

              If you notice the radius12 tunnel-group, the VPN client logs in using that; then the "logon to a network" check box causes the username and password box to appear during VPN connection, so the user network authentication occurs via IAS on the SBS server.

              We've gone a bit further now, having tried forcing a DNS server address, and still it's not working! So the VPN client provides the PC with the correct IP for the DNS server; could there be WINS or NetBIOS issues here?



              Originally posted by netxt:
              I can't see any vpn group related attributes in your config.

              Something like

              vpngroup groupname address-pool poolname
              vpngroup groupname dns-server x.y.z.t
              vpngroup groupname wins-server a.b.c.d
              vpngroup groupname default-domain example.com
              vpngroup groupname split-tunnel 80
              vpngroup groupname idle-time 1800


              http://www.cisco.com/en/US/docs/secu...e/basclnt.html



              • #8
                Re: Cisco Pix 515e, client dns resolution issue

                If you want browsing then force a WINS server too.
                Can your client ping the IP of the SBS server? If the IP works and they have the correct DNS server now, then I would expect it to work.
                cheers
                Andy



                • #9
                  Re: Cisco Pix 515e, client dns resolution issue

                  A colleague of mine has figured it out, and it was obvious!!! Well, OK, it should have been obvious, but thanks for the intelligent help! It's always appreciated; it helped us track it down.

                  The problem lay in the VPN group policy: the default domain value was defined incorrectly. I presume it had worked somehow before we reconfigured and refreshed DNS after the name server changes. Where it stated -ipswitch.org.uk it should have been without the -ipswitch, as the default server domain does not have it either. (We do own the wrongly defined address, but it should not have been in the config!)

                  With this removed, suddenly we can connect and resolve computer names!!

                  But particular thanks Andy; we have implemented the tightening up you suggested, as obviously it is leaving things open with wildcard SSH IP addresses, especially when some have been defined anyway!

                  Cheers All!

                  Duncan

                  - all names and ip addresses changed to protect the innocent.


                  Originally posted by AndyJG247:
                  If you want browsing then force a WINS server too.
                  Can you client ping the IP of the SBS server? If the IP works and they have the correct DNS server now then I would expect it to work.
                  Last edited by cavdinks; 28th May 2008, 15:50.

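                  The fix described above, shown as a PIX 7.0(4) group-policy stanza with the wrong default-domain beside the corrected one. This is an added example, not the poster's config: on 7.x the DNS, WINS and default-domain values that the VPN client receives live under `group-policy ... attributes` (the policy named by `default-group-policy radius12` in the tunnel-group quoted earlier in the thread), not under the tunnel-group itself. The DNS/WINS address 192.168.1.254 is the one Andy used above and is assumed to be the SBS server; the domain names are the sanitised ones from the post.

```cisco
! ---- As found: the suffix handed to VPN clients does not match the server's domain ----
! A label beginning with "-" is not even a valid hostname label, so "server"
! was being qualified to server.-ipswitch.org.uk, which the SBS DNS server
! does not answer for. Access by IP address still worked, which is why
! only name resolution broke.
group-policy radius12 attributes
 dns-server value 192.168.1.254
 default-domain value -ipswitch.org.uk

! ---- Corrected: suffix matches the zone the SBS DNS server is authoritative for ----
! wins-server is the "force a WINS server too" point from earlier in the thread,
! for Network Neighbourhood browsing rather than plain name lookup.
group-policy radius12 attributes
 dns-server value 192.168.1.254
 wins-server value 192.168.1.254
 default-domain value ipswitch.org.uk

! The tunnel-group already points at this policy; repeated here so the link is visible
tunnel-group radius12 general-attributes
 address-pool mediumpool
 default-group-policy radius12

! Check what the policy will push, then have a client disconnect and reconnect
show running-config group-policy radius12
```

                  After the client reconnects, "ipconfig /all" on the Windows PC should list 192.168.1.254 as the DNS server and ipswitch.org.uk as the connection-specific DNS suffix on the VPN adapter; a bare "ping server" that resolves is the confirmation that the suffix is now correct.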


                  • #10
                    Re: Cisco Pix 515e, client dns resolution issue

                    Glad you got it sorted, thanks for letting us know.
                    cheers
                    Andy
