cisco VPN WINS breaks DNS?


  • cisco VPN WINS breaks DNS?

    I have an ASA 5505 with remote access VPN set up. My domain controller is also my DNS and WINS server. I have the firewall set up for split DNS. I cannot resolve anything via IP across the VPN unless I remove the WINS server config, so that the client just gets a DNS server address. Once I remove the DNS entry, everything works fine. The DC/DNS/WINS server is 2k3 SP2, my firewall is running 804-23, and I am using VPN client version 5.

  • #2
    Re: cisco VPN WINS breaks DNS?

    That sounds a bit odd, can you post the relevant bit of the config? (not that I can think of any reason it would affect anything in this way).

    What is the result when it is enabled? Do you get the wrong IP, or does it just fail?
    Does WINS work normally internally from that server?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: cisco VPN WINS breaks DNS?

      DNS just doesn't resolve. I get assigned the correct WINS and DNS server addresses. When I try to ping or resolve any names, it just comes back "cannot find"/"cannot resolve". However, when I remove the WINS assignment from the VPN config on the firewall and reconnect, just getting the DNS server assignment, it works flawlessly. I do not have this problem internally (however, I have had some weird resolution issues). I do need to run WINS for the WebVPN CIFS sharing to work correctly.



      • #4
        Re: cisco VPN WINS breaks DNS?

        Does it say the same if you ping server and if you ping server.domain.com ?
        Are the entries in WINS correct for the servers?
        DCs should only have a single WINS server stipulated. All Exchange servers should be registered in WINS. Do you have static entries in there?
        How big is the network (i.e. does it replicate WINS over a large area)?
        Do DCDiag and NetDiag pass ok?
        cheers
        Andy



        • #5
          Re: cisco VPN WINS breaks DNS?

          Small network. Yes, it responds the same way if I use the FQDN or just the hostname. Just one DNS/WINS server in the network. WINS appears to be set correctly. I would think that even if WINS doesn't have an answer to the query, it would resort to DNS.



          • #6
            Re: cisco VPN WINS breaks DNS?

            There must be something else going on.
            Is there a firewall on your DC?
            Could you post the edited config?
            Maybe also a wireshark trace of the drops etc?
            I'm kinda intrigued as to the answer for this!
            cheers
            Andy



            • #7
              Re: cisco VPN WINS breaks DNS?

              There is no firewall on the DC. Also, even if there were something blocking WINS, why wouldn't it just fall back to DNS for the lookup?



              • #8
                Re: cisco VPN WINS breaks DNS?

                I agree but you could also throw in comments like "I have WINS and DNS setup and don't suffer these problems" so I'm trying to get a broader picture.
                Any thoughts on posting the edited config?

                Have you tried an older version of the client too?
                cheers
                Andy



                • #9
                  Re: cisco VPN WINS breaks DNS?

                  group-policy RAVPN attributes
                  wins-server none
                  dns-server value 192.168.2.25 4.2.2.2
                  split-tunnel-policy tunnelspecified
                  split-tunnel-network-list value SPLIT_TUNNEL
                  default-domain value homedomain.local
                  split-dns value homedomain.local
                  address-pools value vpnpool

                  I changed it to wins-server none when the problem was happening. Before that I had wins-server value 192.168.2.25.



                  • #10
                    Re: cisco VPN WINS breaks DNS?

                    That looks ok, what about the rest of the config though? The ACLs, no nat etc?
                    Have you tried an older client too?
                    cheers
                    Andy



                    • #11
                      Re: cisco VPN WINS breaks DNS?

                      NONAT is set up for traffic going from 192.168.0.0 to 10.0.2.0, and VPN traffic is set to bypass the ACLs.



                      • #12
                        Re: cisco VPN WINS breaks DNS?

                        Without being able to read the config or get Wireshark / syslog reports there isn't really much more I can guess at. It isn't "normal" I know that though!
                        cheers
                        Andy



                        • #13
                          Re: cisco VPN WINS breaks DNS?

                          Honestly, I think I should have posted in the Server 2000/2003 forum. I do not believe this to be an ASA problem. Would it be possible to have this post copied so that it is visible in both forums?



                          • #14
                            Re: cisco VPN WINS breaks DNS?

                            We don't allow duplicated threads. However, we can move threads if needed.
                            However, since you are not providing the requested info (well, actually you are ignoring it), I'm more tempted to close the thread than to move it.
                            Marcel
                            Technical Consultant
                            Netherlands
                            http://www.phetios.com
                            http://blog.nessus.nl

                            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                            "No matter how secure, there is always the human factor."

                            "Enjoy life today, tomorrow may never come."
                            "If you're going through hell, keep going. ~Winston Churchill"



                            • #15
                              Re: cisco VPN WINS breaks DNS?

                              With all due respect, that comment was not called for. I was requesting it moved because we have reached a conclusion that this is likely not a firewall issue, but a MS issue. I did not request the thread closed. I was not "ignoring" the request for the config, but rather trying to focus on the real cause, and did not see it as necessary. I fail to see how asking for a thread to be copied or moved equates to requesting it closed. However, since it appeared to offend someone that I did not post the config, it is below. I have blanked out any public IPs, usernames/passwords, and crypto keys.


                              HOMEDSLASA1# sh run
                              : Saved
                              :
                              ASA Version 8.0(4)23
                              !
                              hostname HOMEDSLASA1
                              domain-name homedomain.local

                              !
                              interface Vlan1
                              nameif inside
                              security-level 100
                              ip address 192.168.1.3 255.255.255.0
                              !
                              interface Vlan2
                              nameif outside
                              security-level 0
                              ip address ********** 255.255.255.248
                              !
                              interface Ethernet0/0
                              !
                              interface Ethernet0/1
                              !
                              interface Ethernet0/2
                              !
                              interface Ethernet0/3
                              !
                              interface Ethernet0/4
                              !
                              interface Ethernet0/5
                              !
                              interface Ethernet0/6
                              !
                              interface Ethernet0/7
                              switchport access vlan 2
                              !
                              boot system disk0:/asa804-23-k8.bin
                              ftp mode passive
                              dns domain-lookup inside
                              dns domain-lookup outside
                              dns server-group DefaultDNS
                              domain-name homedomain.local
                              dns server-group homeDNS
                              name-server 192.168.2.25
                              domain-name homedomain.local
                              access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.0.2.0 255.255.255.0
                              access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.0.1.0 255.255.255.0
                              access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
                              access-list SPLIT_TUNNEL standard permit 192.168.3.0 255.255.255.0
                              access-list SPLIT_TUNNEL standard permit 192.168.6.0 255.255.255.0
                              access-list SPLIT_TUNNEL standard permit 192.168.36.0 255.255.255.0
                              access-list SPLIT_TUNNEL standard permit 192.168.49.0 255.255.255.0
                              access-list inbound extended permit tcp any host ******* eq 3728
                              access-list inbound extended permit tcp any host ******* eq 55749
                              access-list inbound extended permit tcp any host ******* eq smtp
                              access-list inbound extended permit icmp any any echo-reply
                              access-list inbound extended permit icmp any any time-exceeded
                              access-list inbound extended permit tcp any host ****** eq 24
                              pager lines 24
                              logging console debugging
                              mtu inside 1500
                              mtu outside 1500
                              ip local pool vpnpool 10.0.2.100-10.0.2.150 mask 255.255.255.0
                              icmp unreachable rate-limit 1 burst-size 1
                              asdm image disk0:/asdm-61557.bin
                              no asdm history enable
                              arp timeout 14400
                              global (outside) 1 *********
                              nat (inside) 0 access-list NONAT
                              nat (inside) 1 192.168.0.0 255.255.0.0
                              static (inside,outside) tcp ********* 3728 192.168.36.21 3728 netmask 255.255.255.255
                              static (inside,outside) tcp ********* 55749 192.168.36.21 55749 netmask 255.255.255.255
                              static (inside,outside) tcp ********* smtp 192.168.36.32 smtp netmask 255.255.255.255
                              static (inside,outside) tcp ********* 24 192.168.1.2 ssh netmask 255.255.255.255
                              access-group inbound in interface outside
                              route outside 0.0.0.0 0.0.0.0 ******* 1
                              route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
                              timeout xlate 3:00:00
                              timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                              timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                              timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                              timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                              timeout tcp-proxy-reassembly 0:01:00
                              dynamic-access-policy-record DfltAccessPolicy
                              aaa-server homedomainradius protocol radius
                              aaa-server homedomainradius (inside) host 192.168.2.25
                              aaa-server homedomaintacacs protocol tacacs+
                              aaa-server homedomaintacacs (inside) host 192.168.2.13
                              aaa-server homeradius protocol radius
                              aaa authentication ssh console homedomaintacacs LOCAL
                              aaa authentication enable console homedomaintacacs LOCAL
                              http server enable
                              http 192.168.0.0 255.255.255.255 inside
                              http 192.168.0.0 255.255.0.0 inside
                              http 10.0.2.0 255.255.255.0 inside
                              no snmp-server location
                              no snmp-server contact
                              snmp-server enable traps snmp authentication linkup linkdown coldstart
                              crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
                              crypto ipsec security-association lifetime seconds 28800
                              crypto ipsec security-association lifetime kilobytes 4608000
                              crypto dynamic-map dynmap 5000 set transform-set myset
                              crypto map dynmap 5000 ipsec-isakmp dynamic dynmap
                              crypto map dynmap interface outside
                              crypto isakmp enable outside
                              crypto isakmp policy 5000
                              authentication pre-share
                              encryption aes-256
                              hash sha
                              group 2
                              lifetime 86400
                              telnet timeout 5
                              ssh 192.168.0.0 255.255.0.0 inside
                              ssh 10.0.2.0 255.255.255.0 inside
                              ssh 0.0.0.0 0.0.0.0 outside
                              ssh timeout 5
                              ssh version 2
                              console timeout 0
                              management-access inside
                              threat-detection basic-threat
                              threat-detection statistics access-list
                              no threat-detection statistics tcp-intercept
                              webvpn
                              enable outside
                              svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
                              svc enable
                              tunnel-group-list enable
                              group-policy DfltGrpPolicy attributes
                              vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
                              group-policy RAVPN internal
                              group-policy RAVPN attributes
                              wins-server none
                              dns-server value 192.168.2.25 4.2.2.2
                              split-tunnel-policy tunnelspecified
                              split-tunnel-network-list value SPLIT_TUNNEL
                              default-domain value homedomain.local
                              split-dns value homedomain.local
                              address-pools value vpnpool
                              webvpn
                              hidden-shares visible
                              file-entry enable
                              file-browsing enable
                              url-entry enable
                              auto-signon allow ip 192.168.2.0 255.255.255.0 auth-type all
                              auto-signon allow ip 192.168.6.0 255.255.255.0 auth-type all
                              auto-signon allow ip 192.168.36.0 255.255.255.0 auth-type all
                              vpn-group-policy RAVPN
                              tunnel-group RAVPN type remote-access
                              tunnel-group RAVPN general-attributes
                              authentication-server-group homedomainradius
                              tunnel-group RAVPN webvpn-attributes
                              nbns-server 192.168.2.25 timeout 2 retry 2
                              group-alias homedomain enable
                              group-url ******* enable
                              dns-group homeDNS
                              tunnel-group RAVPN ipsec-attributes
                              pre-shared-key *
                              !
                              class-map inspection_default
                              match default-inspection-traffic
                              !
                              !
                              policy-map type inspect dns preset_dns_map
                              parameters
                              message-length maximum 512
                              policy-map global_policy
                              class inspection_default
                              inspect dns preset_dns_map
                              inspect ftp
                              inspect h323 h225
                              inspect h323 ras
                              inspect netbios
                              inspect rsh
                              inspect rtsp
                              inspect skinny
                              inspect esmtp
                              inspect sqlnet
                              inspect sunrpc
                              inspect tftp
                              inspect sip
                              inspect xdmcp
                              !
                              service-policy global_policy global
                              prompt hostname context


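Two of the things Andy asked about (the split-tunnel ACL and the nonat rule) can be checked mechanically against the posted config. The following Python is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the configuration above and verifies that every DNS/WINS server pushed by group-policy RAVPN lies inside a SPLIT_TUNNEL network (otherwise the client queries it over its local interface, not the tunnel) and that the whole vpnpool is a NONAT destination.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in this thread, trimmed to the
# lines that matter for split-tunnel name resolution (sample input, not live data).
ASA_CONFIG = """
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.0.2.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.3.0 255.255.255.0
ip local pool vpnpool 10.0.2.100-10.0.2.150 mask 255.255.255.0
nat (inside) 0 access-list NONAT
group-policy RAVPN attributes
 wins-server value 192.168.2.25
 dns-server value 192.168.2.25 4.2.2.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 split-dns value homedomain.local
 address-pools value vpnpool
"""


def parse_config(text):
    """Pull out standard ACLs, NONAT destinations, address pools and group-policy values."""
    cfg = {"std_acls": {}, "nonat_dst": [], "pools": {}, "policy": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["std_acls"].setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        # NONAT is the ACL bound by "nat (inside) 0 access-list NONAT" in the posted config.
        elif m := re.match(r"access-list NONAT extended permit ip \S+ \S+ (\S+) (\S+)$", line):
            cfg["nonat_dst"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"(wins-server|dns-server|split-tunnel-network-list|address-pools) value (.+)$", line):
            cfg["policy"][m[1]] = m[2].split()
    return cfg


def check_name_servers(text):
    """Map each pushed DNS/WINS server to True if it lies inside a split-tunnelled network.
    A server outside every SPLIT_TUNNEL entry is reached via the client's local interface."""
    cfg = parse_config(text)
    acl_name = cfg["policy"].get("split-tunnel-network-list", [""])[0]
    tunnelled = cfg["std_acls"].get(acl_name, [])
    servers = cfg["policy"].get("dns-server", []) + cfg["policy"].get("wins-server", [])
    return {s: any(ipaddress.ip_address(s) in net for net in tunnelled) for s in servers}


def check_nonat(text):
    """True when the entire VPN pool is a NONAT destination, so replies to clients are untranslated."""
    cfg = parse_config(text)
    first, last = cfg["pools"][cfg["policy"]["address-pools"][0]]
    return any(first in net and last in net for net in cfg["nonat_dst"])


if __name__ == "__main__":
    for server, via_tunnel in check_name_servers(ASA_CONFIG).items():
        print(f"{server}: {'via tunnel' if via_tunnel else 'via local interface'}")
    print("vpnpool exempt from NAT:", check_nonat(ASA_CONFIG))
```

For the posted config the internal server 192.168.2.25 is tunnelled and the pool is NAT-exempt, so neither of these explains the failure; 4.2.2.2 is reported as reached directly, which is expected for a public resolver.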