This topic contains 9 replies, has 3 voices, and was last updated by Anonymous 1 year, 10 months ago.
April 13, 2017 at 9:17 am #166964
I may have the topic wrong, not sure the right word to describe what I’m trying to do.
I have a site to site vpn set up in which computers on 1 side can ping server ip address on other side. But i need to be able to ping hostname of the server, and the only way i can do it is if I edit the host file on the computers. Is there something i can add in a cisco configuration to eliminate editing the host file. I was reading on Mapping Hostnames to IP Addresses, but I’m not sure if that’s the right thing. It has a step of entering in a port #.
I have cisco 1941, ASA 5510, ASA 5515. If there is a way, and someone could show me how to do, or lead me in the right direction on 1 of these, i should be able to figure out the others.
Also, i have a Cisco on one side, and Sophos UTM 320 on other. Would i have to do on both sides? Sophos on computer side. Hope not, cause then i’d have to figure out the Sophos.
ThanksApril 14, 2017 at 2:04 am #245623
Are both sides on the same company network? i.e. same company for both sides of the tunnel?
If it were my network i’d be looking at using DNS to accomplish this. We have many, many sites and i can ping any host in any site and all i require is DNS configured properly.
Site 1 and Site 2 should in essence, if they are the same company, have a DNS server on each side.
A bit more about your setup would help us.April 17, 2017 at 8:52 am #363134
yes, i have 1 dns server on 1 side(Server Side), if i static the ipv4 dns on the computers to point to my dns server it works, problem is, most computers are laptops, when employees take them home , the alternative dns server…google, comcast, wont always take over, will still look for my dns server.
Not great at understanding DNS, but if i set up a DNS server on the computer side, set up a forwarding address of the ip address of the server i’m trying to resolve, even though it lives on the other side, would that be configuring it correctly?
i have my cisco 1921 dns on the compuer side, set up to point to my dns server, but that doesn’t work. Was hoping there was something i could do in cisco.
AnonymousApril 17, 2017 at 12:10 pm #372039
How do you handle host addresses on the ‘computer side’? If there’s DHCP working, that address lease should include a DNS server address. Cisco devices routinely include the ability to issue addresses, so as long as that’s configured correctly, and the tunnel is up between sites, you should be fine. For those devices that travel, when they’re not connected to your system, they should be getting DNS from wherever they’re getting their addresses from at that point in time.
If you’re using manual IPs assigned to clients on the computer side, how do they deal with not being connected when they’re away?April 17, 2017 at 6:08 pm #245626
As with Rickles you will need a DHCP server setup so that your clients can receive an IP address and then the DNS server IP address, this can be across a VPN tunnel.
Your clients won’t work from home unless you are connected to a VPN and able to get a DNS address from that, remember your internal addresses are not visible on the internet.April 18, 2017 at 7:20 am #363135RicklesP;n510275 wrote:How do you handle host addresses on the ‘computer side’? If there’s DHCP working, that address lease should include a DNS server address. Cisco devices routinely include the ability to issue addresses, so as long as that’s configured correctly, and the tunnel is up between sites, you should be fine.
I have my DNS server address in the DHCP config, but for some reason it doesn’t work, I assumed that was all i needed to do. This particular site to site has been up for several years, but i haven’t been in a position where i had to rely on a hostname.
We got a new software company for one of our programs in which i had to set up on about 75 computers. I had to set up a fax server, (This was the server you were helping me with earlier with the RAID issue…(Thanks again for your help!!!)) and they programmed their side to look for the hostname of the fax server, so each one of these computers needs to be able to ping the hostname.RicklesP;n510275 wrote:If you’re using manual IPs assigned to clients on the computer side, how do they deal with not being connected when they’re away?
I used to, DNS only, but I’ve had several phone calls that people couldn’t get on the internet, and it was the dns, so i did away with static’ing the laptops.wullieb1;n510276 wrote:Your clients won’t work from home unless you are connected to a VPN and able to get a DNS address from that, remember your internal addresses are not visible on the internet.
yea, I use Cisco Client, and Anyconnect, i get my DNS server ip, but i still have to enter the ip and hostname in the hostname file, for it to ping.
Now when you guys mention DHCP SERVER, that makes me think of windows server Role- DHCP, or are you referring to the cisco router as being the server?
AnonymousApril 18, 2017 at 12:44 pm #372040
As long as you have something which controls DHCP on your network, it doesn’t really matter whether it’s a role on a Windows server or an available function turned on in a piece of networking kit (like an ASA). Since that’s the first thing a client needs, that should work, always. And DHCP leases can contain a lot of different information if needed, but the most basic is A) the client IP address being offered, and B) the DNS address(s). You described DNS server ip given by some DHCP service but you still need to use a host file entry. That tells us your DNS info isn’t working, or at least isn’t contactable by the clients.
What happens when you ping the DNS ip from a client computer? Not the DNS server name, but the ip itself? If it doesn’t answer that, you have deeper issues. If the DNS server is up, and the services are all running and Active Directory is working OK where the servers are but not for the clients, your existing site-to-site config needs work. Best practice as has been mentioned before is to have DNS served at each site (maybe with DHCP and a DC?), just for situations like this.
You’d mentioned before about the kit at each end of your site-to-site: your traffic rules should allow port 53 UDP and TCP to ensure your server-side DNS is contactable from your clients. If the DNS server ping test I described works but pings to names don’t unless you have a hosts entry, then your tunnel is almost certainly the problem.April 20, 2017 at 11:23 am #363136
Had my first grandson yesterday, wasn’t able to read post till this morning. Thanks for the explination!!!I I’ve always meant to ask that question, but keep forgetting. I can ping the ip address…… Ok, thanks for the info!!! I’ll check the ports and do some more troubleshooting.April 20, 2017 at 6:35 pm #245635Kobe 310;n510310 wrote:Had my first grandson yesterday.
Many congratulations. Its a great feeling isn’t it.
You must be logged in to reply to this topic.