DNS Issue over Site-Site VPN Tunnel.

Hi,

Have a problem with DNS requests over an IPsec site-site VPN using a Cisco 837 at either end. We can ping the DNS server IP address at the remote end of the tunnel but cannot ping the server name or join the domain, etc. We can browse the server using the IP address without any issue. Configs below.

!This is the running config of the router: Remote Router
!----------------------------------------------------------------------------
!version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$UeOB$18cSXwZSBc6vkttEgbFGP0
!
username CRWS_dheeraj privilege 15 password 7 03400A4F315E276D0A06480A24371B0D50727E7C796B637340
username CRWS_Ritesh privilege 15 password 7 100A585D3246142A480B7B24170D23347342504257530F0C080A
username CRWS_Vijay privilege 15 password 7 125D5453255A0A256E2475270010321256465654000E0D000D5C
username CRWS_Shashi privilege 15 password 7 06425E657B1F0F38411843043F213A2A7C7162657043564756
username CRWS_Bijoy privilege 15 password 7 09081F4D2E5411334F0355251801383264774051405254050909
username CRWS_Gayatri privilege 15 password 7 1453434F3B552C0A6027623A11361717525302080E010C5E57
username CRWS_Sangeetha privilege 15 password 7 1453434F3B552C0A6027623A113617175151070F080A0D5C5548
username CRWS_Prem privilege 15 password 7 0242551F3C570900084158163632020A5D5C7373767A62627741
username CRWS_Jaidil privilege 15 password 7 015757406C5A002E65431F062A2007135A5F567E7C7571626C7A
username CRWS_Giri privilege 15 password 7 114D484120430D2D40257A2B1B162523425040515205010B040D
username Router password 7 06211D7542495A2E554716
no aaa new-model
ip subnet-zero
ip name-server 192.168.20.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.3
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 xxxxxxxxx address 80.68.39.234
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to80.68.39.234
 set peer 80.68.39.234
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.20.254-255.255.255.0$ETH-LAN$
 ip address 192.168.20.254 255.255.255.0
 ip access-group 122 out
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address 80.68.42.226 255.255.255.240
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname snipped-for-privacy@datadsl.co.uk
 ppp chap password 7 040952535A20191B08
 ppp pap sent-username snipped-for-privacy@datadsl.co.uk password 7 124B5C42470A59512B
 crypto map SDM_CMAP_1
!
ip nat inside source static udp 192.168.20.3 47 interface Dialer1 47
ip nat inside source static tcp 192.168.20.3 47 interface Dialer1 47
ip nat inside source static tcp 192.168.20.3 3101 interface Dialer1 3101
ip nat inside source static tcp 192.168.20.3 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.20.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.20.1 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.20.3 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.20.1 1433 interface Dialer1 1433
ip nat inside source static udp 192.168.20.1 1433 interface Dialer1 1433
ip nat inside source static tcp 192.168.20.1 50 interface Dialer1 50
ip nat inside source static udp 192.168.20.1 50 interface Dialer1 50
ip nat inside source static tcp 192.168.20.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.20.1 110 interface Dialer1 110
ip nat inside source static tcp 192.168.20.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255 log
access-list 102 remark SDM_ACL Category=18
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255 log
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq 50
access-list 111 permit tcp any any eq 50
access-list 111 permit udp any any eq 1433
access-list 111 permit tcp any any eq 1433
access-list 111 permit udp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3101
access-list 111 permit tcp any any eq 47
access-list 111 permit udp any any eq 47
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

!This is the running config of the router: Local Router
!----------------------------------------------------------------------------
!version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username chris privilege 15 secret 5 $1$jpZi$tKjkGHLhqtyY.TnMR/1f91
username robin privilege 15 secret 5 $1$O0tV$BiT9JZDMLXrGKmDl5DQap0
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.254
!
ip dhcp pool CLIENT
 import all
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.254
 dns-server 192.168.50.254 80.68.34.6
 lease 0 2
!
!
ip name-server 80.68.34.6
ip name-server 80.68.34.8
ip name-server 192.168.20.1
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 80.68.42.226
!
!
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
 ! Incomplete
 description Tunnel to80.68.42.226
 set peer 80.68.42.226
 set transform-set ESP-3DES-SHA2
 match address 103
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to80.68.42.226
 set peer 80.68.42.226
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface Ethernet0
 description $ETH-LAN$
 ip address 192.168.50.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1412
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address 80.68.39.234 255.255.255.240
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname snipped-for-privacy@datadsl.co.uk
 ppp chap password 7 10160C18034610580D
 ppp pap sent-username snipped-for-privacy@datadsl.co.uk password 7 135D12130D5D06792A
 crypto map SDM_CMAP_2
 crypto ipsec df-bit clear
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 80.68.39.224 0.0.0.15 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Knutts