DNS question with VPN

Hi,

On a 1721 router I have the following issue:

After establishing a VPN connection (from an XP machine, using Cisco VPN client v4.0), some of the host names on the network (single domain, AD-integrated DNS zones, 2 DNS servers) return the LAN IP address (192.168.x.x), while some of them - on the same LAN - return an external IP address (67.x.x.x).

From an XP, connected with VPN to remote LAN:

    ping server1
    192.168.180.xxx

    ping server2
    67.x.x.x

The VPN setup looks like this:

    !
    crypto isakmp client configuration group access
     key Password_Here
     dns 192.168.180.14
     wins 192.168.180.14
     domain mydomain.com
     pool ippool
     acl 100
    !

Hosts listed below in the router config will respond with 67.x.x.x IP, while hosts not listed here respond with 192.168.180.x IP address.

    !
    ip nat inside source route-map NAT interface Ethernet0 overload
    ip nat inside source static 192.168.180.9 67.x.x.3 extendable
    ip nat inside source static 192.168.180.16 67.x.x.4 extendable
    ip nat inside source static 192.168.180.12 67.x.x.5 extendable
    ip nat inside source static 192.168.180.11 67.x.x.7 extendable
    ip nat inside source static 192.168.180.106 67.x.x.8 extendable
    ip nat inside source static 192.168.180.29 67.x.x.9 extendable
    !
    ...

I believe this started to happen after deploying a second DNS server; previously all hosts responded with 192.168.180.x IP addresses.

Thank you for any help.

Regards, Nick

random.nick

Hi Walter,

Thank you very much for your reply.

The 2 DNS servers are on the same LAN "inside".

Yes, that's the original VPN configuration, with the first DNS server, I have not added the new, 2nd DNS server yet.

The first DNS server has not been modified, either.

No, all the DNS servers are inside. The host names exist only with LAN IP addresses (foo.domain.com = 192.168.180.x); they were never intended to be visible with a public IP address.

Again, thank you for your kind reply.

Regards, Art

random.nick

In article , wrote:

:On a 1721 router I have the following issue:
:
:After establishing VPN connection (with an XP, using Cisco VPN client
:v.4.0) some of the host names on the network (single domain,
:AD-Integrated DNS zones, 2 DNS servers) return the LAN IP address
:(192.168.x.x), while some of them - on the same LAN - return an
:external IP address (67.x.x.x).

Are the two DNS servers on the same LAN, or is one perhaps on the outside?

:crypto isakmp client configuration group access
: key Password_Here
: dns 192.168.180.14
: wins 192.168.180.14

I notice you only specify one of the two DNS servers here?

:Hosts listed below in the router config will respond with 67.x.x.x IP,
:while hosts not listed here respond with 192.168.180.x IP address.

:ip nat inside source static 192.168.180.106 67.x.x.8 extendable

At a guess -- the other DNS server is "outside" and has been configured with the 67.x.x.* IPs. If so, then you want to enable automatic DNS translation on the reply packets coming back from it. I do not know how you specify that under IOS; on the PIX, it would be a matter of adding a 'dns' keyword to the static command.

Walter Roberson

I had a similar problem to yours and solved it. The problem was that packets destined for your VPN clients' address space (in your case, the range from the IP pool 'ippool') were getting NATed when they shouldn't be, so exclude all packets destined for the 'ippool' range from NAT.

The only problem that I see in your situation is that you have DNS servers translated with static NAT entries... IOS routers (12.3 or later, I think) use something called an ALG (application layer gateway) and translate the DNS payload of packets (queries and responses), since this might be useful in a NAT overlap config. This is enabled by default and I don't know how to get rid of it. So I simply got a new DNS server, which I placed in my DMZ, and this one resolves my public (Internet) DNS zone...

But try modifying the NAT config as I explained at the beginning of my post, and if it doesn't work, temporarily clear the static NAT config, if possible, to see if this caused your problem... Let me know the results...

B.R. Igor

Igor Mamuzic
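The NAT exclusion Igor describes, written out as an added example (not configuration from the original thread): the route-map behind the dynamic NAT statement gets an ACL that first denies LAN traffic destined for the VPN client pool, so replies to VPN clients, DNS answers included, leave the router untranslated and unrewritten by the DNS ALG. The pool range 192.168.190.0/24 and ACL number 110 are assumptions; the names `ippool`, `NAT` and `Ethernet0` are taken from the original post.

```cisco
! Added example, not from the original thread.
! Assumption: VPN clients draw addresses from 192.168.190.0/24 and ACL 110 is unused.
ip local pool ippool 192.168.190.1 192.168.190.254
!
! Before (as posted): any LAN source matching the route-map is translated,
! including packets whose destination is a VPN client, so the DNS ALG
! rewrites 192.168.180.x answers to the 67.x.x.x static mappings.
!   ip nat inside source route-map NAT interface Ethernet0 overload
!
! After: deny LAN -> pool first, then permit everything else for overload NAT.
access-list 110 remark do-not-NAT traffic to VPN client pool
access-list 110 deny   ip 192.168.180.0 0.0.0.255 192.168.190.0 0.0.0.255
access-list 110 permit ip 192.168.180.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address 110
!
ip nat inside source route-map NAT interface Ethernet0 overload
!
! The static entries in the original post are matched before the route-map,
! so for hosts with a static mapping the DNS payload rewrite can remain.
! Assumption: on releases that offer it, the DNS ALG can be disabled with
! "no ip nat service alg udp dns"; confirm availability with "ip nat service ?".
!
! Checks after the change (exec commands, not configuration):
!   show ip nat translations    ! expect no entries whose destination is 192.168.190.x
!   show ip nat statistics      ! route-map NAT should reference access-list 110
```

From a VPN client, repeat the two pings from the original post; a host with no static entry must now answer with its 192.168.180.x address, and a host with a static entry shows whether the ALG is still rewriting the answer.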
