PIX VPN DNS Queries Failing

I'm new to this group and new to PIX (so be gentle). I've had a pretty thorough look through the posts and done as much homework as I can but I'm stuck. Any help or suggestions would be welcomed.

We have a PIX 525 running 6.3(4) with user VPN 4.6 clients connecting to the outside interface. DNS queries from the client side are unable to resolve. If I run 'nslookup host' the client queries locally configured DNS first and eventually hits the correct DNS on the PIX, but the query fails (*** Can't find server name for address : Non-existent domain). If I run 'nslookup' as a console and explicitly set the server to 10.1.1.252, the query works fine. Access to all addresses and ports in the config behaves as expected.

The VPN is set up to allow only DNS queries to 2 internal DNS servers and 3389 to a Terminal Server. The VPN address pool is 10.1.1.1 - 10.1.1.250. The TS and DNS servers each have a NAT with matching access lists for 10.1.1.251, .252 and .253 respectively.

We chose this approach to lock down access to the machines. Everything works fine if we use NAT exemption, but that does not allow us to lock down the tcp ports. We don't want to use policy NAT because it is not supported by the PDM.

The VPN points the client to 10.1.1.252 and .253 as primary and secondary DNS hosts. The DNS servers are configured with a zone specifically for the user VPN (depicted in the config as corp.vpn). The DNS queries append the correct domain name. The IP stack has the correct routing table and the zone is listed at the top of the DNS suffix search list on the client side.

I can't figure out if this is a VPN client issue, a PIX config issue or a DNS config issue, and I don't know if the approach is flawed or I'm just missing something simple.

Here is a partial dump of the config (modified for security):

: Saved
: Written by enable_15 at 17:58:03.443 UTC Sat Dec 1 2007
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 other security80
fixup protocol dns
access-list acl_uservpn permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.251 eq 3389
access-list acl_uservpn permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.252 eq domain
access-list acl_uservpn permit udp 10.1.1.0 255.255.255.0 host 10.1.1.252 eq domain
access-list acl_uservpn permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.253 eq domain
access-list acl_uservpn permit udp 10.1.1.0 255.255.255.0 host 10.1.1.253 eq domain
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.0
mtu outside 1500
mtu inside 1500
mtu other 1500
ip local pool vpnpool1 10.1.1.1-10.1.1.250
static (inside,outside) tcp 10.1.1.251 3389 192.168.1.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.1.1.252 domain 192.168.1.2 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 10.1.1.252 domain 192.168.1.2 domain netmask 255.255.255.255 0 0
static (other,outside) tcp 10.1.1.253 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
static (other,outside) udp 10.1.1.253 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup group_name address-pool vpnpool1
vpngroup group_name dns-server 10.1.1.252 10.1.1.253
vpngroup group_name default-domain corp.vpn
vpngroup group_name idle-time 1800
vpngroup group_name password ********

VPN Client = 4.6.01.0019 OS = WinXP SP2

tw
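As an added example (not code from the thread or from Cisco), here is a small Python audit of the DNS-related lines of the posted config: it checks that each dns-server the vpngroup pushes has a 53/udp and 53/tcp static plus a matching permit from the pool, and lists the in-addr.arpa names nslookup will look up for those servers. The config excerpt is reproduced from the post; the /24 pool is an assumption taken from the ACL source.

```python
import ipaddress
import re

# Constructed excerpt: the DNS-relevant lines of the PIX 6.3(4) config posted above.
PIX_CONFIG = """
access-list acl_uservpn permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.251 eq 3389
access-list acl_uservpn permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.252 eq domain
access-list acl_uservpn permit udp 10.1.1.0 255.255.255.0 host 10.1.1.252 eq domain
access-list acl_uservpn permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.253 eq domain
access-list acl_uservpn permit udp 10.1.1.0 255.255.255.0 host 10.1.1.253 eq domain
static (inside,outside) tcp 10.1.1.252 domain 192.168.1.2 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 10.1.1.252 domain 192.168.1.2 domain netmask 255.255.255.255 0 0
static (other,outside) tcp 10.1.1.253 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
static (other,outside) udp 10.1.1.253 domain 192.168.1.3 domain netmask 255.255.255.255 0 0
vpngroup group_name dns-server 10.1.1.252 10.1.1.253
"""

ACE = re.compile(r"^access-list \S+ permit (tcp|udp) (\S+) (\S+) host (\S+) eq (\S+)$")
STATIC = re.compile(r"^static \(\S+,\S+\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
DNS_SERVERS = re.compile(r"^vpngroup \S+ dns-server (.+)$")

def audit_vpn_dns(config, vpn_pool="10.1.1.0/24"):
    """Audit the DNS servers pushed to VPN clients: each needs a 53/udp and 53/tcp
    static plus a permitting ACE from the pool, and nslookup will also want a
    PTR for it. vpn_pool is assumed from the ACL source. Returns (report, ptrs)."""
    pool = ipaddress.ip_network(vpn_pool)
    permits, statics, servers = set(), set(), []
    for line in config.strip().splitlines():
        if m := ACE.match(line):
            if m[5] == "domain" and ipaddress.ip_network(f"{m[2]}/{m[3]}") == pool:
                permits.add((m[1], m[4]))          # (proto, mapped DNS address)
        elif m := STATIC.match(line):
            if m[3] == "domain":
                statics.add((m[1], m[2]))          # (proto, mapped DNS address)
        elif m := DNS_SERVERS.match(line):
            servers = m[1].split()
    report = {}
    for srv in servers:
        problems = []
        for proto in ("udp", "tcp"):
            if (proto, srv) not in statics:
                problems.append(f"no {proto} domain static for {srv}")
            if (proto, srv) not in permits:
                problems.append(f"no {proto} domain permit for {srv}")
        report[srv] = problems
    # nslookup reverse-resolves its server address first; without this PTR it
    # reports "Can't find server name for address", the symptom in the thread.
    ptr_names = [ipaddress.ip_address(s).reverse_pointer for s in servers]
    return report, ptr_names
```

For the config as posted the report is empty for both servers, so the only remaining item is the PTR record the zone must carry for each server address.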

I found the problem. There is no PTR record for the DNS. DNS queries work just fine, but not the NSLOOKUP command as it requires a PTR. Sorry for the false alarm.

Cheers, Tom

