[c-nsp] ASA VPN DNS Problem --- Sorry if this is a repeat (I didn't see it in the digest)

Butts, Daniel dbutts at fcg.com
Mon Jul 2 23:36:54 EDT 2007


I have configured my ASA5510 for remote access VPN and everything works fine, but the client doesn't get the internal DNS servers and therefore cannot ping, etc. but hostname.

I am using the 4.6.02.0011 client and the ASA config is as follows:

...
interface Ethernet0/1
nameif dsl1
security-level 0
ip address ***** 255.255.255.248
...
interface Ethernet0/3
nameif secure_lan
security-level 100
ip address 10.1.2.254 255.255.255.0
...
dns timeout 30
dns domain-lookup secure_lan
dns name-server 10.1.1.11
access-list dsl1_to_lan extended permit icmp any any echo-reply
access-list dsl1_to_lan extended permit icmp any any time-exceeded
access-list dsl1_to_lan extended permit icmp any any unreachable
access-list ballard_to_vietnam extended permit ip 10.1.0.0 255.255.0.0 172.16.51.0 255.255.255.192
access-list inside_nat0_outside extended permit ip 10.1.0.0 255.255.0.0 172.16.51.0 255.255.255.192
access-list inside_nat0_outside extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outside extended permit ip 10.1.2.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outside extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outside extended permit ip 10.68.150.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outside extended permit ip 192.168.252.0 255.255.255.240 10.1.10.0 255.255.255.0
...
ip local pool vpnclient 10.1.10.10-10.1.10.50
...
global (dsl1) 1 63.226.226.140 netmask 255.255.255.248
nat (secure_lan) 0 access-list inside_nat0_outside
nat (secure_lan) 1 0.0.0.0 0.0.0.0
access-group dsl1_to_lan in interface dsl1
route dsl1 0.0.0.0 0.0.0.0 63.226.226.142 1
route secure_lan 192.168.252.0 255.255.255.0 10.1.2.1 1
route secure_lan 10.68.150.0 255.255.255.0 10.1.2.1 1
route secure_lan 10.1.4.0 255.255.255.0 10.1.2.1 1
route secure_lan 10.1.3.0 255.255.255.0 10.1.2.1 1
route secure_lan 10.1.1.0 255.255.255.0 10.1.2.1 1
...
aaa-server vpn protocol radius
aaa-server vpn (secure_lan) host 10.1.1.11
key *
group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 10.1.1.11
wins-server value 10.1.1.11
vpn-tunnel-protocol IPSec 
default-domain value gw
webvpn
...
http server enable
http 10.1.1.0 255.255.255.0 secure_lan
http 10.1.10.0 255.255.255.0 secure_lan
...
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set VPN-SET
crypto dynamic-map dynmap 10 set reverse-route
crypto map vietnam_map 20 match address ballard_to_vietnam
crypto map vietnam_map 20 set peer *****
crypto map vietnam_map 20 set transform-set ESP-3DES-MD5
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface dsl1
isakmp enable dsl1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 222.255.70.60 type ipsec-l2l
tunnel-group 222.255.70.60 ipsec-attributes
pre-shared-key *
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool vpnclient
authentication-server-group vpn
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
...
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
inspect pptp
!
service-policy global_policy global

I am able to get everywhere, just no DNS. Any help would be appreciated. Thanks

This email may contain material that is confidential, privileged, and/or attorney work product for the sole use of the intended recipient.  Any review, reliance, or distribution by others or forwarding without express permission is strictly prohibited.  If you are not the intended recipient, please contact the sender and delete all copies.


More information about the cisco-nsp mailing list