Iamagrump
asked on
Can't ping DNS names through a PIX 506E VPN
HELP!!!!!
I have just set up a simple VPN through a PIX 506E and I am able to connect and ping by IP but not by DNS names, which I need to be able to do for the Exchange server and an Access database.... HELP!!!!!
Thanks
Elizabeth
ASKER
Alan,
The DNS is pointed to the internal DNS server through the PIX VPN setup. I can ping by IP, and when I try to ping the FQDN it comes back with the external IP of the mail server but still won't ping.
Elizabeth
Hi,
The DNS should be resolving to the internal mail server address. I suspect that either your internal DNS is handing out the external mail address or your PC is asking an external DNS server.
It is also possible that the external address has been cached on the PC. If so, or if not sure, do an IPCONFIG /FLUSHDNS from a command prompt and try the ping again.
Alan
ASKER
I did a flushdns just to check. Doing the ipconfig /all when reading the VPN connector shows the internal DNS server. I think there is a configuration issue with the PIX and VPN setup. Someone suggested doing an ip helper-address command, but I don't think the PIX 506E supports that.
Thanks
E
When you do an ipconfig /all, where is the physical connector's DNS pointing?
ASKER
My wireless is pointing to the DNS servers of my ISP.
Post a sanitized configuration of your PIX?
Cheers,
Rajesh
Betcha a nickel it will work: if you change the primary DNS setting on your wireless connector to your internal DNS server it will fix it, but leave the secondary as an external DNS server for when the VPN is not connected....
Yes it would, that is exactly what happens when you provide a dns server through vpn configuration.
When you are connected through VPN, the internal DNS server should always be queried first, and only if that fails the external DNS. But if we were to hardcode that, the author would have to do it for all of the VPN users.
So there is probably a problem in the VPN configuration; if we find that out, it should solve all the problems.
Cheers,
Rajesh
ASKER
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mo42DDJaOb4c0.th encrypted
passwd Hhaverford2006!! encrypted
hostname HaverfordPix
domain-name ehaverford.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.1.160 Sales_Profiler
name 192.168.1.111 Exchange
name 192.168.1.104 Hhfile1
name 192.168.1.150 Newstar
name 209.171.43.27 Hacker
name 192.168.1.254 Router
name 216.36.122.94 router
object-group service GroupChatServicesTCP tcp
port-object eq 5100
port-object eq aol
port-object range 5000 5001
port-object eq 5050
port-object eq 1863
port-object eq irc
port-object range 6665 6669
object-group service GroupMailandWeb tcp
port-object eq www
port-object eq pop3
port-object eq https
port-object eq smtp
port-object eq imap4
object-group service GroupMailOnly tcp
port-object eq pop3
port-object eq smtp
port-object eq imap4
port-object eq 993
object-group service GroupWebOnly tcp
port-object eq www
port-object eq https
object-group service FullExchangeTCP tcp
port-object range 3397 3399
port-object range 1071 1072
port-object range 135 netbios-ssn
object-group service Games tcp
port-object range 28800 29000
port-object eq 11999
object-group service RealWan tcp
port-object eq telnet
port-object eq ssh
port-object eq ftp-data
port-object eq sqlnet
port-object eq domain
port-object eq whois
port-object eq ftp
object-group service SQL tcp
port-object eq 1433
object-group service StreaminVideoTCP tcp
port-object eq 7070
port-object eq 18888
port-object eq 1755
port-object eq 554
port-object eq 7000
object-group service TerminalServices tcp
port-object eq 3389
object-group service VNCandRadmin tcp
port-object eq 3389
port-object eq 4899
object-group service WebOnly tcp
port-object eq www
port-object eq https
object-group service OutboundTCP tcp
group-object WebOnly
group-object RealWan
group-object GroupChatServicesTCP
group-object TerminalServices
group-object VNCandRadmin
group-object Games
group-object SQL
group-object StreaminVideoTCP
group-object GroupMailOnly
port-object eq 3101
object-group service AllowableOutboundUDPServices udp
port-object eq tftp
port-object eq domain
port-object eq 1604
port-object eq ntp
object-group service ChatServicesUDP udp
port-object range 5000 5010
port-object range 5190 5193
port-object eq 4000
object-group service FullExchangeUDP udp
port-object range 135 139
object-group service GamesUDP udp
port-object range 28800 29000
port-object eq 39123
object-group service StreaminVideoUDP udp
description 6970
port-object range 6970 7170
port-object eq 1755
port-object eq 1558
object-group service UDPOutbound udp
group-object ChatServicesUDP
group-object StreaminVideoUDP
group-object GamesUDP
port-object eq tftp
port-object eq ntp
object-group network VNCServers
network-object 192.168.1.150 255.255.255.255
network-object 192.168.1.160 255.255.255.255
object-group network TerminalServers
network-object 192.168.1.150 255.255.255.255
network-object 192.168.1.160 255.255.255.255
network-object 192.168.1.104 255.255.255.255
object-group network MailServers
network-object 192.168.1.111 255.255.255.255
access-list inside_access_in permit icmp any any
access-list inside_access_in deny tcp any host 209.171.43.27
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit tcp any any
access-list inside_access_in permit tcp any any object-group WebOnly
access-list inside_access_in permit tcp any object-group OutboundTCP any
access-list inside_access_in permit udp any object-group UDPOutbound any
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq www
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq https
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq imap4
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq pop3
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx object-group GroupMailandWeb
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq 3389
access-list outside_access_in permit tcp any host xx.xx.xxx.xxx eq 3391
access-list capture permit udp any any eq domain
access-list outbound permit ip any any
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn3000 permit icmp any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 10
icmp permit any outside
mtu outside 1500
mtu inside 1250
ip address outside xx.xx.xxx.xxx 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool1 172.16.1.1-172.16.1.254
pdm location 192.168.1.104 255.255.255.255 inside
pdm location 192.168.1.111 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.160 255.255.255.255 inside
pdm location 209.171.43.27 255.255.255.255 outside
pdm location 192.168.1.254 255.255.255.255 inside
pdm location xxx.xx.xxx.xxx 255.255.255.255 outside
pdm location xx.xx.xxx.xxx 255.255.255.255 outside
pdm group VNCServers inside
pdm group TerminalServers inside
pdm group MailServers inside
pdm logging informational 100
pdm history enable
arp timeout 300
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.111 69.33.22.195 255.255.255.255
alias (inside) 192.168.1.104 69.33.22.196 255.255.255.255
alias (inside) 192.168.1.150 69.33.22.197 255.255.255.255
static (inside,outside) xx.xxx.xxx.xxx 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.xxx 192.168.1.104 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.xxx 192.168.1.150 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool1
vpngroup vpn3000 dns-server 192.168.1.104
vpngroup vpn3000 wins-server 192.168.1.104
vpngroup vpn3000 default-domain ehaverford.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.104 255.255.255.255 inside
telnet 192.168.1.111 255.255.255.255 inside
telnet 192.168.1.150 255.255.255.255 inside
telnet 192.168.1.160 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd dns 192.168.1.104 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ehaverford.com
dhcpd enable inside
username haverford_admin password hWTFwju0HYZfa.ox encrypted privilege 15
username HaverfordVPN password vkED6dK2G3A.b5p1 encrypted privilege 2
username msimone password SCQdC/o9XmwTgntq encrypted privilege 15
terminal width 80
Thanks for all the HELP!!!!
Also when you're connected to the vpn, from the client machine paste these;
ipconfig/all
route print
This would give a clear picture of what exactly the VPN is delivering.
Cheers,
Rajesh
>>access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
you don't need that line; so do this;
no access-list 101
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
Then create an identical access-list like the one above for nat 0; don't use the same access-list.
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
>>nat (inside) 0 access-list 101
change the above to;
nat (inside) 0 access-list nonat
Cheers,
Rajesh
ASKER
Hi, these are the results after I made the changes you suggested. Though when I went to create this line >>access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0>>> it wouldn't, because it said it was a duplicate. Thanks for all the HELP!!!!
Ethernet adapter Wireless Network Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1470 Dual Band WLAN Mini-PCI Card
Physical Address. . . . . . . . . : 00-14-A5-80-1C-6C
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.73.242
68.87.71.226
Lease Obtained. . . . . . . . . . : Thursday, November 09, 2006 7:15:34 AM
Lease Expires . . . . . . . . . . : Friday, November 10, 2006 7:15:34 AM
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : ehaverford.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.3
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.104
Primary WINS Server . . . . . . . : 192.168.1.104
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 14 a5 80 1c 6c ...... Dell Wireless 1470 Dual Band WLAN Mini-PCI Card - Packet Scheduler Miniport
0x20002 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
69.33.22.194 255.255.255.255 192.168.1.1 192.168.1.101 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.1.3 172.16.1.3 10
172.16.1.3 255.255.255.255 127.0.0.1 127.0.0.1 10
172.16.255.255 255.255.255.255 172.16.1.3 172.16.1.3 10
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 25
192.168.1.0 255.255.255.0 172.16.1.3 172.16.1.3 1
192.168.1.1 255.255.255.255 192.168.1.101 192.168.1.101 1
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 25
224.0.0.0 240.0.0.0 172.16.1.3 172.16.1.3 10
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 25
255.255.255.255 255.255.255.255 172.16.1.3 172.16.1.3 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
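The route table posted above decides which adapter a DNS query leaves on, and one detail in it is worth checking by hand: 192.168.1.0/24 appears twice, once on the wireless adapter (metric 25) and once on the VPN adapter (metric 1), because the local LAN and the remote LAN use the same 192.168.1.x range. The script below is an added example, not part of the thread; it replays the Windows selection rule (longest prefix first, then lowest metric) over a constructed copy of the posted `route print` output, so you can see which adapter the pushed DNS server 192.168.1.104 and the local gateway 192.168.1.1 are reached through, and which prefixes are present on more than one adapter. The adapter names are taken from the posted `ipconfig /all`.

```python
import ipaddress

# Constructed from the `route print` output posted in this thread
# (Network Destination, Netmask, Gateway, Interface, Metric per line).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
69.33.22.194 255.255.255.255 192.168.1.1 192.168.1.101 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.1.3 172.16.1.3 10
172.16.1.3 255.255.255.255 127.0.0.1 127.0.0.1 10
172.16.255.255 255.255.255.255 172.16.1.3 172.16.1.3 10
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 25
192.168.1.0 255.255.255.0 172.16.1.3 172.16.1.3 1
192.168.1.1 255.255.255.255 192.168.1.101 192.168.1.101 1
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 25
224.0.0.0 240.0.0.0 172.16.1.3 172.16.1.3 10
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 25
255.255.255.255 255.255.255.255 172.16.1.3 172.16.1.3 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
"""

# Interface addresses from the posted `ipconfig /all`, for readable output.
INTERFACE_NAMES = {
    "192.168.1.101": "Wireless Network Connection 2",
    "172.16.1.3": "Cisco Systems VPN Adapter",
    "127.0.0.1": "MS TCP Loopback interface",
}


def parse_routes(text):
    """Turn `route print` lines into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skips the header and separator lines of a raw paste
        dest, mask, gateway, iface, metric = parts
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    network, gateway, iface, metric = min(
        candidates, key=lambda r: (-r[0].prefixlen, r[3])
    )
    return {
        "prefix": str(network),
        "gateway": gateway,
        "interface": iface,
        "adapter": INTERFACE_NAMES.get(iface, iface),
        "metric": metric,
    }


def overlapping_prefixes(routes):
    """Prefixes that are reachable through more than one interface."""
    by_prefix = {}
    for network, _gateway, iface, _metric in routes:
        by_prefix.setdefault(str(network), set()).add(iface)
    return sorted(p for p, ifaces in by_prefix.items() if len(ifaces) > 1)


ROUTES = parse_routes(ROUTE_PRINT)

if __name__ == "__main__":
    for target in ("192.168.1.104", "192.168.1.1", "68.87.73.242"):
        print(target, "->", lookup(ROUTES, target))
    print("prefixes present on more than one adapter:", overlapping_prefixes(ROUTES))
```

With this table the query to 192.168.1.104 does go out the VPN adapter, since the VPN's /24 wins on metric, while 192.168.1.1 (the local wireless gateway) keeps its own /32 on the wireless side. Any remote host that happens to share an address with a local one, or a future change in metrics, flips that decision, which is why an overlapping client and remote LAN range is worth noting when a VPN client can reach hosts by IP but not reliably by name.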
Check the binding order on your machine. Post what order your adapters are listed. If remote access connections is listed on top then move it down and look at this article: http://support.microsoft.com/kb/311218
How to change the binding order of network adapters
1. Click Start, click Run, type ncpa.cpl, and then click OK.
You can see the available connections in the LAN and High-Speed Internet section of the Network Connections window.
2. On the Advanced menu, click Advanced Settings, and then click the Adapters and Bindings tab.
3. In the Connections area, select the connection that you want to move higher in the list. Use the arrow buttons to move the connection.
Ok, so you have the nonat access-list already. So I would assume that you have made these changes as well ?
nat (inside) 0 access-list nonat
now, on the client machine, do this;
nslookup yahoo.com and post it here.
Cheers,
Rajesh
ASKER
Hi, here is the result of the nslookup for yahoo.com
Server: hhfile1.ehaverford.com
Address: 192.168.1.104
DNS request timed out.
timeout was 2 seconds.
Other than the changes I asked you to make, your PIX configuration looks okay to me. But on your VPN virtual adaptor I don't see the IP address as the default gateway. Typically it should be like this;
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : ehaverford.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.3
Subnet Mask . . . . . . . . . . . : 255.255.0.0
>>>> Default Gateway . . . . . . . . . : 172.16.1.3
DNS Servers . . . . . . . . . . . : 192.168.1.104
Primary WINS Server . . . . . . . : 192.168.1.104
So is this the only machine that is having problems? Or is this the *only* machine you're trying with? Would it be possible to try with another client machine? If not then I would suggest you do this;
1. Uninstall Cisco VPN Client
2. At the command prompt run these;
netsh int ip reset reset.log
netsh winsock reset
3. Reboot the machine.
4. Install the latest vpn client available (4.8)
and then see if it makes any difference.
Cheers,
Rajesh
ASKER
Thanks for the suggestion.... but I have tried it with 2 other machines, and one is running the newest client version available, and still the same issue.
If you have a computer named computer1 and you can't ping it, but you can ping it by FQDN (computer1.mynetwork.com) then add mynetwork.com to your DNS suffixes and this should resolve the issue.
Go to your network adapter - properties - highlight tcp/ip - properties - advanced - DNS tab - Select "Append these DNS suffixes (in order) - Click add - add your domain name(s) (mynetwork.com) - Save changes
I noticed you're connecting by way of VPN. If the above solution I posted does not work, check your binding order and put Local Area Connection 2 on top to see if that fixes it. If it does, then your computer was using the wrong DNS server b/c of your binding order.
ASKER
I can't ping any DNS names I can only ping by IP.
Still try the binding order thing I posted.
Did you open port 53 TCP and UDP for DNS?
ASKER
Would that show in my router config? And if not, how do you do that?
I believe the command is
>fixup protocol dns 53
from
pixfirewall(config)#
ASKER
When I try that command I get this error
>>HaverfordPix(config)# fixup protocol dns 53
Usage: [no] fixup protocol dns [maximum-length <length>]
Ah, I think I might have found an answer online: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/intro.htm
Try
fixup protocol domain 53
ASKER
Thanks I will try that, though I don't think I have a support contract with them.
ASKER
OK, for the time being, if I set the DNS to the internal DNS server on the wireless, how will that affect the internet when it usually is set dynamically through a router with the ISP?
Betcha a nickel it will work: if you change the primary DNS setting on your wireless connector to your internal DNS server it will fix it, but leave the secondary to an external DNS server for when the VPN is not connected....
You can have your users statically configure their DNS servers on their adapters as mentioned by Saw830. Keep the internal as primary and keep the ISP's as secondary. But the bad part is that every user will have to be doing this.
This shouldn't be happening, in fact. This is the second incident with PIX 506E I believe in this forum itself about DNS. There is something wrong with this. Configuration wise, I had even checked line by line on what I used to have in my PIX.
If you don't have a support contract, Cisco won't support it. I guess you need to talk to them anyway; also search the bug database if possible (I haven't been doing that for almost a year now so I wouldn't know).
Cheers,
Rajesh
ASKER
Rajesh,
Thanks, I will check the bug database. I have tried putting in the IP address of the internal DNS and external and still no luck.
ASKER
What's strange about this whole thing is, there is no gateway listed for the VPN. Also, I still can't ping DNS names even when putting in the DNS server IP.
What is the OS version? If XP, I wouldn't load anything less than 4.8.
Can you do the sequence as I asked some posts back just to see if there is any problem?
1. Uninstall Cisco VPN Client
2. At the command prompt run these;
netsh int ip reset reset.log
netsh winsock reset
3. Reboot the machine.
4. Install the latest vpn client available (4.8)
Also along with that, is this a production PIX right now? If so, would it be possible to get a 5 minute window to restart the firewall? Try that; so many times that has fixed problems.
Cheers,
Rajesh
ASKER
Where can I get the latest version of VPN? When I go to the Cisco site I am only a visitor and was not able to download it.
Yeah, unfortunately you can't get it from there since you need to have a Cisco Service Contract.
Cheers,
Rajesh
How is your DNS set up on the remote PC? It needs to have its DNS settings pointing to your internal DNS servers so that it can resolve the names of things into addresses. Normally, in such situations, I set the primary DNS server to be my internal DNS server and the secondary DNS to be whatever internet based or external DNS server. The idea is to have your remote PC always use your internal (Active Directory integrated if you have it) DNS server if it can reach it, and fall back to a vanilla internet based DNS server when it can't reach the internal server.
Hope this helps,
Alan