CISCO VPN NO DNS

New user here; I inherited a CISCO PIX 525 and I only know the GUI.
VPN is set up 2 ways: 4 persistent connections (point to point, preshared keys), and
VPN clients for sales people who connect from internet connections, i.e. hotel rooms, Kinko's, etc.

VPN connects fine but DNS does not work, am able to use IP addresses of servers to get to them but would like to not have to go hosts file route as we are constantly adding new equipment as we grow.
Using CISCO Client 4.7
I read another thread where adding isakmp nat-traversal solved a similar issue. I have my configuration in a text file and do not find this line.
How would I get this into the config using the GUI?

Thanks
wsfancherAsked:

batry_boyCommented:
I don't think this is a NAT traversal issue, since if it were, you would most likely not be able to even get to the servers via IP address.  Please post your running configuration (sanitized with public IP's stripped out) and we'll take a look.
0
batry_boyCommented:
The version of PDM you are using is so old that I don't have it loaded on any PIX'es that I have access to, but below is a screenshot of where the setting is found under the 3.0(4) version...it may be in a similar place, but there is no guarantee!  :)

pdm3-nat-traversal.png
0
wsfancherAuthor Commented:
In my old PDM the option you show does not exist.

I will get the config together and send to you.  I will be back here at 07:30 EST
cleanCopy-of-pix515.txt
0

batry_boyCommented:
Your version of the PIX code doesn't support that command.  So, we can either look for an alternative solution or you can upgrade the code on the PIX and implement the NAT traversal to see if that fixes your issue.

After looking at your existing configuration, I see a couple of things.

First, which vpngroup are you using, RLA or ABC?  If you are using RLA, then I don't see where you are assigning a DNS server to your VPN clients.  If you are using ABC, then what IP addresses are being received by the VPN clients since I don't see a corresponding "vpngroup ABC address-pool <poolname>" command.  You should add the command:

vpngroup ABC address-pool VPN

When you establish a VPN session and issue the "ipconfig /all" command from the Windows command prompt, what DNS server are you getting on the client?

The second thing that I see is that your NAT exemption ACL exempts traffic for only a portion of the VPN pool that is defined.

access-list inside_outbound_nat0_acl permit ip 10.200.200.0 255.255.255.0 10.200.215.0 255.255.255.224
ip local pool VPN 10.200.215.1-10.200.215.36

The NAT exemption only covers traffic going back to 10.200.215.1-10.200.215.31 since the netmask referenced in the ACL is 255.255.255.224.  Either the VPN pool needs to be scaled back to 10.200.215.1-10.200.215.31, or the netmask in the ACL needs to be modified to include the entire VPN pool.  This can be done by changing the netmask to 255.255.255.192.
0
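The NAT-exemption mismatch described above (an ACL mask of 255.255.255.224 covering only the first 31 hosts of a 36-address pool) is easy to verify mechanically. The following is an added example, not code from the thread or from Cisco; it uses only the Python standard library and the pool and ACL values posted in the thread, embedded here as constructed sample data. It reports which pool addresses an ACL entry leaves uncovered and the smallest mask that would cover the whole pool, and also shows the classful-mask effect discussed later in the thread, where a 255.0.0.0 mask makes the 10.200.200.200 DNS server look on-link to a 10.200.215.x client.

```python
import ipaddress

# Constructed sample values, copied from the configuration lines quoted in the thread.
VPN_POOL = ("10.200.215.1", "10.200.215.36")          # "ip local pool VPN ..."
NAT0_ACL = ("10.200.215.0", "255.255.255.224")        # destination of the nat0 ACL entry
DNS_SERVER = "10.200.200.200"


def acl_covers_pool(acl_net, acl_mask, pool_start, pool_end):
    """True when every address in the pool falls inside the ACL's destination network."""
    net = ipaddress.ip_network(f"{acl_net}/{acl_mask}", strict=False)
    return (ipaddress.ip_address(pool_start) in net
            and ipaddress.ip_address(pool_end) in net)


def uncovered_addresses(acl_net, acl_mask, pool_start, pool_end):
    """List the pool addresses whose return traffic the ACL entry does NOT exempt from NAT."""
    net = ipaddress.ip_network(f"{acl_net}/{acl_mask}", strict=False)
    first = int(ipaddress.ip_address(pool_start))
    last = int(ipaddress.ip_address(pool_end))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)
            if ipaddress.ip_address(i) not in net]


def smallest_covering_mask(acl_net, pool_start, pool_end):
    """Longest netmask (most specific network) anchored at acl_net that still holds the whole pool."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{acl_net}/{prefix}", strict=False)
        if start in net and end in net:
            return str(net.netmask)
    return None


def classful_mask(ip):
    """Mask a device falls back to when it assigns a classful mask to an address."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    return "255.255.255.0"        # class C


def appears_on_link(client_ip, mask, host_ip):
    """True when the client, using the given mask, considers host_ip part of its own subnet."""
    iface = ipaddress.ip_interface(f"{client_ip}/{mask}")
    return ipaddress.ip_address(host_ip) in iface.network


if __name__ == "__main__":
    net, mask = NAT0_ACL
    start, end = VPN_POOL
    print("ACL covers whole pool:", acl_covers_pool(net, mask, start, end))
    print("Uncovered pool addresses:", uncovered_addresses(net, mask, start, end))
    print("Smallest covering mask:", smallest_covering_mask(net, start, end))
    client = "10.200.215.5"
    cm = classful_mask(client)
    print(f"Classful mask for {client}: {cm}; DNS server on-link: "
          f"{appears_on_link(client, cm, DNS_SERVER)}")
```

Running the script against the thread's values reports the five uncovered addresses (.32 through .36) and 255.255.255.192 as the covering mask, which is the change suggested in the comment above; the same functions can be pointed at any other pool and ACL pair before committing the change.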
wsfancherAuthor Commented:
ABC and RLA are the same; there is only one group. I missed changing some RLA to ABC as I went through the file. I will see about changing the ACL to reflect the larger pool.

When running ipconfig /all on an attached client, the DNS server does show 10.200.200.200 correctly, and WINS also at 10.200.200.200, BUT resolution does not happen. If, however, one attaches to a server in the group, say \\10.200.200.250\public, in a few moments all resolution works. For some reason the IP mask on the VPN will show as 10.0.0.0 during ipconfig. Very weird.
0
wsfancherAuthor Commented:
I forgot to mention, I would love to upgrade PDM and the PIX software, but CISCO no longer supports the 515, so I cannot buy service and get access to later software. All I could do would be to buy a new firewall, which I think I will have to do, as my bandwidth is higher than the 515 I used to have can handle. I have the config you are viewing on a borrowed 525 at the moment.
0
batry_boyCommented:
The mask reads 10.0.0.0???  Very strange...haven't seen that one.  Until you have the ability to get later code, you will be fighting issues and bugs a lot, I'm afraid...I'll take another look at the config in light of your comments and see if I can see something else...I'll post back later.
0
wsfancherAuthor Commented:
Thanks
0
wsfancherAuthor Commented:
Really mean to say 255.0.0.0  not 10.0.0.0 for mask
0
batry_boyCommented:
>>Really mean to say 255.0.0.0  not 10.0.0.0 for mask

OK, that makes more sense.  

That netmask you are getting from the PIX must be because it is assigning a classful mask.  In other words, 10.x.x.x is a class A subnet and an 8 bit mask would be a classful mask for that subnet.  I looked up the command in the 6.2 reference guide and it doesn't look like it supports specifying the netmask on the end of the line like it does in the 6.3 code...bummer.  I think you may be having a problem because your DNS server is 10.200.200.200, but because your mask is 10.0.0.0, it thinks that 10.200.200.200 is on the same subnet along with 10.200.215.x, so there may be some traffic routing issues here.

Since you're running that old code that won't let you specify a 24 bit mask for a 10.x.x.x VPN pool, my suggestion is to try creating a new VPN pool, say something that is in the class C range like 192.168.215.0/24.  Then modify your vpngroup command to use this pool, and modify the NAT 0 ACL to exempt return traffic back to this subnet and see if you get any better results.  Here are the commands to do this:

ip local pool VPN2 192.168.215.1-192.168.215.36
no vpngroup ABC address-pool VPN
vpngroup ABC address-pool VPN2
access-list inside_outbound_nat0_acl permit ip 10.200.200.0 255.255.255.0 192.168.215.0 255.255.255.192
access-list DMZ_outbound_nat0_acl permit ip 10.100.0.0 255.255.255.0 192.168.215.0 255.255.255.224

Just make sure you pick a class C that is not already in use on your internal network.
0
wsfancherAuthor Commented:
I'll try this first thing in the morning and let you know
0