Solved

Cisco 5510 asa vpn ias dns - Can't find server name for address

Posted on 2008-10-01
Last Modified: 2012-08-13
Using a Cisco 5510 ASA for remote VPN with IAS authentication, and we are having a problem using local DNS. When doing an nslookup we receive the error "*** Can't find server name for address 10.10.2.31".
The VPN connection works using IAS (which is running on the 10.10.2.31 server). Able to ping and RDP to all internal networks, including the domain server running DNS on 10.10.2.31.

ASA Version 7.1(2)
!
hostname xxxvnp
domain-name xxx.local
enable password xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif Inside
 security-level 1
 ip address 10.10.2.7 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
 management-only
!
passwd xxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 retries 3
 timeout 3
 name-server 10.10.2.31
 name-server 10.10.2.32
 domain-name xxx.local
same-security-traffic permit inter-interface
access-list Inside_nat0_outbound extended permit ip any 10.10.6.0 255.255.255.0
access-list staff standard permit 10.10.2.0 255.255.255.0
access-list staff standard permit 10.10.16.0 255.255.255.0
access-list staff standard permit 10.10.17.0 255.255.255.0
access-list staff standard permit 10.10.100.0 255.255.255.0
access-list staff standard permit 10.10.6.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool vpnpool 10.10.6.2-10.10.6.254 mask 255.255.255.0
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
route Outside 0.0.0.0 0.0.0.0 209.29.10.217 1
route Inside 0.0.0.0 0.0.0.0 10.10.2.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnauth protocol radius
aaa-server vpnauth host 10.10.2.31
 timeout 30
 key xxxxxx
 radius-common-pw xxxxxx
 acl-netmask-convert auto-detect
group-policy Group internal
group-policy Group attributes
 wins-server value 10.10.2.31
 dns-server value 10.10.2.31 10.10.2.32
 password-storage enable
 group-lock value Group
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value staff
 default-domain value xxx.local
username xxxadmin password xxxxxxxxxx encrypted privilege 15
username xxxadmin attributes
 vpn-group-policy Group
username user password xxxxxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.2.106 255.255.255.255 Inside
http 10.10.16.10 255.255.255.255 Inside
http 10.10.2.31 255.255.255.255 Inside
http 10.10.16.50 255.255.255.255 Inside
snmp-server host Inside 10.10.2.106 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Group type ipsec-ra
tunnel-group Group general-attributes
 address-pool (Inside) vpnpool
 address-pool vpnpool
 authentication-server-group vpnauth LOCAL
 authentication-server-group (Inside) vpnauth
 default-group-policy Group
 authorization-required
tunnel-group Group ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet 10.10.2.31 255.255.255.255 Inside
telnet 10.10.2.106 255.255.255.255 Inside
telnet 10.10.16.50 255.255.255.255 Inside
telnet 10.10.16.10 255.255.255.255 Inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:0aeba0a94045330927180ea76f3b37e0
: end
Question by: MIDAC

9 Comments
Expert Comment by: lrmoore (ID: 22621215)
>Can't find server name for address 10.10.2.31"
This is usually simply because there is no PTR record for the dns server itself.

I'm assuming that you can actually ping that IP address from a client?
Author Comment by: MIDAC (ID: 22630446)
Forward and reverse records are configured for IP address 10.10.2.31. Also, this server is the Domain Controller, DNS, and running the IAS used for VPN authentication. We are able to ping, RDP and map drives. Just can't do an nslookup against the server.
Expert Comment by: lrmoore (ID: 22630678)
> inspect dns maximum-length 512
Try increasing the max-length on your dns inspect, or disable the dns inspect completely
Author Comment by: MIDAC (ID: 22633198)
Removed "inspect dns maximum-length 512" and still getting the same result:

C:\Documents and Settings\testuser>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 10.10.2.31: Timed out
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 10.10.2.32: Timed out
Server:  dns.rnc.net.cable.rogers.com
Address:  64.71.255.198

Non-authoritative answer:
Name:    google.com
Addresses:  64.233.187.99, 209.85.171.99, 72.14.207.99
Expert Comment by: lrmoore (ID: 22633657)
That was a shot in the dark anyway.
Just for a test try adding entries for those two servers in the local hosts file
This is a first for me. I've never seen this particular problem.

Although... ASA Version 7.1(2)
Very buggy version. Highly recommend upgrading to 8.0(4)
Expert Comment by: Pugglewuggle (ID: 22635295)
That's odd... Usually a 512 length DNS filter is fine.
Can you please confirm that you can run nslookup in the local LAN? If you cannot then it is a problem with your DNS server, not the ASA.
And yes, do upgrade to ASA 8.0.4 / ASDM 6.13
Author Comment by: MIDAC (ID: 22687958)
Nslookup works fine on the LAN. I tried using IP pool 10.10.2.220-230, which is in the same internal port IP address block (router internal IP address is 10.10.2.7), and it works: nslookups of internal forward and reverse DNS addresses. I didn't think it was possible to use IP addresses within the same IP block as the internal port, but gave it a shot anyway.

However, the customer does not wish to use IPs from this block. Remember everything works with the 10.10.6.0/24 except DNS.

I noticed something else. I can ping the vpn the client IP Address using the 10.10.2.220-230 IP Address pool, but I cannot with the 10.10.6.0/24 ones.

I've double checked the routing, but everything else works. Also, I added the 10.10.6.0/24 to Sites/Subnets and DNS/Reverse Lookup Zones, thinking it may be a server issue of allowing DNS lookups.

Since the 10.10.2.0/24 block works, I don't think it's a UDP issue. Could there be something else on the server that needs to be configured?
Expert Comment by: Pugglewuggle (ID: 22692986)
> I noticed something else. I can ping the vpn the client IP Address using the 10.10.2.220-230 IP Address pool, but I cannot with the 10.10.6.0/24 ones
What do you mean exactly?
Also, one interesting question.... you do have an A record set up for 10.10.2.31, right?
Accepted Solution by: MIDAC (earned 0 total points, ID: 22780807)
It turned out to be a routing issue, even though we had set the FortiGate firewall to allow any/any and all other communications (ping/RDP) worked fine.

On the DNS servers 10.10.2.31 and 10.10.2.32 we added a static route to send all VPN IP addresses back directly to the VPN router, and reverse internal DNS worked. We shouldn't have had to do that, but the customer was anxious to get it working.
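The asymmetric path behind the accepted solution, as an added example that is not part of the thread: a small Python model of the DNS server's host routing table before and after the static route, showing why the in-subnet 10.10.2.220-230 pool worked while 10.10.6.0/24 did not. The host table (on-link 10.10.2.0/24, default gateway 10.10.2.1, ASA Inside at 10.10.2.7) is an assumption read from the posted config, not data pulled from a real server.

```python
import ipaddress

# Constructed host routing table for the DNS/IAS server 10.10.2.31, as implied by the
# posted config: on-link 10.10.2.0/24, default gateway 10.10.2.1 (the FortiGate, per
# "route Inside 0.0.0.0 0.0.0.0 10.10.2.1 tunneled"), ASA Inside interface 10.10.2.7.
ASA_INSIDE = "10.10.2.7"

def base_routes():
    """Routes the DNS server has before the fix: (prefix, next_hop or None for on-link)."""
    return [
        (ipaddress.ip_network("10.10.2.0/24"), None),       # directly connected LAN
        (ipaddress.ip_network("0.0.0.0/0"), "10.10.2.1"),  # default gateway (FortiGate)
    ]

def fixed_routes():
    """Same table plus the static route the poster added for the VPN pool."""
    return base_routes() + [(ipaddress.ip_network("10.10.6.0/24"), ASA_INSIDE)]

def next_hop(routes, dst):
    """Longest-prefix match: next hop for dst, or 'on-link' when directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]

def reply_reaches_asa(routes, client_ip):
    """True when the DNS reply to a VPN client is handed back to the ASA (symmetric path).

    An on-link destination counts as reaching the ASA: the thread reports that pool
    addresses inside 10.10.2.0/24 resolve fine, because the server delivers them on
    the LAN where the ASA holds the pool, rather than via the FortiGate gateway.
    """
    return next_hop(routes, client_ip) in ("on-link", ASA_INSIDE)

if __name__ == "__main__":
    for client in ("10.10.2.220", "10.10.6.5"):           # one client from each pool
        for label, table in (("before fix", base_routes()), ("after fix", fixed_routes())):
            print(f"{client:12} {label:10} next hop={next_hop(table, client):9} "
                  f"reply reaches ASA={reply_reaches_asa(table, client)}")
```

Before the fix, replies to 10.10.6.x leave toward 10.10.2.1 while the queries arrived from 10.10.2.7, which is the asymmetric path the poster corrected with the static route.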