Solved

Main site to remote site DNS problem via VPN tunnel

Posted on 2008-10-26
657 Views
Last Modified: 2010-05-18
This weekend my Data Center was moved from one location to another. The old location is now a branch office of the new location. All the servers are at the main location: domain, DNS, DHCP, etc. The only thing that remains at the branch location is an ASA firewall, a switch and some thin clients. A VPN tunnel was created between the ASA at the main site and the ASA at the remote site. The remote site is getting DHCP addresses from the ASA and the main site is getting DHCP from the DHCP server. The addresses are not the same.
Ideally, I want both sites to get all of the DHCP and DNS information from the main site. Is that possible and if so how?
If that isn't possible, can I configure my DNS servers to resolve the hostnames from the branch site's IP addressing scheme?
We go live in the morning so help is much appreciated as soon as possible!
0
Question by:Jennifer1024
8 Comments
 
LVL 12

Expert Comment

by:hfraser
ID: 22809185
Are the thin clients' servers also being hosted remotely? If so, the processing is being done remotely, and the actual address of the clients really doesn't matter. As such, you might as well leave the situation as is, letting the local ASA firewall issue the addresses.

One thing to keep in mind, though, is the scope. If you have many remote sites configured the same way, you'll want to ensure that each issues different addresses.

The main reason for leaving the addresses issued locally is to eliminate the need to allow broadcast traffic across the VPN (DHCP requests are a broadcast).
0
 

Author Comment

by:Jennifer1024
ID: 22809280
There isn't a server at the remote site. Just a switch and the ASA. Right now neither site can really talk to the other as the addresses are not being resolved.
0
 
LVL 12

Expert Comment

by:hfraser
ID: 22809475
OK. So modify the DHCP server in the ASA firewall to point the clients' DNS to the main site and manage the DNS stuff from there. I'd still leave the remote clients getting addresses from the local firewall.
0
 
LVL 8

Assisted Solution

by:RGRodgers
RGRodgers earned 600 total points
ID: 22809509
This is complex. But, to do what you say you want, you need to make sure that the firewall is allowing DNS and DHCP communication to pass. This includes port 53 (TCP & UDP) for DNS and ports 67 (UDP) and 68 (UDP) for DHCP. Others may be required, depending upon your configuration. Check a list such as
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

I also suggest that you use equipment within the remote site to serve DHCP addresses, at minimum.  And, then configure the DHCP server to provide the appropriate DNS server addresses to the client.  

Good luck.
0
 
LVL 8

Expert Comment

by:RGRodgers
ID: 22809525
This reference can provide a lot of help if you can use it:
http://en.wikipedia.org/wiki/Dhcp
0
 

Author Comment

by:Jennifer1024
ID: 22809530
I modified the DHCP server on the remote ASA to point DNS queries to my DNS servers at the main site. I also set up DHCP relay to my DHCP servers. So far I'm not seeing any difference and the ARP table on the remote ASA still shows old addresses.
0
 

Author Comment

by:Jennifer1024
ID: 22810946
Update: I forged ahead with different IP addresses at the remote site. Many of these clients are connecting through thin clients or can connect with RDP, so that works fine. They can connect to the TS at the main site without any issues. However, I'm having a hard time printing from the TS server back to the remote site's printers. The printers have new addresses as well and install fine on the server, but no luck there either.
0
 
LVL 12

Accepted Solution

by:
hfraser earned 900 total points
ID: 22811117
Ahh. So the remote site doesn't just have the ASA firewall, a switch, and some thin clients. The printers have addresses that are important.

You have a couple of choices. You can reduce the address range assigned by the ASA DHCP server and assign one of the non-DHCP addresses available to the printers. Or you can reserve the addresses in the DHCP server, which ties an IP address to the MAC address of the printer NIC. The only caveat with this is that if the printer or its NIC is replaced, the reservation fails.

The address has to be in the local subnet to be visible to the servers through the tunnel.

In either case, make an entry in the DNS to reference the printer.
0
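The following is an added configuration example (not from the thread) that pulls together hfraser's two recommendations, keep DHCP local on the remote ASA but hand out the main site's DNS servers, and shrink the pool so the printers can use fixed addresses below it, plus the crypto ACL that lets the DNS and printer traffic ride the tunnel. All subnets, interface names and addresses are assumed: remote LAN 192.168.20.0/24 on "inside", main-site server LAN 10.0.0.0/24, main-site DNS at 10.0.0.10 and 10.0.0.11, pre-8.3 ASA NAT syntax.

```cisco
! Remote-site ASA, example only: assumed addresses, not the asker's.
! Pool starts at .100 so .2-.99 stay free for statically addressed
! printers; the ASA's built-in DHCP server has no MAC reservations,
! so a fixed address on the printer is the practical option here.
dhcpd address 192.168.20.100-192.168.20.200 inside
! Hand out the main-site DNS servers instead of the ASA itself, so
! names on both sides resolve from one authoritative place.
dhcpd dns 10.0.0.10 10.0.0.11
dhcpd domain corp.example
dhcpd lease 86400
dhcpd enable inside
!
! Traffic that must cross the tunnel: the whole remote LAN to the
! server LAN. This covers DNS (53/tcp+udp), RDP to the TS, and the
! TS printing back to 192.168.20.x printers.
access-list VPN-TRAFFIC extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
! NAT exemption (pre-8.3 syntax) so tunnelled traffic keeps the
! real source address the main-site DNS/TS see.
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! On the main-site DNS, add an A record per printer, e.g.
! printer1.corp.example -> 192.168.20.10 (fixed on the printer).
! Verify from the ASA: show dhcpd binding ; show crypto ipsec sa
```

Mirror the VPN-TRAFFIC and NONAT lines on the main-site ASA with the subnets reversed, otherwise replies from the DNS servers and the TS never enter the tunnel.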
