Solved

DNS setup for Cisco VPDN

Posted on 2010-08-27
Last Modified: 2012-05-10
I have set up the following VPDN on the Cisco router. The DNS points to my internal DNS servers. When the VPN client was connected, I could see that the DNS is granted to these two internal servers.

However, when I ping another internal server, it doesn't return the internal IP of the server. Somehow a public IP 209.68.xx was replied. Any idea what's wrong with my VPDN configuration?

Thanks

!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 peer default ip address pool pool1
 ppp authentication pap chap L2TP-AUTH
 ppp authorization L2TP-AUTH
 ppp ipcp dns 192.168.150.37 192.168.150.32
Question by:AXISHK
12 Comments
 
LVL 24

Expert Comment

by:rfc1180
>Somehow a public IP 209.68.xx was replied. Any idea what's wrong with my VPDN configuration?
Without looking at your entire configuration I do not have a solid idea, but based on what you have mentioned, if you use 1:1 NAT for the 209.68.xx and the internal IP that you are pinging, IOS is executing a "DNS rewrite"; this is typical by design in most modern ASA and IOS configs.

Billy

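The point rfc1180 makes above is that a NAT device holding a static 1:1 translation for a server can rewrite the A record inside the DNS reply (the DNS ALG in IOS and ASA), so the VPN client learns the outside address instead of the inside one. The following is an added example, not code from this thread: a Python model of that rewrite, run over a DNS response and a static NAT table that are both constructed here. The 203.0.113.0/24 addresses and the host names are hypothetical. It shows that only addresses with a static entry are rewritten, that an address without one passes through untouched, and that applying the table in the reverse direction recovers what an inside host should have seen.

```python
"""Model of a NAT DNS ALG rewriting A records (added example, constructed data)."""
import ipaddress
import struct

# Constructed static NAT table, inside -> outside, in the shape of
# "ip nat inside source static <inside> <outside>".  Hypothetical addresses.
STATIC_NAT = {
    "192.168.150.32": "203.0.113.32",
    "192.168.150.39": "203.0.113.39",
}


def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answer_section(msg):
    """Yield (name_offset, rdata_offset, rtype, rclass, rdlen) for each answer RR."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                      # skip the question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        name_off = off
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name_off, off, rtype, rclass, rdlen
        off += rdlen


def rewrite_dns_response(msg, nat_table, inside_to_outside=True):
    """Rewrite IPv4 A-record RDATA the way a NAT DNS ALG does.

    Leaving the inside network, an inside address with a static translation is
    replaced by its outside address; the reverse direction undoes that.
    Returns (new_message, [(name_offset, old_ip, new_ip), ...]).
    """
    table = nat_table if inside_to_outside else {v: k for k, v in nat_table.items()}
    buf = bytearray(msg)
    changes = []
    for name_off, rd_off, rtype, rclass, rdlen in _answer_section(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:        # A record, class IN
            old = str(ipaddress.IPv4Address(bytes(buf[rd_off:rd_off + 4])))
            new = table.get(old)
            if new is not None:
                buf[rd_off:rd_off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((name_off, old, new))
    return bytes(buf), changes


def answer_ips(msg):
    """A-record addresses in a response, in answer order."""
    return [str(ipaddress.IPv4Address(msg[rd_off:rd_off + 4]))
            for _, rd_off, rtype, _, rdlen in _answer_section(msg)
            if rtype == 1 and rdlen == 4]


def build_a_response(name, ip, txid=0x1234, ttl=300):
    """Build a minimal DNS response with one A record (constructed test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_response("fileserver.example.internal", "192.168.150.32")
    seen_via_nat, changes = rewrite_dns_response(reply, STATIC_NAT)
    print("answer from the internal DNS server:", answer_ips(reply))
    print("answer after the NAT DNS ALG:        ", answer_ips(seen_via_nat))
    for _, old, new in changes:
        print(f"  rewrote {old} -> {new}")
    other, _ = rewrite_dns_response(
        build_a_response("printer.example.internal", "192.168.150.50"), STATIC_NAT)
    print("host with no static entry, untouched:", answer_ips(other))
```

The field check this models is simply comparing the answer the VPN client gets for the host name with the answer the same DNS server gives on the LAN; if they differ only for hosts that have a static NAT entry, the rewrite is the cause.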
 
LVL 28

Expert Comment

by:bgoering
You indicated this is a router (IOS), I presume. Do you have a statement like

ip name-server a.b.c.d

pointing at your internal name server?
 
LVL 22

Expert Comment

by:Jody Lemoine
It depends largely on client support.  On my L2TP and PPTP VPDNs, the Windows clients will receive the DNS setting using any of the following mechanisms:

Explicit async-bootp dns setting in global configuration
Explicit ppp ipcp dns setting under the virtual-template interface
No explicit ppp ipcp dns setting under the virtual-template interface (defaults to the async-bootp dns setting or the router's ip name-server setting in that order)

The Macintosh clients, on the other hand, won't pick up the DNS settings via *any* of these mechanisms, which is quite frustrating.

Do the IPCP-configured DNS servers show up in the client's name server list when you're connected?  If so, in what order?
 

Author Comment

by:AXISHK
I already put those related DNS statements in my configuration but it doesn't work. Under Windows, "ipconfig /all" shows that the DNS server has been bound to our internal DNS server. However, the host-name ping reply is from a strange IP address "209.62.xx.yy", and in fact the server can only be reached by IP rather than host name.

Although I have put in mppe auto, I could use it in my Windows VPN setup. The VPN connection can only be built when I specify "Optional encryption (connect even if no encryption)". It doesn't allow the connection if I select the default "Require encryption". Does it mean there is no encryption for the VPN connection?

Thanks again.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ABC-HKDC
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp L2TP-AUTH local
aaa authentication ppp l2tp-001 local
aaa authorization network L2TP-AUTH local
aaa authorization network l2tp-001 local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2609227240
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2609227240
 revocation-check none
 rsakeypair TP-self-signed-2609227240
!
crypto pki certificate chain TP-self-signed-2609227240
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363039 32323732 3430301E 170D3130 30383136 30343032
  35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36303932
  32373234 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B69C CEDF2C9A C121C1F1 A63040A2 80C13732 690559A4 DE62DD69 F87C71FF
  8AA7DE2E E132C0AB 732389CF 022AEE53 3726C82C 847F7699 3AA5D5E5 1B028B1E
  54E99A5D 34D7E07E C2472E89 26F2168D 78736632 8988E36E 47D61263 ED586747
  60D36D10 C0637CF1 0BC6B86D 28A68526 5CD2CCDA BB8C94D6 AE6620F1 D4CD59C1
  D2F10203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17555043 2D484B44 432E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 1407E486 76B48E82 1B5DEEE1 4E014B8A 0DE1AFC7
  30301D06 03551D0E 04160414 07E48676 B48E821B 5DEEE14E 014B8A0D E1AFC730
  300D0609 2A864886 F70D0101 04050003 81810072 4F60BC1E 35881E91 62547AB6
  597D6F88 83C18480 B9A8D9AC 2685C58D B64BD721 A960783E 4235450D 5BE85ADA
  D4C7364C E80EB768 E0E83E1B 5D6DF562 13ECDB7F A439774F AE7E6406 91625A88
  DC371EBF B71AF4C2 52703A3F CDC970EF 70CA4F4D 70EDDDFB 084D8804 2CA3C57E
  812ECA05 1EECCD46 2199D1AA 5B048DFD 7F4841
        quit
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 192.168.150.37
ip name-server 192.168.150.32
no ipv6 cef
!
multilink bundle-name authenticated
!
async-bootp dns-server 192.168.150.37 192.168.150.32
vpdn enable
vpdn multihop
vpdn domain-delimiter / prefix
!
vpdn-group vpdn--PPTP
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip 202.134.xxx.yyy
 local name vpdn
 lcp renegotiation on-mismatch
!
virtual-template 1 pre-clone 50
!
username upcadmin privilege 15 secret 5 $1$hxyr$8d/rybCDm
!
archive
 log config
  hidekeys
!
class-map match-any class--D
 match any
class-map match-any class--B
 match access-group 2001
class-map match-any class--C
 match access-group 2002
class-map match-any class--A
 match access-group 2000
!
policy-map policy--define
 class class--A
    bandwidth percent 40
 class class--B
    bandwidth percent 30
 class class--C
    bandwidth percent 5
 class class-default
    fair-queue
     random-detect
policy-map policy--UPC
 class class--D
    shape average 1000000
  service-policy policy--define
!
interface Loopback0
 ip address 1.1.1.111 255.255.255.255
!
interface Tunnel2
 description to HK office
 ip address 1.1.1.5 255.255.255.252
 ip tcp adjust-mss 1452
 tunnel source 202.134.xxx.yyy
 tunnel destination 219.90.xxx.yyy
!
interface Tunnel3
 description to BJ
 ip address 1.1.1.9 255.255.255.252
 ip tcp adjust-mss 1400
 tunnel source 202.134.xxx.yyy
 tunnel destination 202.134.ccc.ddd
!
interface FastEthernet0
 ip address 192.168.150.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 peer default ip address pool pool1
 ppp encrypt mppe auto
 ppp authentication pap chap L2TP-AUTH
 ppp authorization L2TP-AUTH
 ppp ipcp dns 202.134.eee.fff
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 202.134.xxx.yyy 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool pool1 192.168.150.200 192.168.150.240
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.134.mmm.nnnn
ip route 192.168.1.0 255.255.255.0 Tunnel2
ip route 192.168.7.0 255.255.255.0 Tunnel3
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Vlan1 overload
ip nat inside source static 192.168.150.32 202.134.xxx.yy1 extendable
ip nat inside source static 192.168.150.39 202.134.xxx.yy2 extendable
ip nat inside source static 192.168.150.40 202.134.xxx.yy3 extendable
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
no cdp run
!
snmp-server community private RW
snmp-server enable traps tty
snmp-server host 192.168.150.41 private
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
end
 
LVL 22

Expert Comment

by:Jody Lemoine
Are there any other name servers in your "ipconfig /all" output besides the ones you have configured?  If so, are they listed before or after the ones configured on the router?

The "mppe auto" command only applies to PPTP connections and won't help with L2TP, which uses IPsec.  The following virtual template is what I use for PPTP connections:

interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool default
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap xauth
 ppp authorization mppe
 

Author Comment

by:AXISHK
So can I have data encryption with L2TP? How do I configure IPsec to ensure maximum security?

I have configured this on my router and get the following warning messages. How do I get rid of these?

HKDC(config-if)# ppp authentication ms-chap-v2 ms-chap xauth
AAA: Warning, authentication list "xauth" is not defined for PPP.

HKDC(config-if)# ppp authorization mppe
AAA: Warning, authorization list "mppe" is not defined for network authorization

When I run "show ppp mppe virtual-access1", it tells me "PPP is not active on interface Vi1". How do I know the established connection is encrypted? And how many bits does it use for encryption?

Thanks
 
LVL 22

Expert Comment

by:Jody Lemoine
Okay, let me tackle these one-by-one.

> So can I have data encryption with L2TP? How to configure IPsec to ensure max. security?

Yes, but L2TP relies on IPsec as an external encryption/integrity mechanism, so it has to be configured via appropriate crypto maps on your router.

> I have configured on my router and have the following warning message. How to get rid of these ?
>
> HKDC(config-if)# ppp authentication ms-chap-v2 ms-chap xauth
> AAA: Warning, authentication list "xauth" is not defined for PPP.
>
> HKDC(config-if)# ppp authorization mppe
> AAA: Warning, authorization list "mppe" is not defined for network authorization

Sorry about that.  You have to define the xauth and mppe mechanisms in aaa before they'll actually be usable.  A sample configuration for that would look like this:

aaa authentication login xauth group radius local
aaa authorization network mppe group radius local

> How do I know the established connection is encrypted?

You can find out which virtual access interface each user is connected on by issuing the "show users" command.  Once you have that, you can use the "show ppp mppe virtual-access #" where # is the interface number the user is connected on.
 

Author Comment

by:AXISHK
"L2TP relies on IPsec": can I use this for remote VPN access for mobile clients? Is it better than MPPE (in what aspect)?

Can you give a configuration example for L2TP over IPsec for remote clients?

Many thanks again.
 
LVL 22

Expert Comment

by:Jody Lemoine
You certainly can.  It's much better than MPPE on modern Cisco routers because IPsec is accelerated in hardware while MPPE has to be encrypted/decrypted by the router's processor.  Also, IPsec with NAT-T is much friendlier with NAT routers at the client end than PPTP is.  Here's how I set it up:

vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username vpnbackup privilege 0 password 0 your-password
username vpnbackup autocommand exit
!

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key your-L2TP-tunnel-key address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set TS-3DESSHA1ESP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP 10
 set nat demux
 set transform-set TS-3DESSHA1ESP
 match address L2TP
!
crypto map VPN 10 ipsec-isakmp dynamic L2TP
!
interface VLAN1
 crypto map VPN
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pool1
 ppp mtu adaptive
 ppp authentication ms-chap-v2 ms-chap chap
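Two things in this thread are worth checking mechanically rather than by eye: whether the Virtual-Template1 in the posted running-config can negotiate MPPE at all (MPPE derives its session keys from MS-CHAP or MS-CHAPv2 authentication, so a list that offers only pap and chap cannot, which is why the "Require encryption" setting fails and why the PPTP template above switches to ms-chap-v2 ms-chap), and which settings in the posted configs are weak by current standards (the wildcard 0.0.0.0 0.0.0.0 pre-shared key and 3DES/group 2 in the L2TP/IPsec sample, the "private" read-write SNMP community, telnet on the vty lines, plain HTTP management and no service password-encryption in the running-config). The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS-style config into sections and reports those findings. CONFIG and HARDENED are constructed for the example and only loosely modelled on the configs above; the hardened values (AES-256, DH group 14, an RO-only community string) are one reasonable choice, not the only one.

```python
"""Audit an IOS-style config for the VPDN/crypto/management settings discussed (added example)."""
import re

# Constructed config carrying the weak settings from the thread (not the real device config).
CONFIG = """\
no service password-encryption
ip http server
snmp-server community private RW
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key your-L2TP-tunnel-key address 0.0.0.0 0.0.0.0 no-xauth
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp encrypt mppe auto
 ppp authentication pap chap L2TP-AUTH
line vty 0 4
 transport input telnet ssh
"""

# The same sections with the corrected settings (constructed, hypothetical community string).
HARDENED = """\
service password-encryption
ip http secure-server
snmp-server community Kq9-readonly-7x RO
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 L2TP-AUTH
line vty 0 4
 transport input ssh
"""


def parse_sections(text):
    """Split an IOS config into (header, [indented body lines]) blocks; '!' lines are separators."""
    sections, current = [], ("", [])
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(text):
    """Return a list of (location, finding) tuples; an empty list means no finding."""
    findings = []
    for header, body in parse_sections(text):
        if header == "no service password-encryption":
            findings.append((header, "password obfuscation disabled; line passwords appear in clear in the config"))
        if header == "ip http server":
            findings.append((header, "plain HTTP management enabled; keep only 'ip http secure-server'"))
        m = re.match(r"snmp-server community (\S+) (RW|RO)$", header)
        if m and (m.group(2) == "RW" or m.group(1).lower() in {"public", "private"}):
            findings.append((header, "guessable SNMP community and/or read-write access"))
        if header.startswith("crypto isakmp key") and "address 0.0.0.0 0.0.0.0" in header:
            findings.append((header, "one pre-shared key for any peer; anyone holding it can start IKE"))
        if header.startswith("crypto isakmp policy"):
            for line in body:
                if line.startswith("encr 3des") or line in ("group 1", "group 2"):
                    findings.append((f"{header} / {line}", "legacy IKE algorithm; prefer AES and DH group 14 or higher"))
        if header.startswith("interface Virtual-Template"):
            wants_mppe = any(l.startswith("ppp encrypt mppe") for l in body)
            auth = [l for l in body if l.startswith("ppp authentication")]
            methods = set(auth[0].split()[2:]) if auth else set()   # also picks up the list name, harmless
            if wants_mppe and not methods & {"ms-chap", "ms-chap-v2"}:
                findings.append((f"{header} / {auth[0] if auth else 'no ppp authentication'}",
                                 "MPPE keys are derived from MS-CHAP/MS-CHAPv2; this list cannot negotiate MPPE"))
            if "pap" in methods:
                findings.append((f"{header} / {auth[0]}", "PAP sends the user password in clear before MPPE is up"))
        if header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append((f"{header} / {line}", "telnet permitted on vty; restrict to ssh"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", CONFIG), ("hardened", HARDENED)):
        print(f"--- {label}: {len(audit(cfg))} finding(s)")
        for where, what in audit(cfg):
            print(f"  {where}\n      {what}")
```

Run it against "show running-config" output saved to a file to get the same report for a real device; the parser only relies on IOS indentation, so other sections are ignored rather than misread.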
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
Whoops... forgot one key piece:

ip access-list extended L2TP
 permit udp host 202.134.xxx.yyy eq 1701 any
 

Author Comment

by:AXISHK
Thanks.

One last question: my Cisco is an 1804 and I believe it doesn't have special hardware for IPsec. Does it make any difference between IPsec and MPPE in terms of security and encryption?

Many thanks.

 
LVL 22

Expert Comment

by:Jody Lemoine
Actually, the 1800 series has the IPsec accelerator on-board, so you should be fine.  Do a "show version" to be sure.  The relevant output from my 1811 looks like this:

Cisco 1811 (MPC8500) processor (revision 0x400) with 354304K/38912K bytes of memory.
Processor board ID FHK1124103S, with hardware revision 0000

10 FastEthernet interfaces
1 Serial interface
1 terminal line
1 Virtual Private Network (VPN) Module
62976K bytes of ATA CompactFlash (Read/Write)

The key thing to look for is that "1 Virtual Private Network (VPN) Module" line.  If it's there, you have it.