DNS resolution over VPN (Cisco) doesn't work - server UNKNOWN

Posted on 2012-08-27
Last Modified: 2012-08-28
Hi,

I have just migrated from SBS2003 to Windows Server 2008 R2, and I have one little problem left to address.

Everything works like a marvel from the inside, but when I have people connected over a Cisco VPN, they can't resolve names via the DNS.

nslookup server gives them the correct server address, 192.168.10.222, but it is tagged as unknown and won't resolve names.

Any idea?

NIC is configured with the loopback as primary DNS server on the Win2k8 DNS server.
IPv6 was unchecked.
Question by:maxalarie
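The "server UNKNOWN" in the question comes from the first thing nslookup does at startup: a reverse (PTR) lookup of the DNS server's own address. That step is independent of the forward lookup the user types afterwards, so the two can fail for different reasons (a missing PTR record versus packets that never reach the server). The following script is an added example, not code from the thread; it sends the two queries separately, each with its own timeout, so a client on the VPN can see which step is actually failing. It builds and parses DNS messages by hand (no third-party resolver library), and the DNS server address is the one from the question.

```python
import socket
import struct

DNS_SERVER = "192.168.10.222"   # the new Win2k8 DNS server from the question
QTYPE_A, QTYPE_PTR = 1, 12


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query with RD=1 (what nslookup sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def reverse_name(ip: str) -> str:
    """192.168.10.222 -> 222.10.168.192.in-addr.arpa (the PTR owner name)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer, RFC 1035 4.1.4
            hops += 1
            if hops > 16:                        # refuse pointer loops from a hostile server
                raise ValueError("too many compression pointers")
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, txid: int):
    """Return (rcode, [answers]) for the A/PTR answers in a response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                          # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        elif rtype == QTYPE_PTR:
            answers.append(_read_name(msg, off)[0])
        else:
            answers.append(msg[off:off + rdlen].hex())
        off += rdlen
    return flags & 0xF, answers


def query(server: str, name: str, qtype: int, timeout: float = 2.0):
    """Send one UDP query; return (rcode, answers) or None on timeout."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def diagnose(server: str, name: str):
    """Step 1 is nslookup's startup PTR lookup; step 2 is the user's forward lookup."""
    return {"server_ptr": query(server, reverse_name(server), QTYPE_PTR),
            "forward": query(server, name, QTYPE_A)}


if __name__ == "__main__":
    print(diagnose(DNS_SERVER, "server.processia2003.com"))
```

A `None` for `server_ptr` with a good `forward` answer means only the PTR zone is missing (cosmetic); `None` for both means the packets are not reaching the server or the replies are not coming back over the tunnel, which is the ASA/NAT/host-firewall territory the rest of the thread walks through.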
LVL 9

Assisted Solution

by:tsaico
tsaico earned 1000 total points
ID: 38336732
I had this problem not too long ago and I used this page to correct my issue.

http://www.isaserver.org/img/upl/vpnkitbeta2/dnsvpn.htm

In my particular case, I could not resolve unqualified names, meaning everything had to be server.domain.local and just "server" would fail.  What covered my problem was near the top, about not being able to resolve internal names.  My own situation was to stop DHCP on the unit and use our file server as a DHCP so all the clients got the correct suffix.  I eventually made this a secondary DC in the network, but that was for other backup reasons (occasionally the WAN would go down, and all the remote office would lose everything).
LVL 2

Author Comment

by:maxalarie
ID: 38336816
In my case, DNS times out, be it for qualified names or not...
LVL 10

Expert Comment

by:djcanter
ID: 38336862
Can you post the output of "route print" from the client while connected to the VPN.
Is the IP of the new server the same as the old server? What ACLs are in place on the router? Do clients have access to the entire subnet when VPN connected? Can you ping 192.168.10.222 while connected?
 
LVL 18

Expert Comment

by:Don S.
ID: 38336966
This is likely an issue with Cisco VPN client and windows 7/vista.  Here is a brief discussion on what is happening and what to do about it: http://www.synetx.com/tips/?p=53
LVL 2

Author Comment

by:maxalarie
ID: 38337202
Address of new server is not the same.

C:\Users\ejutras>route print
===========================================================================
Interface List
 20...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
 11...00 21 cc bd 6f b5 ......Intel(R) 82579LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 36...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    206.162.157.1    206.162.157.2    276
          0.0.0.0          0.0.0.0       172.16.1.1     172.16.1.220    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.1.0    255.255.255.0         On-link      172.16.1.220    276
     172.16.1.220  255.255.255.255         On-link      172.16.1.220    276
     172.16.1.255  255.255.255.255         On-link      172.16.1.220    276
     192.168.10.0    255.255.255.0       172.16.1.1     172.16.1.220    100
     192.168.11.0    255.255.255.0       172.16.1.1     172.16.1.220    100
    206.162.157.0  255.255.255.248         On-link     206.162.157.2    276
    206.162.157.2  255.255.255.255         On-link     206.162.157.2    276
    206.162.157.3  255.255.255.255         On-link     206.162.157.2    100
    206.162.157.7  255.255.255.255         On-link     206.162.157.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     206.162.157.2    276
        224.0.0.0        240.0.0.0         On-link      172.16.1.220    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     206.162.157.2    276
  255.255.255.255  255.255.255.255         On-link      172.16.1.220    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    206.162.157.1  Default
          0.0.0.0          0.0.0.0       172.16.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13   1125 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 36     58 2001::/32                On-link
 36    306 2001:0:9d38:953c:c1a:3b03:315d:62fd/128
                                    On-link
 13   1025 2002::/16                On-link
 13    281 2002:cea2:9d02::cea2:9d02/128
                                    On-link
 11    276 fe80::/64                On-link
 36    306 fe80::/64                On-link
 36    306 fe80::c1a:3b03:315d:62fd/128
                                    On-link
 11    276 fe80::c589:9fb2:c98a:af49/128
                                    On-link
  1    306 ff00::/8                 On-link
 36    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
LVL 10

Expert Comment

by:djcanter
ID: 38337231
The routes and metrics look right.
Can you ping 192.168.10.222? What ACLs are in place on the Cisco?
LVL 2

Author Comment

by:maxalarie
ID: 38337620
Cannot ping the DNS server... hmmm
I can ping other resources via their address.
I don't see anything in the ACLs; where should I be looking?
It's an ASA, and I manage it via ASDM.
It is clearly a communication problem with the DNS over the VPN connection.
LVL 10

Expert Comment

by:djcanter
ID: 38337633
Can you post a sanitized copy of the running config?
What is the IP of the other resources you can ping (192.168.10.x, 192.168.11.x)?
LVL 2

Author Comment

by:maxalarie
ID: 38337700
I was able to ping 192.168.10.66

: Saved
:
ASA Version 7.2(1)24
!
hostname ciscoasa
domain-name processia.com
enable password xxxxxxxxxxxxxxx encrypted
names
name 192.168.10.5 denali2
name xxx.xxx.xxx.xxx extip
name 142.169.1.16 extdns
name 192.168.10.244 TeleconfProcessia description Polycom VSX 5000 system
name 192.168.10.222 denali
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address extip 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 description bridge to the
 nameif DMZ
 security-level 0
 ip address 192.168.15.1 255.255.255.0
 rip receive version 2
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa721-24-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name processia.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ACL-VIRY
 description WKS Processia VIRY project
 network-object host 192.168.10.62
 network-object host TeleconfProcessia
 network-object host 192.168.10.38
 network-object host 192.168.10.56
 network-object host 192.168.10.107
 network-object host 192.168.10.96
 network-object host 192.168.10.39
 network-object host 192.168.10.98
 network-object host 192.168.10.221
 network-object host 192.168.10.65
 network-object host denali
 network-object host 192.168.10.47
 network-object host 192.168.10.27
 network-object host 192.168.10.101
 network-object host 192.168.10.166
 network-object host 192.168.10.23
 network-object host 192.168.10.26
 network-object host 192.168.10.64
 network-object host 192.168.10.25
 network-object host 192.168.10.66
 network-object host 192.168.10.70
object-group service Teleconf_Polcom_UDP udp
 description UDP ports used by the Polycom teleconference
 port-object range 3230 3253
object-group service polycom_TCP tcp
 port-object range 3230 3237
object-group network ACL-MAT
 description ACL-MCL
 network-object host 192.168.10.62
object-group network LinCompiler2
 network-object host 192.168.10.199
object-group service Fisheye tcp
 port-object range 8060 8060
object-group service Jira tcp
 port-object range 8181 8181
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host denali2 eq www
access-list acl_out remark CBIC -  Support Teleconf.
access-list acl_out extended permit tcp any host 74.15.177.198
access-list acl_out remark Port Messenger  used for file transfer.
access-list acl_out extended deny tcp any any eq 1863
access-list acl_out remark VPN connection at Alstom.  vpn2.alstom.ch
access-list acl_out extended deny ip any host 195.49.72.118 log inactive
access-list acl_out remark pop3 UCEQ
access-list acl_out extended permit tcp any host extip eq 26
access-list acl_out remark Maximizer
access-list acl_out extended permit tcp any host extip eq 8080 log
access-list acl_out remark Maximizer
access-list acl_out extended permit tcp any host extip eq 8081 log
access-list acl_out remark Web Timesheet
access-list acl_out extended permit tcp any host extip eq 12500 log inactive
access-list acl_out remark NTP
access-list acl_out extended permit tcp any host denali eq 123 log
access-list acl_out remark No idea what this is. Disabled for security purpose.
access-list acl_out extended deny tcp any host extip eq 6666 inactive
access-list acl_out extended permit tcp any host extip eq 2525
access-list acl_out extended permit tcp any host extip eq 800
access-list acl_out extended permit tcp any host extip eq 801
access-list acl_out remark FTP Denali port closed.
access-list acl_out extended permit tcp any host extip eq ftp log notifications
access-list acl_out extended permit tcp any host extip eq 802
access-list acl_out remark PBMS disabled
access-list acl_out extended deny tcp any host extip eq 900
access-list acl_out extended permit tcp any host extip eq pop3
access-list acl_out extended permit tcp any host extip eq smtp log
access-list acl_out extended permit tcp any host extip eq www
access-list acl_out extended permit tcp any host extip eq https
access-list acl_out remark Telus - Connections for support.
access-list acl_out extended permit tcp 207.134.136.224 255.255.255.224 host extip range 3390 3391
access-list acl_out extended permit tcp any object-group polycom_TCP host TeleconfProcessia object-group polycom_TCP
access-list acl_out remark Telus connections for support
access-list acl_out extended permit tcp 216.226.48.112 255.255.255.248 host extip range 3390 3391
access-list acl_out extended permit tcp any eq h323 host TeleconfProcessia eq h323
access-list acl_out extended permit udp any object-group Teleconf_Polcom_UDP host TeleconfProcessia object-group Teleconf_Polcom_UDP
access-list acl_out remark Possibly Alstom, but not certain. Rule deactivated
access-list acl_out remark ALSTOM
access-list acl_out remark Port Messenger  used for file transfer.
access-list acl_out remark VPN connection at Alstom.  vpn2.alstom.ch
access-list acl_out remark pop3 UCEQ
access-list acl_out remark Web Timesheet
access-list acl_out remark NTP
access-list acl_out remark No idea what this is. Disabled for security purpose.
access-list acl_out remark FTP Denali port closed.
access-list acl_out remark PBMS disabled
access-list acl_out remark Telus - Connections for support.
access-list acl_out remark Telus connections for support
access-list acl_out extended permit ip any 192.168.2.0 255.255.255.0
access-list acl_out extended permit tcp any host extip object-group Jira
access-list acl_out extended permit tcp any host extip object-group Fisheye
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 138.21.0.0 255.255.0.0
access-list nonat extended permit ip host 192.168.10.64 192.168.10.200 255.255.255.252
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list acl_in extended permit ip any any
access-list acl_in_tst extended deny tcp any any eq 1863
access-list acl_in_tst extended deny tcp any host 216.91.187.195 eq www
access-list acl_in_tst extended deny tcp any host 64.4.13.170 eq www
access-list acl_in_tst extended permit ip any any
access-list permitall extended permit ip any any
access-list permitall extended permit tcp any any
access-list permitall extended permit udp any any
access-list permitall extended permit icmp 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split extended permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VIRY_IN extended permit ip 138.21.0.0 255.255.0.0 object-group ACL-VIRY
access-list VIRY_IN extended permit udp 138.21.0.0 255.255.0.0 object-group ACL-VIRY
access-list VIRY_IN extended permit tcp 138.21.0.0 255.255.0.0 object-group ACL-VIRY
access-list VIRY_IN extended permit icmp 138.21.0.0 255.255.0.0 object-group ACL-VIRY
access-list VIRY_IN extended permit icmp 192.168.90.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit tcp 192.168.90.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit ip 192.168.80.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit tcp 192.168.80.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit icmp 192.168.80.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit tcp 192.168.2.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit ip 192.168.2.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit icmp 192.168.2.0 255.255.255.0 object-group ACL-VIRY
access-list VIRY_IN extended permit icmp 192.168.15.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VIRY_IN extended permit ip 192.168.15.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VIRY_IN extended permit ip any 138.21.0.0 255.255.0.0
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit tcp any any
access-list DMZ_access_out extended permit icmp any any
access-list DMZ_access_out_1 extended permit ip object-group ACL-VIRY any
access-list DMZ_access_out_1 extended permit udp object-group ACL-VIRY any
access-list outside_cryptomap extended permit ip any 192.168.10.200 255.255.255.252
access-list outside_cryptomap_1 extended permit ip any 192.168.10.200 255.255.255.252
access-list 101 extended permit ip any any
access-list 101 extended deny icmp any host 192.168.10.0
access-list LinxCompiler2 extended permit ip any host 192.168.10.65
access-list VPN-Processia extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 200
logging trap warnings
logging asdm errors
logging from-address ejutras@processia.com
logging recipient-address ejutras@processia.com level errors
logging host inside 192.168.10.32 format emblem
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool allard-ip 192.168.10.10
ip local pool fraser-ip 192.168.10.17
ip local pool jmlaplante 192.168.10.208
ip local pool VPNCLIENT 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool malarie 192.168.10.62 mask 255.255.255.0
ip local pool mclmat 192.168.10.223-192.168.10.224 mask 255.255.255.0
asdm image disk0:/asdm521-54.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.1.1.0 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 802 denali 802 netmask 255.255.255.255
static (inside,outside) tcp interface smtp denali smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.10.44 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 808 denali 808 netmask 255.255.255.255
static (inside,outside) tcp interface 801 denali 801 netmask 255.255.255.255
static (inside,outside) tcp interface https denali https netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.11.110 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.11.112 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.10.68 www netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.10.66 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.10.66 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8060 192.168.10.82 8060 netmask 255.255.255.255
static (inside,outside) tcp interface 8181 192.168.10.82 8181 netmask 255.255.255.255
static (inside,outside) denali2 denali2 netmask 255.255.255.255
access-group acl_out in interface outside
access-group permitall in interface inside
access-group VIRY_IN in interface DMZ
access-group DMZ_access_out_1 out interface DMZ
route outside 0.0.0.0 0.0.0.0 206.162.157.1 1
route inside 192.168.11.0 255.255.255.0 192.168.10.253 1
route DMZ 138.21.0.0 255.255.0.0 192.168.15.2 1
route DMZ 192.168.90.0 255.255.255.0 192.168.15.2 1
route DMZ 192.168.80.0 255.255.255.0 192.168.15.2 1
!
router rip
 version 2
!
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server IAS protocol radius
aaa-server IAS (outside) host 192.168.10.2
 key vlpeflxo
group-policy test internal
group-policy test attributes
 dns-server none
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.10.222
 dns-server value 192.168.10.222
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 30
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split
 default-domain value processia2003.com
 split-dns value 192.168.10.222
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication enable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass enable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPNCLIENT
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc required
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy WebVPN internal
group-policy WebVPN attributes
 banner value Processia WebVPN
 dns-server value 192.168.10.222
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value processia2003.com
 address-pools value VPNCLIENT
 webvpn
  functions url-entry file-access file-entry file-browsing
  homepage none
  port-forward none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  svc enable
group-policy 166.63.199.53 internal
group-policy 166.63.199.53 attributes
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ip-comp disable
 re-xauth disable
 group-lock value 166.63.199.53
 pfs disable
group-policy CAE internal
group-policy CAE attributes
 dns-server value 192.168.10.222
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 password-storage disable
group-policy MclMAT internal
group-policy MclMAT attributes
 banner value Welcome to Processia
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-simultaneous-logins 2
 vpn-idle-timeout 20
 vpn-session-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 default-domain none
 address-pools value mclmat
group-policy open internal
group-policy open attributes
 dns-server value 192.168.10.222
 vpn-access-hours none
 vpn-simultaneous-logins 30
 password-storage enable
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split
 default-domain value processia2003.com
 split-dns value 192.168.10.222
 address-pools value VPNCLIENT
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http denali 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.10.22 255.255.255.255 inside
http 192.168.10.254 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 20 esp-3des esp-sha-hmac
crypto ipsec transform-set VPN-Processia esp-3des esp-md5-hmac
crypto dynamic-map vpndynmap1 10 set transform-set vpnset1
crypto dynamic-map vpndynmap1 30 set pfs
crypto dynamic-map vpndynmap1 30 set transform-set ESP-3DES-SHA
crypto dynamic-map vpndynmap1 50 set pfs
crypto dynamic-map vpndynmap1 50 set transform-set 20
crypto map vpnmap1 10 ipsec-isakmp dynamic vpndynmap1
crypto map vpnmap1 20 set pfs
crypto map vpnmap1 20 set transform-set ESP-3DES-SHA
crypto map vpnmap1 interface outside
crypto map VPNVIRY 120 set peer 166.63.199.53
crypto map VPNVIRY 120 set transform-set 20
crypto map vpnmap 50 match address VPN-Processia
crypto map vpnmap 50 set peer 193.252.206.71
crypto map vpnmap 50 set transform-set VPN-Processia
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal  20

no vpn-addr-assign dhcp
telnet 172.16.1.0 255.255.255.0 outside
telnet 192.168.10.2 255.255.255.255 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.10.33 255.255.255.255 inside
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 20
ssh 172.16.1.13 255.255.255.255 inside
ssh 192.168.10.62 255.255.255.255 inside
ssh timeout 60
ssh version 1
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd enable management
!
!
class-map DMZ-class
 match port tcp eq h323
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map DMZ-policy
 class DMZ-class
  priority
!
service-policy global_policy global
ntp server 91.189.94.4 source outside prefer
tftp-server inside 192.168.10.70 AsaConfig2012
webvpn
 enable outside
 http-proxy 192.168.10.55 80
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
 url-list Nilgiri "Nilgiri" cifs://192.168.10.66 1
prompt hostname context
Cryptochecksum:70502c9b27fe2a1cd50b36ddbda7a0e1
: end
asdm image disk0:/asdm521-54.bin
no asdm history enable
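Reading a posted ASA config by eye for the VPN DNS path (client pool, NAT exemption back to the pool, pushed DNS server, split-tunnel settings, DNS inspection) is error-prone, so here is an added example, not part of the thread, that walks those items programmatically. It runs against a constructed excerpt modelled on the config above; the parser handles the ASA 7.x forms visible on this page (`any`, `host A`, `A MASK`, named interface addresses such as `ip address extip ...`, which it skips). Everything it reports is derived from the lines it is given, and the helper names are mine.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 7.2 config posted in the thread.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool VPNCLIENT 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool mclmat 192.168.10.223-192.168.10.224 mask 255.255.255.0
nat (inside) 0 access-list nonat
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.222
 split-tunnel-policy tunnelall
 split-dns value 192.168.10.222
 address-pools value VPNCLIENT
group-policy MclMAT internal
group-policy MclMAT attributes
 dns-server none
 address-pools value mclmat
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect netbios
service-policy global_policy global
"""


def _blocks(cfg, header_re):
    """Yield (header match, stripped indented body lines) for each matching block."""
    lines = cfg.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(header_re, lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].startswith(" "):
            body.append(lines[i].strip())
            i += 1
        yield m, body


def _take_net(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_pools(cfg):
    """Map 'ip local pool' names to the network the pool addresses live in."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) ([\d.]+)(?:-[\d.]+)?(?: mask (\S+))?$", cfg, re.M):
        name, first, mask = m.groups()
        pools[name] = ipaddress.IPv4Network(f"{first}/{mask or '255.255.255.255'}", strict=False)
    return pools


def parse_nonat(cfg):
    """(src, dst) networks exempted from NAT by the 'nonat' access-list."""
    rules = []
    for line in cfg.splitlines():
        if line.startswith("access-list nonat extended permit ip "):
            tokens = line.split()[5:]
            rules.append((_take_net(tokens), _take_net(tokens)))
    return rules


def parse_interfaces(cfg):
    """nameif -> interface network; entries using a 'names' alias are skipped."""
    nets = {}
    for _, body in _blocks(cfg, r"^interface \S+$"):
        name = net = None
        for item in body:
            if item.startswith("nameif "):
                name = item.split()[1]
            elif item.startswith("ip address "):
                try:
                    net = ipaddress.IPv4Network("/".join(item.split()[2:4]), strict=False)
                except ValueError:
                    net = None
        if name and net:
            nets[name] = net
    return nets


def parse_group_policies(cfg):
    """group-policy name -> the VPN DNS attributes we care about."""
    policies = {}
    for m, body in _blocks(cfg, r"^group-policy (\S+) attributes$"):
        attrs = {}
        for item in body:
            key, _, rest = item.partition(" ")
            if key in ("dns-server", "split-dns", "address-pools"):
                attrs[key] = None if rest == "none" else rest.split(" ", 1)[1]
            elif key == "split-tunnel-policy":
                attrs[key] = rest
        policies[m.group(1)] = attrs
    return policies


def inspect_dns_enabled(cfg):
    """True if the policy-map applied globally carries 'inspect dns'."""
    applied = re.search(r"^service-policy (\S+) global$", cfg, re.M)
    for m, body in _blocks(cfg, r"^policy-map (\S+)$"):
        if applied and m.group(1) == applied.group(1):
            return any(item.startswith("inspect dns") for item in body)
    return False


def check_vpn_dns_path(cfg):
    pools, nonat = parse_pools(cfg), parse_nonat(cfg)
    inside = parse_interfaces(cfg).get("inside")
    report = {}
    for name, attrs in parse_group_policies(cfg).items():
        findings = []
        pool = pools.get(attrs.get("address-pools") or "")
        dns = attrs.get("dns-server")
        if dns is None:
            findings.append("no dns-server pushed to clients")
        if pool and inside and pool.overlaps(inside):
            findings.append(f"pool {pool} overlaps inside subnet {inside}: address collisions possible")
        if pool and dns:
            dns_ip = ipaddress.IPv4Address(dns.split()[0])
            if not any(dns_ip in src and pool.subnet_of(dst) for src, dst in nonat):
                findings.append(f"no nat 0 exemption from {dns_ip} to pool {pool}")
        if attrs.get("split-tunnel-policy") == "tunnelall" and attrs.get("split-dns"):
            findings.append("split-dns set but split-tunnel-policy is tunnelall, so it has no effect")
        report[name] = findings
    return {"policies": report, "inspect_dns": inspect_dns_enabled(cfg)}


if __name__ == "__main__":
    for name, findings in check_vpn_dns_path(ASA_CONFIG)["policies"].items():
        print(name, findings or ["ok"])
```

On the excerpt this reports DfltGrpPolicy as clean apart from the unused split-dns, flags MclMAT for pushing no DNS server and for a pool carved out of the inside subnet (the same class of address overlap that turned out to be the real problem later in this thread), and notes that `inspect dns` is not in the global policy even though `preset_dns_map` is defined.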
LVL 10

Expert Comment

by:djcanter
ID: 38337769
The config looks OK.
Have you tried disabling Windows/3rd-party firewalls on the server?
LVL 2

Author Comment

by:maxalarie
ID: 38337791
There are no 3rd party firewalls.
It is a plain and new Win2k8 Standard server that was set up last week.
Name resolution is OK from the inside...

When I disable Windows' Firewall, it stops working...

I have those problems only from VPN.
LVL 10

Expert Comment

by:djcanter
ID: 38338018
Can you add a rule to Windows firewall to allow all traffic to/from 172.16.1.0/24?
LVL 2

Author Comment

by:maxalarie
ID: 38338063
Windows Firewall doesn't have such a configuration.
You can tell which port to block/allow, select if it is from/to Internal/Private/Public network, but it all seems configured OK.

Inbound, I have a DNS rule for port 53; it is allowed from all IPs, all network types.
Outbound, I have a rule for the DNS service and it is allowed for all IPs, all network types.
LVL 2

Author Comment

by:maxalarie
ID: 38338075
With a tracert, I should be able to see if I am blocked by the ASA or the Win2k8 server, right?
LVL 2

Author Comment

by:maxalarie
ID: 38338095
From the ping command of the ASDM, I cannot reach my DNS server from its IP.
LVL 10

Expert Comment

by:djcanter
ID: 38338097
Are you allowing TCP and UDP on port 53?
Not sure that tracert will get past the ASA.

From the server command line you can run
netstat -an 1|findstr 172.16.1.

to see if any connections get made. It feels like a firewall issue on the server. From the server, can you ping 172.16.1.220?
LVL 2

Author Comment

by:maxalarie
ID: 38338141
Both UDP and TCP are allowed.

netstat cannot find anything related to 172.16.

Cannot ping the new 172 address of a computer I just connected to the VPN.
LVL 10

Expert Comment

by:djcanter
ID: 38338149
Does the server have the correct gateway configured?
LVL 2

Author Comment

by:maxalarie
ID: 38338181
Yes it does.
LVL 2

Author Comment

by:maxalarie
ID: 38338191
tracert didn't go far...
LVL 2

Author Comment

by:maxalarie
ID: 38338213
Changed the DNS in the NIC to its IP instead of loopback; it didn't change the behavior.
LVL 2

Author Comment

by:maxalarie
ID: 38338259
Tried to add outbound rules, since there didn't seem to be one for port 53, but it didn't help.
Should I restart some services ?
LVL 10

Expert Comment

by:djcanter
ID: 38338275
I would try rebooting the server. Can you post the output of route print from the server first, though?
LVL 2

Author Comment

by:maxalarie
ID: 38338369
I think we have something...
We rebooted the ASA, and were able to connect and talk with the DNS...
It happened earlier today.
But after a few minutes, it stops working...
But we found something in the ASA log...

Deny due to land attack from NewServer(DNS)...
LVL 2

Author Comment

by:maxalarie
ID: 38338412
From NewServer to NewServer
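The ASA message quoted above is its LAND-attack check: the firewall drops any packet whose source and destination address are identical, and logs it as `%ASA-2-106017`. Seeing your own DNS server's address in that message means some host is sending packets addressed to the server with the server's address as source, and the usual cause is a second machine configured with the same IP. The parser below is an added example, not part of the thread; it runs over constructed syslog lines in the ASA format (not the poster's real log), counts LAND denials per address so the address can be checked for a duplicate, and separately picks out DNS traffic from the VPN pool that an access-group denied, which is the other place a VPN DNS failure shows up on the ASA.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in ASA syslog format; the addresses are the thread's.
SAMPLE_SYSLOG = """\
Aug 27 2012 14:02:11 ciscoasa %ASA-2-106017: Deny IP due to Land Attack from 192.168.10.222 to 192.168.10.222
Aug 27 2012 14:02:12 ciscoasa %ASA-6-302013: Built inbound TCP connection 1245 for outside:172.16.1.220/52113 (172.16.1.220/52113) to inside:192.168.10.66/80 (192.168.10.66/80)
Aug 27 2012 14:02:14 ciscoasa %ASA-2-106017: Deny IP due to Land Attack from 192.168.10.222 to 192.168.10.222
Aug 27 2012 14:02:20 ciscoasa %ASA-4-106023: Deny udp src outside:172.16.1.220/50210 dst inside:192.168.10.222/53 by access-group "acl_out"
"""

# 106017: Deny IP due to Land Attack from <ip> to <ip> (names appear here when 'names' is on)
LAND_RE = re.compile(r"%ASA-\d-106017: Deny IP due to Land Attack from (\S+) to (\S+)")
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
ACL_DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (\w+) src (\w+):(\S+?)/(\d+) dst (\w+):(\S+?)/(\d+) by access-group "([^"]+)"')


def parse_asa_line(line: str):
    """Return a dict for the two message types we care about, else None."""
    m = LAND_RE.search(line)
    if m:
        return {"kind": "land", "src": m.group(1), "dst": m.group(2)}
    m = ACL_DENY_RE.search(line)
    if m:
        proto, sif, src, sport, dif, dst, dport, acl = m.groups()
        return {"kind": "acl_deny", "proto": proto, "src_if": sif, "src": src,
                "sport": int(sport), "dst_if": dif, "dst": dst, "dport": int(dport), "acl": acl}
    return None


def summarize(log_text: str, dns_server: str, vpn_pool: str):
    """Count LAND drops per target address and list denied DNS from the VPN pool."""
    pool = ipaddress.IPv4Network(vpn_pool)
    land = Counter()
    dns_denied = []
    for line in log_text.splitlines():
        ev = parse_asa_line(line)
        if ev is None:
            continue
        if ev["kind"] == "land":
            land[ev["dst"]] += 1               # src == dst by definition of the message
        elif (ev["kind"] == "acl_deny" and ev["dst"] == dns_server and ev["dport"] == 53
              and ipaddress.IPv4Address(ev["src"]) in pool):
            dns_denied.append((ev["src"], ev["proto"], ev["acl"]))
    return {
        "land_attack": dict(land),
        "duplicate_ip_suspects": sorted(land),   # addresses to check for a second host
        "dns_denied_from_vpn": dns_denied,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG, "192.168.10.222", "172.16.1.0/24"))
```

A non-empty `duplicate_ip_suspects` is the cue to look for a second MAC claiming that address (switch MAC table, or `arp -a` from a host on the segment), which is exactly the hardcoded-IP clash the author found next.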
LVL 2

Author Comment

by:maxalarie
ID: 38338698
It was one user that had a hardcoded IP that was the same as the new server's...
Old stuff! Damn...

Now I think I broke the group policy that should allow internet browsing...
LVL 10

Expert Comment

by:djcanter
ID: 38338753
Glad you got it sorted out
LVL 2

Author Comment

by:maxalarie
ID: 38338762
Thanks a lot for your help!
How does that work, should I award you points anyway for the help?
LVL 2

Author Comment

by:maxalarie
ID: 38338804
Oh, it is not all good.
Now the server can be pinged via the ASDM.
When you are connected on VPN and type nslookup, the server is not unknown and there is no timeout, but as soon as you ask for a resolution, it times out...
LVL 10

Accepted Solution

by:djcanter
djcanter earned 1000 total points
ID: 38341042
What is the OS of the client that is connecting to the VPN? For Win7/Vista this is the exact scenario posted in tsaico's solution above.
LVL 2

Author Closing Comment

by:maxalarie
ID: 38341669
Thanks to both of you!