Re: Cisco VPN / Firewall configuration

From: G-Love (greg_at_20percent.org)
Date: 07/25/04

    Date: Sat, 24 Jul 2004 15:56:09 -0700
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Scot L. Harris wrote:
    > On Sat, 2004-07-24 at 18:09, G-Love wrote:
    >
    >>All -
    >>
    >>After much consternation, I was successfully able to install the Cisco
    >>3000 series VPN client on my FC2 box, with kernel 2.6.7. I had some
    >>problems connecting at first, but that was fixed with a simple addition
    >>to my iptables config file. Here's my current problem (and seemingly my
    >>last hurdle to getting this to work as I need):
    >>
    >>I'm connecting to the VPN server using NAT, as I have a firewall running
    >>on my machine. I can get to all the internal websites with no problem;
    >>however, when I try to ssh to a machine on the internal network, it
    >>simply hangs. When I try to ping the same machine, it times out with
    >>the following message:
    >>
    >>PING: unknown host <hostname.myco.com>
    >>
    >>Then I did a little experiment. I got the IP address of the machine
    >>that I was attempting to connect to, re-established my VPN connection,
    >>then attempted to ssh to the machine using the IP address. Lo and
    >>behold, it worked, and I was able to verify that I was, in fact,
    >>connected to the machine thru my VPN connection (the 3000 series VPN
    >>clients/concentrators allow for split tunnelling).
    >>
    >>SO...it seems as though name resolution does not work with the VPN
    >>connection enabled. In fact, I can't see (ssh, ping,...) ANY machines
    >>while the VPN connection is active. I tried pinging cnn.com, and that
    >>resulted in the same "unknown host..." message. I'm a bit of a newbie
    >>to firewall configurations, etc, so any help on getting this to work
    >>would be appreciated. I guess using the IP address is an OK workaround
    >>for now, but I'd rather not rely on this method.
    >>
    >>Thanks.
    >>
    >> -greg
    >
    >
    > This is related to another thread here in the last day. I suspect that
    > the VPN client you are using does not have a DNS server configured or
    > does not have the correct DNS server configured.
    >
    > You validated that you do have network connectivity using the IP
    > addresses. When you establish the VPN connection using the Cisco client
    > software you should end up with some kind of security policy. (I am
    > assuming this software is similar to Checkpoint's Secure Remote). As
    > part of that policy is DNS information. The DNS server it points to
    > will resolve all your DNS queries.
    >
    > If the DNS server is incorrect or unreachable then the query will
    > fail.
    >
    > Are you able to identify a file on your system that contains the
    > policy? I don't remember if Secure Remote encrypted the policy file or
    > not. (I always looked at the file on the firewall side)
    >
    > Even in split tunnel mode with the Checkpoint software all DNS queries
    > went to the one defined in the security policy. It did this since there
    > was no way to differentiate if the request was for a name on the other
    > end of the VPN or not.
    >

    From the Cisco 2000 VPN Concentrator Configuration page:

    "In this section, you are presented with the information to configure
    the features described in this document. Split DNS parameters are
    configured under the group parameters on the Cisco VPN 3000
    Concentrator. Therefore, no configuration on the client is necessary."

    So all of the DNS information is configured on the concentrator side -
    no client side configuration necessary. I never had this problem when
    we used the older, 5000 series concentrators. Thinking about it, I
    believe that there was some DNS configuration necessary on the client
    side when first installing the client SW. Maybe I'll ask around if
    anyone else has seen this behavior, since an improper configuration on
    the concentrator side means others would see this behavior as well.

                 -greg

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
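
The thread narrows the failure down to two candidates: the resolver is pointed at a DNS server that the VPN did not push (or pushed incorrectly), or the local iptables policy drops the DNS query on the tunnel interface even though TCP to the same hosts works. The script below is an added example and not code from the thread or from Cisco; it runs offline over a constructed /etc/resolv.conf, a constructed route table and a constructed iptables-save dump, and for each nameserver reports which interface the kernel would route the query out of and whether the OUTPUT chain would accept UDP and TCP port 53 to it. The interface name `cipsec0`, the addresses and the rules are all assumptions made up for the sample.

```python
"""Diagnose DNS failure while a VPN is up (added example, constructed data)."""
import ipaddress
import re

# Constructed sample of /etc/resolv.conf as rewritten by a VPN client on connect.
RESOLV_CONF = """\
search myco.com
nameserver 10.1.1.53
nameserver 192.168.0.1
"""

# Constructed route table: (destination CIDR, outgoing interface).
# The /16 is the split-tunnel route the concentrator pushed; cipsec0 is assumed.
ROUTES = [
    ("10.1.0.0/16", "cipsec0"),
    ("192.168.0.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
]

# Constructed iptables-save dump: DNS is only allowed out of eth0, not the tunnel.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
COMMIT
"""

_OPT = re.compile(r"(-[A-Za-z]|--[a-z-]+)\s+(\S+)")


def parse_resolv_conf(text):
    """Return nameserver addresses in the order the resolver will try them."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def route_interface(ip, routes):
    """Longest-prefix match over (cidr, iface), the way the kernel picks a route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def parse_iptables(text):
    """Parse the *filter table: chain default policies and the OUTPUT rules."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A OUTPUT"):
            o = dict(_OPT.findall(line))
            rules.append({
                "iface": o.get("-o"),
                "proto": o.get("-p"),
                "dport": int(o["--dport"]) if "--dport" in o else None,
                "dst": ipaddress.ip_network(o["-d"]) if "-d" in o else None,
                "states": o["--state"].split(",") if "--state" in o else None,
                "target": o.get("-j"),
            })
    return policies, rules


def output_verdict(policies, rules, iface, proto, dport, dst):
    """First-match evaluation of a NEW outbound packet against OUTPUT."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] not in (None, iface) or r["proto"] not in (None, proto):
            continue
        if r["dport"] not in (None, dport):
            continue
        if r["dst"] is not None and addr not in r["dst"]:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue  # conntrack rule that never matches a fresh query
        return r["target"]
    return policies.get("OUTPUT", "ACCEPT")


def diagnose(resolv_conf, routes, iptables_dump):
    """One report entry per nameserver: egress interface and 53/udp, 53/tcp verdicts."""
    policies, rules = parse_iptables(iptables_dump)
    report = []
    for ns in parse_resolv_conf(resolv_conf):
        iface = route_interface(ns, routes)
        entry = {"nameserver": ns, "iface": iface}
        for proto in ("udp", "tcp"):
            entry[proto + "53"] = output_verdict(policies, rules, iface, proto, 53, ns)
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in diagnose(RESOLV_CONF, ROUTES, IPTABLES_SAVE):
        print(e)
```

With the constructed data the first (VPN-pushed) nameserver is routed via the tunnel interface and hits the OUTPUT DROP policy, which is exactly the "unknown host" symptom with working IP connectivity; the second server is reachable on UDP but not TCP, which matters once responses exceed 512 bytes and the resolver retries over TCP. On a real box the inputs come from `cat /etc/resolv.conf`, `ip route` and `iptables-save` taken while the VPN is up.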
    

