Cisco VPN client 4.0.3A doesn't get DNS and WINS addresses

Status
Not open for further replies.

PindaRinda

Technical User
Dec 1, 2003
NL
My PIX515E is configured to accept VPN connections from the Internet (option NAT-T enabled). The clients are installed with the Cisco VPN client v4.0.3(A).
After setting up the connection in a simulated environment, the (transparent) tunnel comes up fine. From the client I am able to ping IP addresses on the PIX's internal interface, but DNS and WINS don't work. On my client, which is a Windows XP Professional laptop, I see the following:

>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : TestLaptop1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R)PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-02-A5-DD-08-94
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.12.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.12.1
DNS Servers . . . . . . . . . . . : 10.10.12.100
10.10.12.101
Primary WINS Server . . . . . . . : 10.10.12.100
Secondary WINS Server . . . . . . : 10.10.12.105


Ethernet adapter Cisco VPN Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 130.130.130.193
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 130.130.130.193



Now I see 2 (two) discrepancies:
- The subnet mask of the VPN adapter is a class B mask; I would expect a host-only mask.
- The DNS and WINS addresses are not assigned although the PIX is configured to provide them (see PIX configuration below). What seems to be the problem here and how can I resolve this?

PIX 515E config:

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
hostname FW-TEST
domain-name test.test.local
clock timezone CEST 1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.100.0 LAN1
access-list inside_outbound_nat0_acl permit ip LAN1 255.255.255.0 130.130.130.192 255.255.255.224
mtu outside 1500
mtu inside 1500
ip address outside 10.10.11.1 255.255.255.248
ip address inside 192.168.100.155 255.255.255.0
ip local pool VPNSecure 130.130.130.193-130.130.130.222
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set VPNSecure esp-3des esp-sha-hmac
crypto ipsec transform-set VPNSecure mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynmap 10 set transform-set VPNSecure
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPNmap 10 ipsec-isakmp dynamic dynmap
crypto map VPNmap client configuration address initiate
crypto map VPNmap client configuration address respond
crypto map VPNmap client token authentication AuthorSRV
crypto map VPNmap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNSecure outside
isakmp nat-traversal 60
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN address-pool VPNSecure
vpngroup VPN dns-server 192.168.100.1
vpngroup VPN wins-server 192.168.100.1
vpngroup VPN default-domain test.test.tst
vpngroup VPN idle-time 1800
vpngroup VPN max-time 86400
vpngroup VPN authentication-server AuthorSRV
vpngroup VPN user-authentication

 
Look at debug crypto isakmp and debug crypto ipsec on PIX to determine if the correct DNS and WINS information is pushed to the client during mode-config. It could also be a bug so try to search on CCO if you have access to the bug tool.
 
After examining the debug outputs from the Firewall I conclude that the Firewall is not pushing the DNS and WINS addresses (and other parameters) to the VPN client. The IOS is 6.3.(3).
Does anybody know of this (bug?)?
 
I've seen this happen too, on various PIX with various Pix O/S, but not yet tracked down why it happens.
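
Added example, not part of any post in this thread: a Python check that compares the `vpngroup` attributes in a PIX configuration with the client's `ipconfig /all` output and reports which of them did not arrive on the tunnel adapter. The sample inputs are constructed from values quoted in the first post, and the function names and the `FIELD` mapping are hypothetical.

```python
import ipaddress
import re

# Constructed sample inputs, abridged from the values quoted in the first post.
PIX_CONFIG = """\
ip local pool VPNSecure 130.130.130.193-130.130.130.222
vpngroup VPN dns-server 192.168.100.1
vpngroup VPN wins-server 192.168.100.1
vpngroup VPN default-domain test.test.tst
"""
IPCONFIG = """\
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 10.10.12.2
DNS Servers . . . . . . . . . . . : 10.10.12.100
10.10.12.101
Ethernet adapter Cisco VPN Adapter:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 130.130.130.193
"""
# ipconfig label (assumed English-language output) for each vpngroup attribute
FIELD = {"dns-server": "DNS Servers", "wins-server": "Primary WINS Server",
         "default-domain": "Connection-specific DNS Suffix"}

def expected_from_pix(cfg):
    """Return (pool_start, pool_end, {attribute: value}) from the PIX config."""
    lo, hi = re.search(r"^ip local pool \S+ ([\d.]+)-([\d.]+)", cfg, re.M).groups()
    attrs = dict(re.findall(rf"^vpngroup \S+ ({'|'.join(FIELD)}) (\S+)", cfg, re.M))
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi), attrs

def parse_adapters(text):
    """Map adapter name -> {label: [values]} from ipconfig /all output."""
    adapters, cur, field = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if head := re.match(r".*? adapter (.+):$", line):
            cur, field = adapters.setdefault(head.group(1), {}), None
        elif cur is not None and (kv := re.match(r"(.+?)[ .]*: ?(.*)$", line)):
            field = cur.setdefault(kv.group(1), [])
            if kv.group(2):
                field.append(kv.group(2))
        elif field is not None and line:
            field.append(line)  # bare line continues the previous field
    return adapters

def missing_pushed_settings(cfg, ipconfig_text):
    """Find the adapter addressed from the VPN pool; list attributes it lacks."""
    lo, hi, attrs = expected_from_pix(cfg)
    for name, f in parse_adapters(ipconfig_text).items():
        if (ip := f.get("IP Address")) and lo <= ipaddress.ip_address(ip[0]) <= hi:
            return name, sorted(k for k, v in attrs.items() if v not in f.get(FIELD[k], []))
    return None, []
```
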
 