
vpn client issue 1


networkerer

Dec 9, 2009
Hi All, I have a Cisco VPN set up, all is working well besides one issue: in order to work with Exchange server I need to enter the DNS settings into the networking connection settings. Once the connection is closed the DNS settings are lost, meaning that they have to be entered each time the connection is made.

How can I get these settings to stay in!!

Thanks

 
post a scrubbed config and we'll get you squared away

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I'm not sure I can do this, when the issue first came up as the user being unable to get mail, I looked into this for some time and the solution was to place the DNS settings in the client and it worked.

I'm aware that the config would help with this, but seeing as it's a large company, posting up the config even edited is not really an option.

Just really wanted to see if anyone had some ideas of what the issue may be.

Thanks for the reply.
 
make sure that your crypto client groups have the proper dns server addresses listed.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico, would it be possible to mail you some of the config to have a quick look, if that's allowed/OK.
 
On closer inspection you may have been correct, I'll check this out in the morning and post back, thanks for your help.
 
I have heard of this being a problem with the client software itself---the profiles lose their minds. There are fixes, but you will have to search. Just letting you know that it is likely the client problem. What version vpn client are you using?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Here is the config, if you can spot the issue would be great:

Company1>en
Password:
Company1#sh run
Building configuration...

Current configuration : 7197 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Company1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5
!
aaa new-model
!
!
aaa authentication login Local_DB local
aaa authorization network foo local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.176.1 192.168.176.9
ip dhcp excluded-address 192.168.176.34
ip dhcp excluded-address 192.168.176.11
ip dhcp excluded-address 192.168.176.111
ip dhcp excluded-address 192.168.176.150
ip dhcp excluded-address 192.168.176.250
ip dhcp excluded-address 192.168.176.115
ip dhcp excluded-address 192.168.176.110
!
ip dhcp pool company1-pool
network 192.168.176.0 255.255.255.0
default-router 192.168.176.222
dns-server 192.168.176.11 Public dns server
!
!
ip domain name company1
ip name-server Public dns server1
ip name-server Public dns server2
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-2801261823
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2801261823
revocation-check none
rsakeypair TP-self-signed-2801261823
!
!
crypto pki certificate chain TP-self-signed-2801261823
certificate self-signed 01


VPN Accounts here
!
!
ip ssh version 1
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group admin
key company1
dns 192.168.176.11
pool vpn_pool
acl admin_split
!
!
crypto ipsec transform-set foo esp-3des esp-sha-hmac
!
crypto dynamic-map dymap 1
set transform-set foo
!
!
crypto map test client authentication list Local_DB
crypto map test isakmp authorization list foo
crypto map test client configuration address respond
crypto map test 3000 ipsec-isakmp dynamic dymap
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.176.222 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1 -NOT IN USE
description ****outside***$ES_LAN$
ip address 10.0.0.2 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip virtual-reassembly
ip tcp adjust-mss 1452
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
no ip address
!
interface Dialer1
mtu 1492
ip address ip address here 255.255.255.252
ip nat outside
--More--
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
ppp chap hostname company 1
ppp chap password 7
ppp pap sent-username company1 password 7 company1
crypto map test
!
ip local pool vpn_pool 172.16.0.1 172.16.0.60
ip default-gateway 10.0.0.33
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
ip nat inside source static tcp 192.168.176.11 port x.x.x.x port extendable
!
ip access-list extended admin_split
permit ip 192.168.176.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended outsidein
deny ip 192.168.176.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 192.168.176.0 0.0.0.255 any
ip access-list extended port
!
access-list 1 permit 192.168.176.0 0.0.0.255
access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.176.0 0.0.0.255
access-list 101 deny ip 192.168.176.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.176.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

!
route-map nonat permit 10
match ip address outsidein
!
!
!
!
control-plane
!
!
banner motd ^C
*************************************************************
* UNAUTHORIZED ACCESS PROHIBITED *
* xxxxxxxxxxxxxxxxxxxxxxxxx *
************************************************************* ^C
!
line con 0
logging synchronous
login authentication Local_DB
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login authentication Local_DB
transport input ssh
!
--More--
!
scheduler allocate 20000 1000
end

company1#
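The check suggested earlier in the thread (each crypto client group should list the proper DNS server) can be run against a saved configuration. The script below is an added example, not something posted by anyone in the thread. It goes one step further than that advice and also confirms the pushed DNS server falls inside the group's split-tunnel ACL, since a server outside it is not reached through the tunnel. The function names are hypothetical and the sample is a constructed excerpt of the configuration above.

```python
import ipaddress
import re

# Constructed sample: the Easy VPN lines of the configuration posted above.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group admin
 dns 192.168.176.11
 pool vpn_pool
 acl admin_split
!
ip access-list extended admin_split
 permit ip 192.168.176.0 0.0.0.255 172.16.0.0 0.0.0.255
"""

def parse_groups(config):
    """Map each client configuration group to the dns servers and acl it pushes."""
    groups, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = re.match(r"crypto isakmp client configuration group (\S+)$", line)
        if header:
            current = groups.setdefault(header.group(1), {"dns": [], "acl": None})
        elif line == "!" or line.startswith("crypto "):
            current = None                      # end of the group block
        elif current is not None and line.startswith("dns "):
            current["dns"] += line.split()[1:]  # primary and optional secondary
        elif current is not None and line.startswith("acl "):
            current["acl"] = line.split()[1]
    return groups

def acl_sources(config, name):
    """Source networks permitted by a named extended ACL (network/wildcard form only)."""
    block = re.search(rf"^ip access-list extended {re.escape(name)}[ \t]*\n"
                      r"((?:[ \t]*(?:permit|deny|remark) .*\n?)*)", config, re.M)
    entries = re.findall(r"^\s*permit ip (\d\S*) (\d\S*)", block.group(1), re.M) if block else []
    # ipaddress reads a Cisco wildcard such as 0.0.0.255 as a host mask
    return [ipaddress.ip_network(f"{net}/{wild}", strict=False) for net, wild in entries]

def audit(config):
    """Return findings for groups whose pushed DNS is missing or outside the split tunnel."""
    findings = []
    for name, group in parse_groups(config).items():
        if not group["dns"]:
            findings.append(f"{name}: no dns pushed to clients")
        nets = acl_sources(config, group["acl"]) if group["acl"] else None
        for server in group["dns"]:
            if nets is not None and not any(ipaddress.ip_address(server) in n for n in nets):
                findings.append(f"{name}: dns {server} not covered by acl {group['acl']}")
    return findings
```

Calling `audit()` on the excerpt returns an empty list; a group with no `acl` line is treated as full tunnel, so only the presence of a `dns` line is checked for it.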
 
your config looks fine. did you make any changes or did you pull that straight from the device as is??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This is the current running config on the router! We still have no joy, maybe a different client!
 