RE: OT: VPN and DNS

  • From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 16 Apr 2004 14:45:34 -0400

Joseph,

We're not using the Cisco VPN software, we're using the standard Microsoft VPN 
software with the PPTP protocol.

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx] 
Sent: Friday, April 16, 2004 1:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

What settings are you using on your Cisco client?  When I mentioned to you
the issues that I was having,
Cisco was having trouble with ports 10000 and 500. In addition to the IP
address that you have, maybe that could be the issue.
The Cisco VPN Client uses the local computer's IP address to encrypt the
communication. For this reason users who connect to the Internet using DSL
or a cable modem (Comcast, Optimum Online, Verizon DSL...), and share access
with multiple computers using a router, may need to make the following
changes to their router. Most routers allow you to forward specific types of
connections to a specific computer. This process is called port forwarding.
For use of the VPN, port 10000 will need to be forwarded from the router to
the local computer.
Some reading links:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812076
http://www.cites.uiuc.edu/vpn/download-install.html


Joseph
----- Original Message ----- 
From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, April 16, 2004 3:37 AM
Subject: [isalist] RE: OT: VPN and DNS


http://www.ISAserver.org

Joe, I'm confused a little. Are you saying that the problem is that you
can't resolve internal records on your public/external DNS (i.e.
server.corp.com), or that your VPN clients are contacting 192.168.1.1,
which is a DNS server, and not 10.1.1.2? In that case, don't they have
similar zones? Then it shouldn't really matter which one resolves DNS
queries; it just depends on your routes.


Greg Mulholland
http://www.isaserver.org
http://www.isaserver.mine.nu
http://groups.google.com


-----Original Message-----
From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx]
Sent: Friday, April 16, 2004 1:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

Yes, I have definitely experienced issues where the local client's
address space is the same as the remote network's (VPN's) address
space... For instance, if the local address is 10.1.1.x/24 this
definitely conflicts with the VPN network which is running
10.1.x.x/16...  It really makes the VPN connection just fall apart...
That's just a situation that's pretty much irresolvable AFAIK...
Definitely a sticky wicket for VPN's...  (Any suggestions on how to
resolve that issue would make for interesting reading!)

The issue I'm concerned with is similar, but different...

Take a client with an address of 192.168.1.x/24...  SOHO router serving
IP options via DHCP...  Sets the client with itself as default gateway
and DNS as 192.168.1.1...

Now the client connects to a VPN...  VPN IP 10.1.1.x/24...  VPN DNS
10.1.1.2...

Internal network using corp.com as Active Directory address space...
corp.com also being used for external addressing (www.corp.com ,
mail.corp.com , etc)

VPN client, with active VPN connection tries to do a DNS lookup for
server.corp.com...  The "local" DNS server (192.168.1.1) is still
available and can respond, and since Windows has established this as an
active DNS server, sends the query for server.corp.com...  Of course the
external DNS servers for corp.com don't have the internal address for
server.corp.com and therefore the DNS lookup fails (or responds with the
external address, which doesn't do any good for directing traffic
through the VPN connection)...  Since the 192.168.1.1 DNS 'server'
responds, the client never tries to hit the 10.1.1.2 DNS server to
properly resolve server.corp.com.

I don't know if there really is a clean solution, but there's always
hope...

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Thursday, April 15, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: VPN and DNS

http://www.ISAserver.org

Hi Joe,
I've seen this before. The cause was the local client had, let's say, a
10.0.0.1 type of subnet and the client that you VPN to had a similar
subnet, 10.0.1.1.  This caused a strange conflict, but I was able to move
files from my subnet to their subnet.
I was using the Cisco VPN client.

Not sure if this is what you meant but, I thought it was similar.
Thank you,
Joseph
----- Original Message -----
From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 15, 2004 8:13 AM
Subject: [isalist] RE: OT: VPN and DNS


http://www.ISAserver.org

Ladies and gentlemen...  Just wanted to clarify one item that was
suggested off list...  My VPN clients are _not_ using split tunneling,
yet items on the client's local subnet (including the DNS server) are
still available...

Still looking for suggestions....

TIA!


Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


-----Original Message-----
From: Joe Pochedley
Sent: Wednesday, April 14, 2004 9:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] OT: VPN and DNS

http://www.ISAserver.org

Sorry for the OT post, but since Dr. Shinder and others on this list
have spent so much time in this area, I'm hoping someone here can offer
some suggestions...

In short: As more and more users want to work from home, in hotels with
high speed connections, etc., we're having issues with more and more SOHO
routers or hotel configs and are looking for solutions / work-arounds...
We're using the same DNS space internally and externally (split DNS).
Users VPN in using MS's VPN (PPTP at the moment).  This works great over
dial-up and with some high speed lines...

However, some SOHO routers (SMC, Dlink, Microsoft and some hotels'
wireless systems have all been culprits thus far) submit themselves to
the clients as the local DNS server and in effect perform DNS
forwarding (maybe some local caching too, I don't know).  The problem
this appears to cause is that the local client can still reach the
"local" DNS server because it's on the same subnet...  When this happens
the client doesn't use the VPN-supplied DNS servers and therefore DNS
lookups either fail or return the wrong addresses.

My assumption always used to be that all traffic from the client would
be forwarded through the VPN when the VPN is active, but this appears to
not be the case.  Local traffic still will go out to other local clients
and therefore since the DNS server appears local, the client machine
will try to hit the local DNS server (and will be successful albeit with
results we don't want)...

FWIW, Windows 2000 domain, MS RRAS and ISA running on Windows Svr 2003;
Windows 2000 and XP Pro clients.

The only solutions I've come up with thus far are:

1) HOSTS files...  Yuck.
2) I could write a script that would modify the client's DNS settings,
effectively removing the "local" DNS server during the VPN session, but
that's a PITA all the way around...

I'd happily entertain any other suggestions!  TIA!

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do
it himself.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
JoePochedley@xxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')

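The resolver-selection problem this thread describes (a query for an internal name answered by the local SOHO resolver instead of the VPN-supplied DNS server) can be made visible from the VPN client itself by asking each configured resolver directly and checking whether the answer falls inside the VPN-routed range. The script below is an added diagnostic example, not code from the list or from any product discussed; it uses the thread's addresses (local resolver 192.168.1.1, VPN DNS 10.1.1.2, internal name server.corp.com), assumes 10.1.0.0/16 as the VPN-routed prefix, and constructs sample replies (203.0.113.10 standing in for the public corp.com answer) so that everything except `check_resolver` runs offline.

```python
"""Check which DNS resolver answers for an internal name over a VPN.

Added diagnostic example (not from the mailing-list thread).  The codec is a
minimal subset of the RFC 1035 wire format using only the standard library,
so the demonstration at the bottom runs offline on constructed packets;
check_resolver() is the only function that sends traffic.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

VPN_PREFIX = ipaddress.ip_network("10.1.0.0/16")  # assumed VPN-routed range
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer into the packet
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt: bytes, expect_txid: int = 0x1234) -> tuple[int, list[str]]:
    """Return (rcode, [A-record addresses]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    addrs: list[str] = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode: int, addrs: list[str], vpn_prefix=VPN_PREFIX) -> str:
    """Say whether an answer would actually route through the VPN."""
    if rcode == 3:
        return "NXDOMAIN: this resolver does not know the internal name"
    if rcode != 0:
        return f"rcode {rcode}: lookup failed at this resolver"
    if not addrs:
        return "no A records: resolver answered nothing useful"
    if all(ipaddress.ip_address(a) in vpn_prefix for a in addrs):
        return "internal: answer is inside the VPN range"
    return "external: answer is outside the VPN range (public zone data)"


def build_response(query: bytes, addrs: list[str], rcode: int = 0) -> bytes:
    """Construct a reply to `query` (used only to build offline sample packets)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
                   + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + rrs


def check_resolver(server: str, name: str, timeout: float = 2.0) -> str:
    """Live check: ask `server` directly for `name` and classify what comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout: resolver unreachable from this client"
    return classify(*parse_a_records(data))


if __name__ == "__main__":
    # Offline demonstration with constructed replies mirroring the thread.
    q = build_query("server.corp.com")
    samples = {
        "192.168.1.1 (SOHO forwarder)": build_response(q, ["203.0.113.10"]),  # constructed
        "10.1.1.2 (VPN DNS)": build_response(q, ["10.1.1.50"]),                 # constructed
    }
    for resolver, pkt in samples.items():
        print(f"{resolver}: {classify(*parse_a_records(pkt))}")
    # Live on a connected VPN client, uncomment:
    # for srv in ("192.168.1.1", "10.1.1.2"):
    #     print(srv, check_resolver(srv, "server.corp.com"))
```

Run live on a connected VPN client, the commented loop reports which resolver returns an address inside the VPN range; an "external" or "NXDOMAIN" result from the local resolver for an internal name is exactly the symptom described in the thread. The check only makes the misrouting visible, which is useful when triaging a user's SOHO router or hotel network; the fix still has to come from the client's DNS configuration during the VPN session, as the thread discusses.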