LDAP routing and DNS combination

For outgoing delivery, is it possible to combine both LDAP Routing and DNS?
I.e. to send out to abc.com, which exists in LDAP, it will be delivered using LDAP Routing, and for a domain that does not exist in LDAP, use DNS instead.
TIA

If you haven't explicitly enabled it, then SMTP Routes will be used to forward on the mail.
FYI, this is for our outbound delivery (not incoming). This is what I have just tested.
domain.com is in our LDAP, and I'd like to use DNS instead of LDAP.routing. domain.com MX records should be somewhere on the internet.
LDAP query test results:
Query: LDAP.routing
Address: [email protected]
Action: reroute
Reroute to recipients: - (host: servers.cbn.net.id)
In smtproutes:
domain.com: usedns
In mail_logs:
Wed Nov 7 18:57:44 2007 Info: LDAP: Reroute query LDAP.routing MID 429897525 RID 0 address [email protected] to [('[email protected]', 'servers.cbn.net.id')]
Wed Nov 7 18:57:44 2007 Info: LDAP: Mailhost query LDAP.routing address [email protected] to servers.cbn.net.id
Wed Nov 7 18:57:44 2007 Info: MID 429897526 ICID 0 RID 0 To:
Although I have already specified usedns, the message is still delivered using LDAP.routing.

Similar Messages

  • ITouch loses router and DNS addresses?

    I have had my iTouch for about a week and it connected to my wireless network for the first three days flawlessly. Since that time, it will only connect sporadically and I have noticed that when it doesn't connect, it is because the router and DNS addresses have disappeared in the wireless window in Settings. I can get them back occasionally by renewing lease in this window, but more often than not, renewing lease does not reestablish these addresses.
    I reset the iTouch through itunes, but this did not solve the problem.
    Additional information. The iTouch has the full signal (maximum number of bars). I am using an airport extreme as my base station. I have three macs that I connect to the wireless network through the base station. I have a few airport expresses that are connected to audio equipment or video game units. All of these continue to work well and have no problem connecting to the wireless network.
    Your help/thoughts would be most appreciated.

    Is your router broadcasting its SSID? If not, try enabling that because the Touch often has a hard time remembering a network if it is hidden. Hiding your SSID is very minimal security, so there's really no point to hiding it.

  • Personal hotspot not getting router and DNS configured

    My provider for cellular is "bob" (A1) in Austria.
    I want to make my iPad to provide network access via cellular as a personal hotspot.
    The network is broadcasted and I can see it at any other device when activating Wi-Fi.
    When I connect it times out, the iPad does not provide DNS and router address to the client.
    I have also an iPhone5 with the provider "drei" - it works without problem to activate and use the "personal hotspot" provided by the iPhone.
    I contacted "bob" - they say there is nothing the provider can do about personal hotspot, it should work, I shall contact Apple support.
    Any other experience/advice?

    Update: I have found that if I connect my iPhone via USB and share the personal hotspot via USB, it works fine. But if I try and share it over wifi, it maybe lasts 5 mins, then the blue status bar at the top of the iPhone flashes on and off and the internet isn't shared.
    I have restored my iPhone and updated it to 5.1.1, but still get the same!
    Can anyone suggest anything? Please help
    Thanks
    Paul

  • E3200 router and DNS issuse with RR

    OK so I have purchased the E3200 router to use with my Road Runner internet. Everything works great all day until about 6pm. Then I start getting DNS issues, and my modem disconnects for about a minute, then it comes back. I've cloned my MAC address on the router; I also went to OpenDNS and changed that on the router hoping that would work, but no luck, today I got disconnected again at 6pm. Any thought on why I'm getting disco'd around the same time every day? My thought is that it's the modem directly, but any and all help would be wonderful, thanks all.

    If your modem disconnects it's not a problem of the router. Check with your ISP. Probably the modem crashes and reboots...

  • Routing and DNS processes stop - IOS 15.1(4)M9

    Hi all,
    I have an 1841 router acting as ADSL gateway. It has maxed out RAM and HWIC-1ADSL module installed.
    Some time after the upgrade from IOS 15.1(4)M6 to IOS 15.1(4)M9 the router started to behave somewhat strangely. Every 3-5 days the routing process stops, that is, if I do "sh run" I get "no ip routing" in the configuration, which wasn't there before. It appears that the config was not edited by anyone either. On top of that the router stops resolving DNS. A simple reboot fixes the DNS issue.
    I get the following in the logs (sh log):
    003801: Jan  2 05:39:13.569 AEST: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (1/0),process = DNS Server.
    -Traceback= 0x63BB1550z 0x63BB1BF8z 0x610C92F8z 0x610C935Cz 0x610CA4FCz 0x61306CC8z 0x61306DD0z 0x61309AD8z 0x6130B11Cz 0x62C873F4z 0x62C873D8z 
    003802: Jan  2 07:59:53.603 AEST: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (1/1),process = DNS Server.
    -Traceback= 0x63BC658Cz 0x63BB1530z 0x63BB1BF8z 0x610C92F8z 0x610C93B4z 0x610CA4FCz 0x61306E10z 0x61309AD8z 0x6130B11Cz 0x62C873F4z 0x62C873D8z 
    Has anybody experienced something like this?
    Is this a 15.1(4)M9 issue?

    Hi Alex,
    Based on the above logs: a spurious access is an attempt by Cisco IOS software to access memory in a restricted location. An example of system log output for a spurious access is shown below.
    000059: Jan  3 12:27:36.189 AEST: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x631586D4z  reading 0x1C
    000060: Jan  3 12:27:36.189 AEST: %ALIGN-3-TRACE: -Traceback= 0x631586D4z 0x631768E8z 0x63176998z 0x63177590z 0x631C2438z 0x631C2658z 0x62FE3ED0z 0x62FE4258z
    Cause
    A spurious access occurs when a process attempts to read from the lowest 16 KB region of memory. This portion of memory is reserved and should never be accessed. A read operation to this region of memory is usually caused when a nonexisting value is returned to a function in the software, or in other words, when a null pointer is passed to a function.
    Cisco IOS Software Handling
    Depending on the platform, Cisco IOS software handles spurious accesses differently. On platforms where this is possible, the Cisco IOS software code handles these invalid accesses by returning a value of zero and recording the event. If this is not supported on the platform, then the router will crash with a SegV error. Since any spurious access is inappropriate, spurious accesses always point to a bug.
    You may also want to have a look at the document below.
    http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-120-mainline/15103-spuraccess.html
    In my opinion I think you are hitting a bug here. 
    HTH,
    Nikhil 

  • Time Capsule as DHCP Router and DNS server for larger network - too taxing?

    Ok, let me say first that I'm no networking expert, but I have tried to learn a decent amount over the years. I haven't quite gotten to the level of combing router event logs, though I intend to do that as my next step. My question here though is if my overall network strategy is flawed.
    My setup at home is one that may be a bit more extensive than most users have:
    Cable modem -> Time Capsule -> Multiple gigabit switches (business grade) -> Wired Cat5e throughout the house and 2 Airport Extremes. I don't know how many total wired and wireless clients I have, but it may be between 30 and 40 (only a few are computers with the rest being game systems, networked DVRs, audio streamers, NAS, etc)
    At the moment, the Time Capsule only backs up one machine - a MBP (I have external HDDs connected directly to the desktops). I don't use the TC's HDD for anything else. Also, I have the network configured so that the TC handles DHCP addressing and NAT. The Airport Extremes are in bridge mode.
    For the most part, everything works very well. Internet speeds are good, audio streaming works well, no problems with TC backups, etc. The only issue I've run into is dropouts when streaming video content on the network from one device to another (not from the internet). Basically, the stream will pause and then an error will pop up on screen saying that there was a network problem. Now, I know that the specific devices themselves may have issues of their own, but since it's happened on more than one system, I'm wondering if there is a common network culprit: expecting the Time Capsule to handle its duties, especially while it is doing a backup.
    Here are a few thoughts I have:
    1 - From a technical standpoint, I don't know if all client to client network traffic goes through the TC. I was thinking that communication could happen between devices on the same switch without having to go up to the TC and then back down, but maybe I'm wrong. If I am wrong, that certainly is a bottleneck right there. I'm not segregating the video streamers to their own subnet on a new router to isolate the traffic. I'm also not sure if the bottleneck is impacted by static vs dynamic IP addressing. IOW, I don't know if setting the devices up with static IPs would change the flow of traffic to not have to go through the TC (just flow across the switch) or not.
    2 - Long ago in a different network setup, I had allowed the wireless access points to assign IPs. However, I found that doing so sometimes created problems accessing some of those devices from a computer or device on a different subnet. As such, I switched over to having the router connected to the modem do all the IP addressing. Maybe this is a bad idea given the temporary nature that some devices will hop on and off the network.
    3 - Additionally, in the interests of getting better wireless coverage over the whole house, I switched to using 2 airport extremes configured to use the same SSID (so that devices moving around the house wouldn't need to specifically change networks in order to get better signal). I guess I could let one of those 2 handle IP addressing while the other is in bridge mode (pointing to the primary Extreme vs the TC).
    4 - Kind of getting back to the TC as the bottleneck, maybe it shouldn't handle network wide DHCP and NAT duties. If TC backups take network priority, such that other kinds of traffic could hiccup, then I probably need to rethink where the TC should exist in the network. Or, maybe it would be enough to just have the stream sensitive components be on their own subnet.
    I know there are potentially multiple flaws in my current strategy, so any suggestions or attempts at correcting my assumptions would be helpful.
    Thanks!
    Jeff

    Welcome to the discussions!
    1 - Everything goes through the router when it is setup to handle DHCP and NAT
    2 - You want your main router, the TC, to handle all DHCP and NAT functions. It will handle up to 250+ connections, so 30-40 devices won't be much of a challenge
    3 - Keep both AirPort Extremes in bridge mode to allow the TC to handle the things in #2 above. If you setup an Airport Extreme to give out IP addresses, you'll create a Double NAT issue on your network...which can slow down communications between devices...the thing you are trying to avoid. If you use Xbox live or other interactive services, the online features will not function with a Double NAT on your network.
    4 - You want the TC to handle all DHCP and NAT functions as in #2. I assume that you have no single run of CAT5e more than 300 feet.
    5 - If you want to create separate sub nets correctly (the AirPorts won't allow you to do this as they are designed for basic home networking), you'll need to look at routers for professional and commercial use, like Cisco.
    With as many devices as you have, you may be running out of bandwidth at times. If you only notice the issue during Time Machine backups, and you don't need to backup each hour, take a look at Time Machine Editor to setup backups whenever you like, maybe once a day at 2 AM when things on the network are quiet.
    My suggestions are of course opinions. Hopefully you'll receive some other possibly differing views.

  • OD, LDAP and DNS

    I am new to LDAP and I believe I have everything set up correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I cannot access the LDAP server from a client machine using Directory Access. I suspect that client machines still cannot "see" my LDAP server.
    I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server on? I have tried entering the IP and DNS name on the client using Directory Access and neither worked.

    The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
    All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
    Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
    "An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
    Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
    DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
    You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
    For instructions on setting up DNS service, browse Network Services Overview."
    -- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
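The forward-and-reverse requirement in the answer above (FQDN resolves to the IP, and the IP resolves back to the same FQDN, for the master, every replica and every realm member) can be checked mechanically. The following is an added example, not code from the thread or from Apple's tooling. The lookup functions are injected, so the script runs here against a constructed zone (the example.test names and 192.0.2.x addresses are made up) and, via `live_resolvers()`, against the system resolver on a real network.

```python
import socket


def check_name_consistency(fqdn, forward, reverse):
    """Return a list of problems for one host name; empty means forward and reverse agree.

    forward(name) returns the host's IP address as a string and reverse(ip)
    returns the canonical name for that address.  Both raise OSError when the
    record is missing, which is what the socket module does.
    """
    name = fqdn.rstrip(".").lower()
    try:
        ip = forward(name)
    except OSError as exc:
        return [f"no forward (A) record for {name}: {exc}"]
    try:
        ptr = reverse(ip).rstrip(".").lower()
    except OSError as exc:
        return [f"no reverse (PTR) record for {ip} ({name}): {exc}"]
    if ptr != name:
        return [f"reverse lookup of {ip} returns {ptr}, expected {name}"]
    return []


def check_realm_members(names, forward, reverse):
    """Run the check for every server that must resolve both ways: the OD master,
    its replicas and the other members of the Kerberos realm."""
    return {n: check_name_consistency(n, forward, reverse) for n in names}


def live_resolvers():
    """Resolver pair backed by the system resolver, for use on a real network."""
    return socket.gethostbyname, (lambda ip: socket.gethostbyaddr(ip)[0])


# Constructed zone data for an offline run (names and addresses are made up).
A_RECORDS = {
    "od.example.test": "192.0.2.10",
    "replica.example.test": "192.0.2.11",
    "renamed.example.test": "192.0.2.12",
}
PTR_RECORDS = {
    "192.0.2.10": "od.example.test",
    "192.0.2.11": "replica.example.test",
    "192.0.2.12": "oldname.example.test",  # stale PTR after a rename: the classic mismatch
}


def zone_forward(name):
    """Forward lookup against the constructed zone; OSError mimics NXDOMAIN."""
    try:
        return A_RECORDS[name]
    except KeyError:
        raise OSError("NXDOMAIN") from None


def zone_reverse(ip):
    """Reverse lookup against the constructed zone; OSError mimics NXDOMAIN."""
    try:
        return PTR_RECORDS[ip]
    except KeyError:
        raise OSError("NXDOMAIN") from None


if __name__ == "__main__":
    members = ["od.example.test", "replica.example.test",
               "renamed.example.test", "missing.example.test"]
    for host, problems in check_realm_members(members, zone_forward, zone_reverse).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Swap `zone_forward, zone_reverse` for `live_resolvers()` to run the same check against whatever DNS the workstation is actually using, which is the resolver that matters for Kerberos.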

  • I have DHCPand DNS services in a router and I want to install domain controller

    Hello
    I have a SonicWall router managing the DHCP and DNS services for my network and want to keep it doing this.
    I have a computer running Windows Server 2012 Standard and installed Active Directory along with DNS. I also went to the DNS manager of this server and forwarded to the DNS addresses of my router. For some reason I'm not able to join a client computer to the DC.
    I got this error:
    An Active directory domain controller (AD DC) for the domain "mydomain.ca"  could not be contacted.
    Is it possible to configure Active Directory using the DNS and DHCP services of my router? Or am I doing something wrong?
    Can somebody help me with this matter?
    Thanks.

    Hello,
    if the DNS server on your router is able to provide all required zones, SRV records and options that the DCs require there is no problem using 3rd party DNS servers.
    But I would recommend that you use the DC as DNS server also and just run the installation during the promotion process.
    All clients MUST use the domain internal DNS servers on the NIC, NONE else, otherwise you will run into trouble. Internet access will be done via the FORWARDERS on the DNS server properties in the DNS management console on the Windows Server.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • The best router / network set up for wireless and wired combined use

    Shout out to all wireless experts...
    In my home, I have an iBook G4 I would like to 1) link with a wireless capable Brother MFC printer, while simultaneously maintaining the wired connectivity of the iMac already USB connected to same; plus 2) utilize the Internet wirelessly (via the iBook) without adversely affecting the iMac's wired functionality. Make sense?
    I have the preinstalled / bundled AirPort Extreme (404.2) and Bluetooth (1.7.5) software, and imagine this is doable, but I wonder...Which router, and specifically, how to (step by step) do this best without incurring unnecessary bells, whistles or expense?
    I've heard / read about the Belkin F5D8230-4 (mixed opinions), earlier Belkins, plus was advised that any 802.11 b/g was sufficient, but continue to be uncertain as to which way to go...help...

    * I neglected to mention (newbie error) that I use (yes, it's tragic) dial-up service...
    Does that additional fact change things in terms of the recommendations made?
    If so, were I to 'upgrade,' which method (cable, DSL, etc.) is the most efficient, yet least costly?
    iBook G4 (1.4 GHz / 1.5 GB)   Mac OS X (10.4.7)   iMac (9.2); Performa 631CD (Ancient 7.5); MacPlus (Primordial Ooze OS)

  • Why doesn't LDAP Priority and Weight change entry in the DNS?

    We have two Windows 2008 servers that are Active Directory Domain Controllers.  They seem to be configured properly, and are talking to each other.
    I want one of the domain controllers to authenticate all of the logins because it's a more powerful box.  I want the second DC to take over if the first goes down.
    I went into the Registry on the old machine, and created two 32 bit Dword registry keys as follows:
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
    LdapSrvPriority
    and
    LdapSrvWeight.
    Set these to 5 and 150.  Assumed the default on the faster server was 0 and 100, thus making the newer server the default choice for logon authentication.
    Rebooted server.   Checked DNS, and it still is reporting 0 100 for both servers, and doing an
    echo %LOGONSERVER% on various workstations seems to show that authentication is roundrobining between both servers.
    Why aren't these settings sticking? And why weren't they in the registry when I started? Thanks

    Hi,
    I tested and the DNS record changed as expected.
    So please make sure the DC you changed points to the DNS server that you check, because there will be some delay before records are replicated to another DNS server.
    You can also check timestamp of the record if it is the latest change.
    You can trigger a DNS registration manually:
    How To Reregister SRV records of a Domain Controller In DNS Zone
    http://support.microsoft.com/kb/556002
    Hope this helps.
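What the poster expected from LdapSrvPriority and LdapSrvWeight is the standard SRV selection rule of RFC 2782: clients try the lowest priority value first and, within one priority, pick targets at random in proportion to weight. The script below is an added example (not Microsoft's code or the DC locator itself) that implements that rule and simulates both states from the post: two DCs registered with the default 0/100, and the old DC demoted to 5/150. The DC names and the mydomain.ca zone are constructed; the registry value names are the ones from the post.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_name(domain: str) -> str:
    """SRV owner name a client queries to find a DC for LDAP (RFC 2782 form)."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".") + "."


def order_srv(records, rng=None):
    """Order records as an RFC 2782 client should try them.

    Lower priority values are tried first.  Within one priority, targets are
    chosen by weighted random selection, so equal weights give an even spread
    (the 'round-robin' seen via %LOGONSERVER%), and a higher priority number is
    only reached when every lower-priority target has failed.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            # RFC 2782: zero-weight entries go first so they are picked least often.
            pool.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def first_choice_share(records, trials=1000, seed=1):
    """Count how often each target is the client's first choice over many lookups."""
    rng = random.Random(seed)
    counts = Counter(order_srv(records, rng)[0].target for _ in range(trials))
    return dict(counts)


# Constructed sample records (not taken from any real zone).
DEFAULT_BOTH = [
    SrvRecord(0, 100, 389, "dc-fast.example.test."),
    SrvRecord(0, 100, 389, "dc-old.example.test."),
]
OLD_DEMOTED = [
    SrvRecord(0, 100, 389, "dc-fast.example.test."),
    SrvRecord(5, 150, 389, "dc-old.example.test."),  # LdapSrvPriority=5, LdapSrvWeight=150
]

if __name__ == "__main__":
    print(dc_locator_name("mydomain.ca"))
    print("defaults:", first_choice_share(DEFAULT_BOTH))
    print("demoted :", first_choice_share(OLD_DEMOTED))
```

With the defaults the first-choice counts split roughly evenly, which is the behaviour the poster saw; once the old DC carries priority 5 it is never the first choice, and its weight of 150 only matters if several DCs share that priority. The zone data the simulation consumes is whatever the DCs registered, so if the registry change did not propagate to the DNS server a client queries, the client keeps seeing 0/100 for both.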

  • Configuring Solaris 8 Sparc w/router and cable modem

    I recently purchased a Sun Ultra 10 with Solaris 7 pre-installed. I decided to immediately upgrade to Solaris 8. The operating system has installed properly so far.
    However, I'm at the point now where I am entering information to allow Solaris to connect to my network and thus the Internet, and the combinations I have tried don't work.
    I use a cable modem service with a Netgear RT314 four-port router. It functions in a standard way - the cable modem is 192.168.0.1 and shows up on my WinXP PC (in ipconfig /all) as the DNS server and gateway server. On the PC, for "Connection-specific DNS suffix", I see nc.rr.com (my ISP).
    Solaris 8 wants to know my domain name, as well as my DNS server. I don't know what domain name to give it. I have tried nc.rr.com, but when I enter that plus 192.168.0.1 as the DNS server, I end up receiving this message: "Unable to find an entry for dchppc3 with the specified DNS configuration."
    I have been afraid to move beyond this point, although it's possible that it will work properly and just isn't receiving the confirmation it expects.
    Any suggestions would be welcome, either in this forum or emailed to me. My address is [email protected]
    Thanks.

    I decided to plow ahead with the installation. It works properly within my local network - I can ping DHCP addresses and view Web files from my local server using 192.168.0.3 (that machine's DHCP address).
    However, it can't get to the Internet. So my problem now is that I can see the router, but can't see the Internet services that the router provides to the other computers on my network. Presumably, I need to alter my DNS settings ... however, on my PCs, I seem to simply use the router (192.168.0.1) as the DNS, and it properly passes the request along to my cable modem provider. Why would this work for the PCs but not for Solaris 8? Thanks -

  • Domain Trust and DNS

    Hello,
    We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain.  Nearly all works, we can share folder permissions etc but what we can't do on their domain is add a PC on their network that is part of our domain.
    The error is:
    it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
    If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local, it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone, we have a separate zone called _msdcs.gb.vo.local, like this:
    DC1
    ----->Forward Lookup Zones
    -------->_Msdcs.ukdomain.local
    -------->ukdomain.local
    I thought it should look like this:
    DC1
    ----->Forward Lookup Zones
    ------->ukdomain.local
    --------->_Msdcs
    Thanks

    If you are on their network can you ping their domain?
    If not then you have a DNS, routing, or firewall issue.
    Are ports being blocked? For DNS, add a conditional forwarder to point to DNS for the other domain, and do the same on the other side; this will work better in 2008 as it's replicated to the forest.
    Testing Domain Controller Connectivity Using PORTQRY

    | Protocol and Port | AD and AD DS Usage | Type of traffic |
    | --- | --- | --- |
    | TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
    | TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
    | TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
    | TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
    | TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
    | TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
    | TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
    | TCP 25 | Replication | SMTP |
    | TCP 135 | Replication | RPC, EPM |
    | TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
    | TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
    | UDP 123 | Windows Time, Trusts | Windows Time |
    | TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
    | UDP Dynamic | Group Policy | DCOM, RPC, EPM |
    | UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
    | TCP 9389 | AD DS Web Services | SOAP |
    | UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP |
    | UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
    | TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
    If it answered your question, remember to “Mark as Answer”.
    If you found this post helpful, please “Vote as Helpful”.
    Postings are provided “AS IS” with no warranties, and confers no rights.
    Active Directory: Ultimate Reading Collection
    Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
    Kelly Bush
    It appears that you've copied and posted the chart, with some editing,
    from my blog, link posted below. No problem, as long as it helps the poster. :-)
    Active Directory Firewall Ports – Let’s Try To Make This Simple
    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
    Also, I would like to add, that for firewall checks, to make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
    Here's the matrix:
    Ephemeral Ports:
    And most of all, the ephemeral ports, also known as the “service response ports,” that are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the ‘client’ may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what ‘ephemeral’ means.

    | Protocol and Port | Usage | Type of traffic |
    | --- | --- | --- |
    | TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports |
    | TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports |
    | TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
    | UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM |

    If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:

    | Protocol and Port | Usage | Type of traffic |
    | --- | --- | --- |
    | TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB |
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs, please let me know if you need anything else. I'm stumped on this one. Thanks.
    IP scheme at Site A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Cisco 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    On the router I have also added:
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my ACL:
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping to the other site.
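A site-to-site IPsec tunnel only comes up when the two peers' crypto ACL entries are mirror images (IOS source/destination equal to ASA destination/source). The script below is an added example, not from the thread: it parses the two entries the poster added, converting IOS wildcard masks and ASA netmasks to prefixes, and reports where they disagree. Run against the posted lines it rejects the IOS wildcard `0.0.0.65`, which is not the inverse of the ASA's `255.255.255.192` (that inverse is `0.0.0.63`, the value already used in the router's NAT deny).

```python
"""Mirror check for the site-to-site crypto ACL entries posted above.

Added example, not from the thread. The two entries are the poster's; the
parser and comparison are mine. IOS uses wildcard (inverted) masks while the
ASA uses ordinary netmasks, which is where the two sides most often drift.
"""
import ipaddress
import re

IOS_ENTRY = "access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65"
ASA_ENTRY = ("access-list 110 extended permit ip 172.19.5.64 255.255.255.192 "
             "172.19.3.128 255.255.255.128")
ALL_ONES = 0xFFFFFFFF


def _endpoint(tokens, wildcard):
    """Consume 'any', 'host A' or 'A MASK' from tokens and return a network.
    wildcard=True treats MASK as an IOS wildcard, False as an ASA netmask."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask_str = tokens.pop(0)
    mask = int(ipaddress.IPv4Address(mask_str))
    if wildcard:
        mask = ~mask & ALL_ONES          # invert the IOS wildcard into a netmask
    # A prefix mask is a run of ones followed by a run of zeros; anything else
    # (such as the inverse of 0.0.0.65) cannot describe a subnet.
    if mask != 0 and (mask | (mask - 1)) != ALL_ONES:
        raise ValueError(f"{first} {mask_str}: non-contiguous mask, not a prefix")
    return ipaddress.IPv4Network((first, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_entry(line, wildcard):
    """Return (source, destination) networks of one 'permit ip' ACL entry."""
    m = re.match(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(.+)", line.strip())
    if not m:
        raise ValueError(f"not a permit ip entry: {line}")
    tokens = m.group(1).split()
    return _endpoint(tokens, wildcard), _endpoint(tokens, wildcard)


def check_mirror(ios_line, asa_line):
    """Return a list of findings; an empty list means the two entries mirror."""
    asa_src, asa_dst = parse_entry(asa_line, wildcard=False)
    try:
        ios_src, ios_dst = parse_entry(ios_line, wildcard=True)
    except ValueError as exc:
        # Derive the IOS wildcards the ASA side implies so the fix is explicit.
        return [f"IOS entry rejected: {exc}",
                f"ASA side expects IOS destination '{asa_src.network_address} "
                f"{asa_src.hostmask}' and source '{asa_dst.network_address} "
                f"{asa_dst.hostmask}'"]
    findings = []
    if ios_src != asa_dst:
        findings.append(f"IOS source {ios_src} != ASA destination {asa_dst}")
    if ios_dst != asa_src:
        findings.append(f"IOS destination {ios_dst} != ASA source {asa_src}")
    return findings


if __name__ == "__main__":
    for line in check_mirror(IOS_ENTRY, ASA_ENTRY) or ["entries mirror"]:
        print(line)
    fixed = IOS_ENTRY.replace("0.0.0.65", "0.0.0.63")
    print("with 0.0.0.63:", check_mirror(fixed, ASA_ENTRY) or "entries mirror")
```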

  • [SOLVED] Problem with Iptables and DNS-resolving

    So I'm changing my iptables default policy from ALLOW to DROP, and am tightening up the rules too.
    However, I'm having troubles with allowing DNS-queries, while keeping things as locked down as possible.
    /etc/resolv.conf
    domain home
    nameserver 192.168.1.1
    Relevant rules:
    # Allow HTTP
    $CMD -A OUTPUT -o wlan0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $CMD -A INPUT -i wlan0 -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Allow HTTPS
    $CMD -A OUTPUT -o wlan0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $CMD -A INPUT -i wlan0 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # DNS-related rules
    $CMD -A INPUT -i wlan0 -s 192.168.1.1 -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $CMD -A INPUT -i wlan0 -s 192.168.1.1 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    What am I missing here?
    Last edited by graph (2012-03-20 18:36:23)

    Gcool wrote: I'm assuming you just want to allow that box to surf the net?
    Yepyep. Sorry for not mentioning that.
    192.168.1.1 is my router, and when I'm disabling the firewall, everything is working perfectly. This is with 192.168.1.1 as nameserver in /etc/resolv.conf.
    I tried changing my rules to your rules, but I still can't get it to work.
    The following is the output while I'm connecting to www.xkcd.com using elinks:
    Output of tcpdump -n '(port 80 or 443 or 53)'
    without iptables running: pastebin.com
    with iptables running: pastebin.com
    It seems to me that DNS is working properly, and that iptables is blocking port 80, right?
    Last edited by graph (2012-03-20 08:20:44)
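The tcpdump result above (DNS answered, port 80 blocked) is what the posted rules produce: a web server's reply arrives on INPUT with *source* port 80, but the two web INPUT rules match `--dport 80` and `--dport 443`, whereas the DNS INPUT rules correctly match `--sport 53`. The script below is an added example, not from the thread; it evaluates the posted rules first-match over constructed packets (the client address 192.168.1.20 and the web server 203.0.113.10 are assumptions) and compares them with the same rules using `--sport`.

```python
"""First-match simulator for the iptables rules posted above.

Added example, not from the thread. It models only the matches those rules use
(-i/-o, -s/-d, -p, --sport/--dport, --ctstate) plus a DROP chain policy; the
conntrack state is supplied on the packet instead of being tracked.
"""
import shlex
from dataclasses import dataclass

POSTED_TEXT = [  # the rules as posted; note the web INPUT rules use --dport
    "$CMD -A OUTPUT -o wlan0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
    "$CMD -A INPUT -i wlan0 -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "$CMD -A OUTPUT -o wlan0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
    "$CMD -A INPUT -i wlan0 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "$CMD -A INPUT -i wlan0 -s 192.168.1.1 -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "$CMD -A INPUT -i wlan0 -s 192.168.1.1 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "$CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
    "$CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
]
# Same ruleset, with the web INPUT rules matching the server's source port the
# way the DNS INPUT rules already do. The DNS lines contain "-s 192.168.1.1"
# before "-p", so the replacement touches only the two web INPUT rules.
FIXED_TEXT = [r.replace("-A INPUT -i wlan0 -p tcp --dport",
                        "-A INPUT -i wlan0 -p tcp --sport") for r in POSTED_TEXT]

# iptables flag -> packet field it constrains
FLAGS = {"-A": "chain", "-i": "iface", "-o": "iface", "-s": "src", "-d": "dst",
         "-p": "proto", "--sport": "sport", "--dport": "dport",
         "--ctstate": "ctstate", "-j": "target"}


@dataclass
class Packet:
    chain: str      # "INPUT" or "OUTPUT"
    iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    ctstate: str    # what conntrack would classify this packet as


def parse_rule(line):
    """Turn one '$CMD -A CHAIN ... -j TARGET' line into a dict of match fields."""
    toks = shlex.split(line)
    rule = {}
    for i, tok in enumerate(toks):
        if tok in FLAGS:
            val = toks[i + 1]
            if tok in ("--sport", "--dport"):
                val = int(val)
            elif tok == "--ctstate":
                val = set(val.split(","))
            rule[FLAGS[tok]] = val          # "$CMD" and "-m conntrack" are ignored
    return rule


def matches(rule, pkt):
    for field in ("chain", "iface", "src", "dst", "proto", "sport", "dport"):
        if field in rule and rule[field] != getattr(pkt, field):
            return False
    return "ctstate" not in rule or pkt.ctstate in rule["ctstate"]


def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins, as in a netfilter chain; otherwise the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


POSTED_RULES = [parse_rule(r) for r in POSTED_TEXT]
FIXED_RULES = [parse_rule(r) for r in FIXED_TEXT]

# Constructed hosts: the laptop, the router from /etc/resolv.conf, a web server
# in the TEST-NET-3 documentation range.
ME, ROUTER, WEB = "192.168.1.20", "192.168.1.1", "203.0.113.10"
HTTP_REQUEST = Packet("OUTPUT", "wlan0", "tcp", ME, WEB, 51234, 80, "NEW")
HTTP_REPLY = Packet("INPUT", "wlan0", "tcp", WEB, ME, 80, 51234, "ESTABLISHED")
DNS_REPLY = Packet("INPUT", "wlan0", "udp", ROUTER, ME, 53, 40123, "ESTABLISHED")
UNSOLICITED = Packet("INPUT", "wlan0", "tcp", WEB, ME, 80, 80, "NEW")  # inbound probe

if __name__ == "__main__":
    for name, pkt in [("HTTP request", HTTP_REQUEST), ("HTTP reply", HTTP_REPLY),
                      ("DNS reply", DNS_REPLY), ("unsolicited", UNSOLICITED)]:
        print(f"{name:13} posted={verdict(POSTED_RULES, pkt):6} fixed={verdict(FIXED_RULES, pkt)}")
```

A single `-A INPUT -i wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` covers all return traffic at once, which is how stateful rulesets are usually written; the per-port form above keeps the thread's structure.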

  • Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server

    Summary:
    After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect to (ping, SSH, …) the gateway only until the first client disconnects. Then I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
    Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly with VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan indicates that port 53 is open, but a dig returns a timeout.
    Configuration:
    Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
    Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
    -> 1 controller, which act as a gateway for the cluster private network, with the following services activated:
    DHCP, DNS, firewall (allowing all incoming traffic for each groups for test purposes), NAT, VPN, OpenDirectory, web, software update, AFP, NFS and Xgrid controller.
    en0: fixed public IP address -> controller.example.com
    en1: 192.168.1.254 -> controller.cluster
    -> 18 agents with AFP and Xgrid agent activated:
    en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
    VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
    Detailed problem description:
    After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.201
    Subnet Mask:
    Router: 192.168.1.254
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can ping all the Xserves of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
    The DNS server returns timeouts when I try to do a dig from my VPN client, even though I am able to access it directly from a computer inside or outside my private network.
    After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
    Then I can always establish a VPN (L2TP) connection, but the client receives the following information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.202
    Subnet Mask:
    Router: (Public IP address of my VPN server)
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18), but when I ping my gateway (192.168.1.254), it returns timeouts.
    I have two "lazy" solutions to this problem: 1) configure the VPN and DNS servers on two different Xserves, 2) put the public IP address of my gateway as the DNS server address, but neither of these solutions is acceptable for me…
    Any help is welcome!!!

    I would suggest taking a look at:
    server admin:vpn:settings:client information:network route definitions.
    As I understand your setup, it should be something like
    192.168.1.0 255.255.255.0 private.
    at least as a start. I just got done troubleshooting a similar issue, but via two subnets:
    http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0
