Cisco IOS as DNS server

Dear Community!
Could someone help me to fine-tuning DNS server configuration?
I'm configuring an IOS router act as a DNS server with the following parameters:
ip name-server [IP #1] [IP #2]
ip dns server
ip domain round-robin
ip domain name [domain.net]
The 1st DNS server is a public DNS server accessible from Internet, the 2nd one is a private corporate DNS server accessible from a site-2-site tunnel.
The client PCs at the remote end of the IPSec tunnel should query public DNS names from public DNS server, and the records of our private DNS domain.
Is it possible to configure a "policy" to query corporate DNS domain from a dedicated DNS server, and the other public DNS name from the public one?
Thanks in advance!
Best Regards,
Belabacsi
from Budapest, Hungary

Sure, it's called DNS Proxy. It's not supported on all devices, so you'll have to check.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/800/rn830xc3.htm
DNS Proxy
In virtual private network (VPN), Point-to-Point Protocol over Ethernet (PPPOE), etc. PCs connected to the LAN may get Dynamic Host Configuration Protocol (DHCP) parameters including the IP addresses of the Domain Name System (DNS) server prior to the router connecting to the WAN to get the information over IP Control Protocol (IPCP). The objective with Proxy DNS (or caching-only name server) enables the router to receive DNS queries on behalf of the real DNS servers and proxy for the hosts on the LAN connected users. This enables the DHCP server to immediately send the hosts the router's own LAN address in lieu of the DNS server's IP address. The router forwards the DNS queries from local users to real DNS servers after the WAN connection comes up and caches the DNS records in response. Over the time, cache includes the DNS information most often requested by the local resolvers and this can reduce the overhead of packets to the WAN.
The router must obtain the correct DNS server information from the WAN in order for it to function as a proxy DNS server.
The global configuration command ip dns server enables DNS proxy server functionality on the router, and causes it to forward DNS queries to the actual DNS servers. The global configuration command dns-server address causes the router to respond to DNS queries with its own IP address.
HTH and please rate.

Similar Messages

Cisco 1821 as DNS server

Hello I have a cisco 1821 router acting as remote access for vpnclients, LAN LAN VPN device and also
LAN router. All in one.
My LAN has a 192.168.23.0/24 addressing, and router has 2 IP Addresses, one on public IP on the public interface Fa0/1
and 192.168.203.1 on the private interface Fa0/0
I set up it as a name server for local LAN:
ip dns server
ip host pc10 192.168.203.10
ip host pc83 192.168.203.83
ip host c1821 192.168.203.1
I did this so that local PC on my lan can have a resolution for local addresses since I do not have a DNS server inside my line
and I do not have a Active Directory infrastructure.
on the public IP interface my router can be queried for LOCAL IP resolution for my lan 192.168.203.0/24, I Tryed from outside using dig command.
I Wanted to prevent this. I cannot use an ACL because I would prevent DNS queries to work in general. trying to resolve
an external IP Address from inside my lan, I just want the router to refuse DNS resolution for any query coming to external interface,
while I Want to allow only queries coming form my local lan to internal interface.
is this possible in some way ?
thank you
Riccardo

You are asking your IOS device to act as a split-DNS server, providing RFC1918 addresses on internal interfaces, and global address (or no addresses) on the public inetrface.
Look at the "ip dns view" command so you can present differnt DNS responses by interface.
This article may help:
http://www.nil.com/ipcorner/RouterDNS/

DNS Server in IOS?

Does any version of the IOS include a DNS server? To make a long story short, I just need one record to be resolved on a non-routed subnet and am hoping I have can have a router act as a DNS server.

see the following link for ios dns support for ns records:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ae3.html
(ios 12.2)

Obtaining DNS servers automatically on Cisco ADSL routers;" not static dns with command dns-server x.x.x.x" ?

Obtaining DNS servers automatically on Cisco ADSL routers;" not static dns with command dns-server x.x.x.x" ?

Ok Thank you Karsten

Serving static AAAA records with IOS' DNS server

Hi guys,
Has anyone managed to get IOS to serve statically defined AAAA records? I do this just fine with A records as such :
On the router :
ip dns server
ip host ns.example.com 1.1.1.1
ip host somehost.example.com 1.1.1.2
ip dns primary example.org soa ns.example.org [email protected] 21600 900 7776000 86400
From the Linux box :
unixhost$ dig @1.1.1.1 somehost.example.com
; <<>> DiG 9.8.1-P1 <<>> @1.1.1.1 somehost.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32168
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;somehost.example.com.        IN    A
;; ANSWER SECTION:
somehost.example.com.    10    IN    A   1.1.1.2
;; Query time: 1 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Aug 15 00:42:11 2012
;; MSG SIZE rcvd: 50
Interestingly whenever I add a static ipv6 entry, I get the SOA as an answer instead of the actual AAAA record. But from the router itself, it can use the statically defined hosts just fine.
On the router :
ipv6 host somehost.example.com 2001:1:1:1::2
From the Linux box :
unixhost$ dig -t AAAA @1.1.1.1 somehost.example.com
; <<>> DiG 9.8.1-P1 <<>> -t AAAA @1.1.1.1 somehost.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53347
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;somehost.example.com.        IN    AAAA
;; AUTHORITY SECTION:
somehost.example.com.        86400    IN    SOA ns.example.com. [email protected]. 3553994542 21600 900 7776000 86400
;; Query time: 1 msec
;; SERVER: 192.168.200.252#53(192.168.200.252)
;; WHEN: Wed Aug 15 00:42:22 2012
;; MSG SIZE rcvd: 108
But from the router, it works just fine :
router#ping ipv6 somehost.example.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:1::2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
I'm running 15.2(2)T1.
Thanks,
Eric Lauriault

Hello Everyone,
in case someone runs into this thread: In our case it turned out that the problem was related to the DNS Server service. Regardless of the above configuration settings on the NIC and in the registry, the DNS server will always register in DNS using
all of its IPs that the service is listening on. To change this behaviour you can tell the DNS service to only register individual IPS in the registry:
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
      Add a Reg_Multi_SZ called "PublishAddresses" and specify the list of IPs
In our case we added just one of the three configured IPs and from then on the server only registered this address and not the other ones.
Regards
HarryNew

DNS Server on IOS

Hi,
I'm trying to configure a router as DNS server without "luck".
I've tried various things:
ip domain name net.sub.tld
ip name-server 8.8.8.8
ip host r1.net.sub.tld
ip dns server
ip dns primary net.sub.tld soa ns.net.sub.tld mailbox.net.sub.tld 21600 900 7776000 86400
I can do lookups on the router, but through the router I can't.
After I've done a lookup on the router and it gets the reply, it enters it in the hosts table (show hosts). NOW clients are able to resolve only this entry.
Local entries in the zone net.sub.tld works perfectly!
Any suggestions?
I've also tried to configure forwarder and source interfaces in the ip dns view default, but it's all the same.
The platform is a 1921 running IOS Version 15.1(4)M7
Thanks,
/JZ

Hi Jacob,
I dont know about it will work on router or not
But here are the steps:
1. enable
2. configure terminal
3. ip dns server
4. ip name-server server-address1 [server-address2...server-address6]
5. ip dns server queue limit {forwarder queue-size-limit | director queue-size-limit}
6. ip host [vrf vrf-name] [view view-name] hostname {address1 [address2 ... address8] | additional address9 [address10 ... addressn]}
7. ip dns primary domain-name soa server-name mailbox-name [refresh-interval [retry-interval [expire-ttl [minimum-ttl]]]]
8. ip host domain-name ns server-name
to check more please check this document.
Hope it helps.
Regards
Dont forget to rate helpful posts.

Dns-server / dhcp cisco 1700

Hi,
I wonder if i may run a few questions past you guys. We have a Cisco 1700 at one of our sites which is supposed to be managed but due to problems with the third party company i had to go there to perform some work.
I wanted to add in a dns server ip. Because i don't have the enable secret (Third PTY won't tell us) i used the break command normally used for password recovery. then once in used "copy start run".
Q. can i make config changes this way, save the changes then switch the config-register back and reload?
I managed to make the changes - Dhcp pool - dns-server ip's, right? changed the config-reg back and reloaded. No connectivity. anyway i messed around with different ip's eventually put it back to to original powered of for 5 mins and on again and it was ok.
Q: have i missed something out?
Q: could reloading or powering off and on to quickly affect thigs?
Q: Could the router be downloading it's config or something additional from a TFTP server? Is there anything i can check to confirm this on the config?
This is the dns part of the config all i want to do is change 1.0.84.187 for 84.33, should be simple?
ip dhcp pool 0
network 172.16.0.0 255.255.0.0
default-router 172.16.0.15
dns-server 1.0.84.8 1.0.84.187 158.152.1.43 158.152.1.58
domain-name parkside.net
lease infinite
Q: Is this part saying that 1.0.84.187 and 158.152.1.43 are not being used for dns?
no ip domain lookup
ip name-server 1.0.84.187
ip name-server 158.152.1.43
ip cef
no scripting tcl init
no scripting tcl encdir
Sorry i know thats long winded. Any help on any part of my problem would be much appreciated.
Kind regards
J mac

Hello,
check for any lines starting with ´boot´ in the upper part of the configuration, it is very well possible that the router is configured to boot a specific file, or from a TFTP server.
Regarding the change of the DNS server IP address, in DHCP pool configuration mode, first delete the existing line:
no dns-server 1.0.84.8 1.0.84.187 158.152.1.43 158.152.1.58
and reenter it:
dns-server 1.0.84.8 1.0.84.33 158.152.1.43 158.152.1.58
The DNS servers specified with the ´ip name-server´ command are used for non-DHCP clients.
Regards,
Nethelper

Cisco 877W acting a a DNS server. Does it answer external DNS queries coming from the WAN

Hello,
I have a Cisco 877W running on my ADSL2+ service at home.
It is setup to act as a DNS server to answer DNS queries for my LAN and has the below commands as part of its configuration
ip dns server
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 8.8.8.8
My question is, when I scan my WAN IP for open ports, port 53 (DNS) is open. Does this mean my router will be acting as a DNS server for anyone on the internet who directs DNS queries to my WAN IP?
If so, am I able to turn off port 53 towards the Internet, or do I need to add an an access-list to only accept queries from my internal network.
Thanks for your feedback.

That's correct. The "ip dns server" command will answer queries on any interface.
Given that your DHCP server is telling your clients to use Google DNS and not your router, I would just turn the router's DNS server off with the "no ip dns server" command.
Setting up an ACL (and/or inspection or zone-based firewalling) on your Internet-facing interface is the best practice to protect your network in general, not just to prevent external DNS queries.

Cisco 28xx easy vpn server & MS NPS (RADIUS server)

Здравстуйте.
Имеется LAN (192.168.11.0/24) с граничным роутером cisco 2821 (192.168.11.1), на котором настроен Easy VPN Server с локальной авторизацией удаленных пользователей, использующих для подключения Cisco VPN Client v 5.0. Все работает. В той же LAN имеется MS Windows Server 2012 Essensial в качестве DC AD.
Возникла необходимость перенести авторизацию удаленных пользователей на RADIUS сервер. В качестве RADIUS сервера хочется использовать MS Network Policy Server (NPS) 2012 Essensial (192.168.11.9).
На сервере поднята соответствующая политика, NPS сервер зарегистрирован в AD, создан RADIUS-клиент (192.168.11.1), настроена Сетевая политика. В AD создана группа VPN-USERS, в которую помимо удаленных пользователей добавлен служебный пользователь EasyVPN с паролем "cisco".
Ниже выдежка из сонфига cisco 2821:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
   description profile for remote access VPN
   match identity group ra1grp
   client authentication list rausrs
   isakmp authorization list ragrps
   client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
   description profile for remote access VPN via RADIUS
   match identity group EasyVPN
   client authentication list VPN-XAUTH
   isakmp authorization list VPN-GROUP
   client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
descrition -- to WAN --
crypto map stat-cmap
В результате на cisco вылезает следующая ошибка (выделено жирным):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface         [157] 14
RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name           [1]   9   "EasyVPN"
RADIUS: User-Password       [2]   18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
RADIUS: NAS-Port            [5]   6   1
RADIUS: NAS-Port-Id         [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type        [6]   6   Outbound                  [5]
RADIUS: NAS-IP-Address      [4]   6   192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
MS NAS выдает ошибку 6273:
Сервер сетевых политик отказал пользователю в доступе.
За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
Пользователь:
    ИД безопасности:            domain\VladimirK
    Имя учетной записи:            VladimirK
    Домен учетной записи:           domain
    Полное имя учетной записи:   domain.local/Users/VladimirK
Компьютер клиента:
    ИД безопасности:            NULL SID
    Имя учетной записи:            -
    Полное имя учетной записи:    -
    Версия ОС:            -
    Идентификатор вызываемой станции:        -
    Идентификатор вызывающей станции:       aaa.bbb.ccc.137
NAS:
    Адрес IPv4 NAS:        192.168.11.1
    Адрес IPv6 NAS:        -
    Идентификатор NAS:            -
    Тип порта NAS:            Виртуальная
    Порт NAS:            0
RADIUS-клиент:
    Понятное имя клиента:        Cisco2821
    IP-адрес клиента:            192.168.11.1
Сведения о проверке подлинности:
    Имя политики запроса на подключение:    Использовать проверку подлинности Windows для всех пользователей
    Имя сетевой политики:        Подключения к другим серверам доступа
    Поставщик проверки подлинности:        Windows
    Сервер проверки подлинности:        DC01.domain.local
    Тип проверки подлинности:        PAP
    Тип EAP:            -
    Идентификатор сеанса учетной записи:        -
    Результаты входа в систему:            Сведения об учетных данных были записаны в локальный файл журнала.
    Код причины:            66
    Причина:                Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
Игры с Cisco AV Pairs и прочими параметрами настройки Сетевой политики на RADIUS выдают аналогичный результат.
Штудирование "Network Policy Server Technical Reference" и "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" Document ID: 21060 ответа не дали.
Если кто практиковал подобное, прошу дать направление для поиска решения.

Going through your post, I could see that radius is sending access-reject because radius access-request is sending a vpn group name in the user name field. I was in a discussion of same problem few days before and that got resolved by making 2 changes.
replace the authorization from radius to local
and
changing the encryption type in transform set
However, in your configuration, your configuration already have those changes.
Here you can check the same : https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly radius server complaining? Can you please paste the error you're getting on the radius server.
~BR
Jatin Katyal
**Do rate helpful posts**

IOS SLB dns probe

Hi,
I'm trying to configure a DNS probe using IOS SLB, but it's not working.
I followed the manual on how to configure a DNS probe, but it just doesn't make any sense.
When using DNS probes on an ACE, you give a hostname which the DNS server should resolve to a configured IP Address.and configure an ip address, which makes sense.
On the IOS SLB, it is not the case. Two variables can be configured:
Router(config-slb-probe)# address ip-address]
(Optional) Configures an IP address to which to send the Domain Name System (DNS) probe.
Router(config-slb-probe)# lookup [ip-address]
(Optional) Configures an IP address of a real server that a Domain Name System (DNS) server should supply in response to a domain name resolve request.
What am I missing. Could someone please clearify??
Tnx!

To verify that a probe is configured correctly, use the show ip slb probe command:
Router# show ip slb probe
It may help you in troubleshooting purpose
For the further description for configuration for the DNS Probe following guide may help you
http://www.cisco.com/en/US/docs/ios/12_2/12_2z/12_2za/feature/guide/slbza5.html#wp2434837

DHCP issue on Cisco IOS router

Hi experts,
I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:33:41:   DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:41:   DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:33:41:   DHCPD: circuit id 00000000
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:34:02:   DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:34:02:   DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:34:02:   DHCPD: circuit id 00000000
Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
Thanks

Hi Alain, thanks for quick reply. The followings contain the output that you required. I hided the prefix of the IP with a.b.c. Thanks!
interface FastEthernet1/0.10
description : DHCP for EXHIBITION VLAN
encapsulation dot1Q 10
ip address a.b.c.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
end
r#sh ip dhcp pool
Pool EXHIBIT :
Utilization mark (high/low)    : 100 / 0
Subnet size (first/next)       : 0 / 0
Total addresses                : 126
Leased addresses               : 47
Pending event                  : none
1 subnet is currently in the pool :
Current index        IP address range                    Leased addresses
a.b.c.118        a.b.c.1      - a.b.c.126     47
#sh run | in/be dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.11
ip dhcp excluded-address a.b.c.126
ip dhcp excluded-address a.b.c.100 a.b.c.101
ip dhcp excluded-address a.b.c.51
ip dhcp pool EXHIBIT
   network a.b.c.0 255.255.255.128
   default-router a.b.c.1
   dns-server 207.172.3.8 207.172.3.9
   domain-name xyz.com
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
a.b.c.19        0168.7f74.6260.9b       Mar 23 2011 01:56 PM    Automatic
a.b.c.52        0100.4854.897d.17       Mar 23 2011 12:53 PM    Automatic
a.b.c.56        0100.4063.e7b5.b2       Mar 23 2011 03:33 PM    Automatic
a.b.c.57        0100.1b63.f246.8c       Mar 23 2011 03:34 PM    Automatic
a.b.c.68        015c.5948.0b97.d6       Mar 22 2011 05:59 PM    Automatic
a.b.c.69        0168.7f74.626d.67       Mar 23 2011 07:07 AM    Automatic
a.b.c.70        0198.fc11.5027.1d       Mar 22 2011 07:04 PM    Automatic
a.b.c.71        01dc.2b61.04ba.af       Mar 22 2011 10:26 PM    Automatic
a.b.c.72        017c.c537.58e6.64       Mar 22 2011 08:37 PM    Automatic
a.b.c.73        017c.6d62.3303.57       Mar 23 2011 03:54 AM    Automatic
a.b.c.74        0124.ab81.cda4.68       Mar 23 2011 05:01 AM    Automatic
a.b.c.75        0100.1e52.8f11.a5       Mar 23 2011 02:47 PM    Automatic
a.b.c.76        0100.264a.5fc8.e3       Mar 23 2011 07:13 AM    Automatic
a.b.c.77        017c.6d62.38cd.40       Mar 23 2011 02:06 PM    Automatic
a.b.c.78        0100.1d4f.f647.79       Mar 23 2011 02:37 PM    Automatic
a.b.c.79        0100.26b0.8637.3d       Mar 23 2011 01:16 PM    Automatic
a.b.c.81        0130.694b.e9de.82       Mar 23 2011 03:19 PM    Automatic
a.b.c.82        0100.21e9.6864.80       Mar 23 2011 12:04 PM    Automatic
a.b.c.83        0124.ab81.63e6.b5       Mar 23 2011 09:38 AM    Automatic
a.b.c.84        0100.16b6.0455.c2       Mar 23 2011 09:42 AM    Automatic
a.b.c.85        0100.1302.4c96.9e       Mar 23 2011 09:49 AM    Automatic
a.b.c.86        0140.a6d9.741c.e0       Mar 23 2011 12:12 PM    Automatic
a.b.c.87        0100.264a.b8e9.50       Mar 23 2011 10:16 AM    Automatic
a.b.c.88        0140.a6d9.4911.67       Mar 23 2011 03:19 PM    Automatic
a.b.c.89        013c.7437.1e32.96       Mar 23 2011 10:27 AM    Automatic
a.b.c.90        01d8.3062.689c.4b       Mar 23 2011 11:55 AM    Automatic
a.b.c.91        0158.946b.4df8.bc       Mar 23 2011 10:49 AM    Automatic
a.b.c.92        0100.2215.7368.26       Mar 23 2011 10:23 AM    Automatic
a.b.c.93        0100.23df.76ea.90       Mar 23 2011 02:33 PM    Automatic
a.b.c.94        0124.ab81.708d.83       Mar 23 2011 03:58 PM    Automatic
a.b.c.95        0100.1cb3.163d.5a       Mar 23 2011 03:13 PM    Automatic
a.b.c.96        01cc.08e0.2aeb.96       Mar 23 2011 01:27 PM    Automatic
a.b.c.97        0188.c663.d0d0.55       Mar 23 2011 01:57 PM    Automatic
a.b.c.98        0100.1b77.08bb.89       Mar 23 2011 01:15 PM    Automatic
a.b.c.99        0100.1ec2.47d7.19       Mar 23 2011 12:43 PM    Automatic
a.b.c.102       0100.1310.8e74.78       Mar 23 2011 12:41 PM    Automatic
a.b.c.103       0100.24d6.58b0.82       Mar 23 2011 01:44 PM    Automatic
a.b.c.104       0100.2608.7df2.68       Mar 23 2011 03:23 PM    Automatic
a.b.c.106       01c8.bcc8.1a86.41       Mar 23 2011 03:56 PM    Automatic
a.b.c.107       01a4.6706.1e54.94       Mar 23 2011 04:08 PM    Automatic
a.b.c.108       017c.c537.46ac.0e       Mar 23 2011 02:41 PM    Automatic
a.b.c.111       0100.037f.0ea2.19       Mar 23 2011 02:47 PM    Automatic
a.b.c.112       01d8.3062.75c5.9c       Mar 23 2011 03:33 PM    Automatic
a.b.c.113       0021.9116.449e          Mar 23 2011 03:36 PM    Automatic
a.b.c.114       0100.1ff3.46d9.a9       Mar 23 2011 03:40 PM    Automatic
a.b.c.116       0104.1e64.4a0d.a3       Mar 23 2011 04:21 PM    Automatic
a.b.c.117       0190.27e4.4ae8.94       Mar 23 2011 04:24 PM    Automatic
Thanks!

SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
no aaa authentication list default
authentication certificate
ca trustpoint CA
as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
   functions svc-enabled
   mask-urls
   svc address-pool "SSLVPN_OFFICE1"
   svc default-domain "domain.internal"
   svc keep-client-installed
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 192.168.53.33
   svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
      offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
      offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
      offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
HI,
Refer to
AnyConnect VPN Client FAQ
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

Internal DNS server and NAT routing issue.

Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
Thanks

Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

How to set up loopback# as source fro NTP and/or built-in DNS server ?

I have created a loopback# interface which I would like to be used as the router source interface for the NTP client and/or built-in DNS server so everything originating whithin the router has only one and unique IP address (such as: logging source-interface Loopback#)
The documentation explains how to create virtual interfaces but I cannot find how to associate them to the mentioned services except logging.
IOS is 12.4.15T.9

For DNS, maybe this would do the trick:
! (from DNS view configuration mode)
dns forwarding source-interface [Vlan10]

How to create A record on DNS server

How do i create an A record on the DNS server (windows server 2008) that would resolve into two ip addresses: PUB & SUB ip addresses respectivly, to enable EM redundancy in Cisco Unified Communications Manager 6.1.
Right now when the PUB failover to the SUB the EM does not work. the Phone services as well as the global directory does not work. the CUCM is fully integrated to LDAP.
Cisco recomends using an SLB but right now i am trying to use the DNS option. what i need now is how to create the A record on the DNS that would resolve into the two ip address of the PUB and SUB.

You can do this but your results won't be quite as expected. I've played around with this and you'll see that the request for when you press the services button will go to server A, then when you click on the EM service your request will go to server B, then the login back to server A even though you started the login session with server B and back and forth, then with the authentication information, etc. Also DNS doesn't know about the state of your servers. If a server is down you'll still have issues if the name resolves to the down IP address. As far as I've seen DNS will always round robin with multiple records for the same name (unless you use an SRV record).

Cisco IOS as DNS server

Similar Messages

Maybe you are looking for