This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS through vpn over NAT

Hi @all,

I've got a quite big problem in my
*irony mode on* secret favorite topic => DNS *irony mode off* [:D]

We are using a special natted Site-to-Site VPN, described in the german Board: https://community.sophos.com/products/unified-threat-management/astaroorg/f/68/t/62093

Well, the Tunnel works fine (although I did not get any reply). I'm able to access the remote Server/shares and Websites. BUT (and this is a quite big BAD): we can only connect the server using IP Addresses becaus DNS is not working.
So I created two Request Routing Rules and added the remote DNS Server in the "Forwarders" Section in DNS Tab like BAlfson wrote in another Thread (Thx for that ;-) )

If I add a static DNS entry for one remote server, I'm able (hardly surprising..) to resolve this name.

Here is a diagram from Cisco that matches exactly my situation (but the IP addresses). just to get a better view:

Any ideas? Hope so.. [:)]

Regards

This thread was automatically locked due to age.

Parents

0 scorpionking over 11 years ago

Might be.

We need to know more about your NAT rules regarding this connection...
Cancel
Vote Up 0 Vote Down

Cancel
0 Webmaschder over 11 years ago in reply to scorpionking

Might be.

We need to know more about your NAT rules regarding this connection...

ok, let me try to translate the german text.
I will use the IP addresses from the diagram.

local net: 192.168.100.0/24
DMZ (oder fake-LAN): 172.20.1.0/24
remote Lan: 172.22.1.0/24

Site-to-Site VPN: "local Network": 172.20.1.0/24 "local Interface": WAN Interface and "remote Network": 172.22.1.0/24
automatic Firewall rules enabled

I've created a SNAT rule 192.168.100.0/24 -> Any -> 172.22.1.0/24 source translation: 172.20.1.1/24
and the DNS entries above.

additionally I added the IP Address 172.20.1.1 to local ASG-Interface.

That's all.
I'm able to access the remote Server via IP Address but not via FQDN

I followed this Article: How to tunnel between two ASGs having the same LAN network range
and this Threads: http://www.astaro.org/gateway-products/vpn-site-site-remote-access/47641-vpn-2-networks-same-internal-ip.html
http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/49196-natting-fake-lan-vpn-tunnel-problem.html

I know, this is a quite confusing environment but unfortunately there is no other way...
Cancel
Vote Up 0 Vote Down

Cancel
0 scorpionking over 11 years ago in reply to Webmaschder

I've created a SNAT rule 192.168.100.0/24 -> Any -> 172.22.1.0/24 source translation: 172.20.1.1/24

Typo or did you really create a network object with this address?

Any entries in firewall and ips log (if used)?

edit: By the way: is the DNS Server configured to allow DNS requests from your "fake" network?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 scorpionking over 11 years ago in reply to Webmaschder

I've created a SNAT rule 192.168.100.0/24 -> Any -> 172.22.1.0/24 source translation: 172.20.1.1/24

Typo or did you really create a network object with this address?

Any entries in firewall and ips log (if used)?

edit: By the way: is the DNS Server configured to allow DNS requests from your "fake" network?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Webmaschder over 11 years ago in reply to scorpionking

Typo or did you really create a network object with this address?

no, that's correct. I added this address to the local interface as additional address. Without this address I cannot use the SNAT rule and the 1:1 rule is not working.
the whole tunnel ist working BUT DNS. [:)]

Any entries in firewall and ips log (if used)?

IPS is disabled for the fake and the remote net. no entries for local net.
no entries in the firewall log (except the success entries: "used NAT#4" "used Firewall rule #18" ...)

edit: By the way: is the DNS Server configured to allow DNS requests from your "fake" network?

sure. both (fake net AND remote net remote net) are listed.
Cancel
Vote Up 0 Vote Down

Cancel