Issue on VPN Clients registering their home network IP address on the DNS server

BroadcastStorm Member Posts: 496
Hey guys, I decided to create a new thread in regard to an issue I am having with our VPN 3000 Concentrators. I included the last thread since its title and description are vague.

http://www.techexams.net/forums/ccnp/57576-vpn-3000-concentrator-users.html

History: VPN clients connecting to the VPN 3000 concentrators get an IP address from a Windows 2003 DHCP server; they are assigned a 192.168.30.x IP address.

Problem: VPN clients are registering their private IP address of 192.168.1.x (the typical private IP/DHCP range they obtain from their "home" network/router) and their hostname in the corporate DNS server. As a result, some of the devices are throwing errors because of multiple A records pointing to the same IP address.

Example:

Hostname/IP Address

Server1 - 192.168.1.101
User1 - 192.168.1.101
User2 - 192.168.1.101

I've attempted to modify the configuration on our DHCP server. I tested it and I thought it worked for a little bit, but after checking this morning I saw some duplicate DNS A records again. I tried searching the options on the DNS 3000 concentrator, and the powerful Google, but did not get any results.

I would appreciate help or advice from the experts.

Comments

  • tiersten Member Posts: 4,505
    I'd assume this is some sort of configuration issue with your DNS server and nothing to do with the VPN client or the VPN box. By default, Windows has the option to register that host in the configured DNS server enabled in each of the network interfaces. Getting all the end users to change that option is going to be like herding cats so that is out already. There must be something in the DNS server which will reject attempts at registering hosts.
  • BroadcastStorm Member Posts: 496
    tiersten wrote: »
    I'd assume this is some sort of configuration issue with your DNS server and nothing to do with the VPN client or the VPN box. By default, Windows has the option to register that host in the configured DNS server enabled in each of the network interfaces. Getting all the end users to change that option is going to be like herding cats so that is out already. There must be something in the DNS server which will reject attempts at registering hosts.

    Thanks for the response. I was thinking something along the lines of prohibiting VPN clients from ultimately registering to the corporate DNS server; I am still trying to figure out what repercussions this might cause the user.

    But I ultimately wanted to have the VPN 3000 Concentrator also act as the DHCP server and disable DHCP from updating its client list to the DNS server.
  • BroadcastStorm Member Posts: 496
    I went ahead and modified the DHCP settings on the Windows 2003 Server for 192.168.30.x (the VPN clients' DHCP pool) by prohibiting it from registering to the DNS server. The problem here is that the VPN clients are registering their home IP of 192.168.1.x. I'll find out if it works and inform everyone.

    Thanks!
  • BroadcastStorm Member Posts: 496
    This didn't work after I had a user test it out.

    But I think I might have a good solution: put the computer accounts of the VPN clients on Windows into an OU, and apply a GPO prohibiting them from ever updating their DNS records.

    As far as the 192.168.1.x, I cannot disable DNS updates, for we have local clients dynamically updating their DNS records.
  • BroadcastStorm Member Posts: 496
    Hey guys, just want to update everyone on the solutions that I implemented or am planning on implementing:

    1. Applied a GPO targeting the VPN client computer accounts and disabled DNS registration on their machines; this one worked, but it's more like a band-aid.
    2. Planning on applying some ACL along these lines:

    access-list default-filter deny ip object-group default-vpn-pool object-group dyndns
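
To check whether a change such as the GPO or the ACL above actually stopped the stale registrations, the zone can be audited for the symptom described in this thread. The following is an added example, not code from any poster: it assumes a simplified `name A address` listing of the zone (a constructed format and constructed sample data) and a hypothetical list of VPN client hostnames, and it reports addresses claimed by more than one hostname as well as VPN clients registered outside the 192.168.30.x pool.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in an assumed "name A address" format (not data from the thread).
SAMPLE_ZONE = """\
Server1 A 192.168.1.101
User1 A 192.168.1.101
User2 A 192.168.1.101   ; stale home-network registration
User3 A 192.168.30.17
Printer1 A 192.168.1.50
broken A not-an-address
"""

VPN_POOL = ipaddress.ip_network("192.168.30.0/24")  # VPN DHCP pool named in the thread


def parse_a_records(text):
    """Yield (hostname, IPv4Address) for each well-formed A record line."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) != 3 or fields[1].upper() != "A":
            continue
        try:
            yield fields[0].lower(), ipaddress.IPv4Address(fields[2])
        except ipaddress.AddressValueError:
            continue  # skip malformed addresses instead of aborting the audit


def duplicate_a_records(text):
    """Return {address: sorted hostnames} for addresses claimed by more than one host."""
    owners = defaultdict(set)
    for host, addr in parse_a_records(text):
        owners[addr].add(host)
    return {str(a): sorted(h) for a, h in owners.items() if len(h) > 1}


def vpn_hosts_outside_pool(text, vpn_hosts):
    """Return sorted (hostname, address) pairs for VPN clients registered outside VPN_POOL."""
    wanted = {h.lower() for h in vpn_hosts}
    return sorted((host, str(addr)) for host, addr in parse_a_records(text)
                  if host in wanted and addr not in VPN_POOL)


if __name__ == "__main__":
    for addr, hosts in duplicate_a_records(SAMPLE_ZONE).items():
        print(f"{addr} is claimed by: {', '.join(hosts)}")
    # Hypothetical VPN client list, e.g. the computer accounts placed in the OU.
    for host, addr in vpn_hosts_outside_pool(SAMPLE_ZONE, ["User1", "User2", "User3"]):
        print(f"{host} registered {addr}, which is outside {VPN_POOL}")
```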