How to correctly set the external DNS for Cisco?
There is a domain network 192.168.5.0/24, and there are also VPN clients that connect to the Cisco.
192.168.5.111 is the domain controller.
On the Cisco itself, a DNS server was brought up and two external Yandex DNS servers were registered.
To join a computer to the domain, it needs 192.168.5.111 as the first DNS, and the second one is the Cisco, 192.168.5.1.
In my opinion, such a scheme is flawed and miserable. I want there to be one single DNS that could also be reached from the Internet at an external address.
As an option, disable the DNS server on the Cisco and set name-server 192.168.5.111. But how do I make it so that the external port can reach the domain controller? (Windows always refuses to join the domain if the first DNS is not the domain's DNS.)
The config itself:
Current configuration : 3840 bytes
!
! Last configuration change at 11:29:02 Russian Mon Sep 29 2014
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router0
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone Russian 10 0
!
!
!
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.5.1 192.168.5.20
ip dhcp excluded-address 192.168.5.50
ip dhcp excluded-address 192.168.5.111
ip dhcp excluded-address 192.168.5.112
!
ip dhcp pool LAN
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.5.1
!
!
!
ip domain name cisco
ip name-server 77.88.8.2
ip name-server 77.88.8.88
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT sip
ip inspect name INSPECT_OUT router
ip inspect name INSPECT_OUT pptp
ip inspect name INSPECT_OUT tcp router-traffic
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group ZENIT
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
license udi pid CISCO881-K9 sn ххх
!
!
archive
log config
logging enable
hidekeys
username admin privilege 5 secret 5 ххх
username vadim privilege 5 secret 5 ххх
username enginee privilege 5 secret 5 ххх
username vpn privilege 0 password 7 ххх
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description ==INTERNET==
ip address х.28.110.78 255.255.255.252
ip access-group FIREWALL in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect INSPECT_OUT out
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1436
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool ZENIT
no keepalive
ppp authentication pap
!
interface Vlan1
description ==LAN==
ip address 192.168.5.1 255.255.255.0
ip access-group FIREWALL_OUT in
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
!
ip local pool ZENIT 192.168.5.200 192.168.5.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source static tcp 192.168.5.112 4888 interface FastEthernet4 4888
ip nat inside source static tcp 192.168.5.112 3389 interface FastEthernet4 3389
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 х.28.110.77
!
ip access-list extended FIREWALL
permit tcp any any eq 22
permit icmp any any
permit tcp any any eq smtp
permit tcp any any eq pop3
permit udp any any eq 110
permit tcp any host х.28.110.78 eq 3389
permit tcp any host х.28.110.78 eq 4888
permit tcp any any eq 6969
permit tcp any any range 6881 6889
ip access-list extended FIREWALL_OUT
permit ip any any
ip access-list extended NAT_ACL
permit ip 192.168.5.0 0.0.0.255 any
ip access-list extended PORT_ACL
permit udp host 192.168.5.112 any eq 3389
permit tcp host 192.168.5.112 any eq 3389
permit tcp host 192.168.5.112 any eq 4888
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
!
end
Bad idea. It is impossible to make the domain controller an "EXTERNAL" DNS. It should only be internal! For the outside, keep a separate
For these purposes, a separate NS server is allocated in the DMZ. On the router, configure another interface that will face the DMZ. You also place your external NS there. Configure zone-based firewall and NAT appropriately. You can read more here - www.cisco.com/c/en/us/products/collateral/security...
In the VPN's ACL, add a permit to the host with DNS, and there will be happiness.
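One way to lay out what the answer describes, as an added example that is not part of the original thread (assumed names: zones INSIDE, DMZ and OUTSIDE; VLAN 100 with 192.168.100.0/24 as the DMZ; 192.168.100.10 as a placeholder for the external name server):

```cisco
! Added example, not the poster's config. Assumptions: FastEthernet3 is
! already assigned to VLAN 100 on the switch, the public NS lives at
! 192.168.100.10 (placeholder), and "ip inspect INSPECT_OUT out" is
! removed from FastEthernet4, because CBAC and zone-based firewall
! should not be mixed on the same interface.
! LAN (and VPN pool) clients get the domain controller as their only resolver.
ip dhcp pool LAN
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 192.168.5.111
!
! The router stops answering DNS itself; the DC forwards to the Yandex servers.
no ip dns server
!
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
interface Vlan100
 description ==DMZ==
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 zone-member security DMZ
!
interface Vlan1
 zone-member security INSIDE
!
interface Virtual-Template1
 zone-member security INSIDE
!
interface FastEthernet4
 zone-member security OUTSIDE
!
! Only DNS may enter the DMZ from the Internet; everything else is dropped and logged.
class-map type inspect match-any CM-DNS
 match protocol dns
!
policy-map type inspect PM-OUTSIDE-TO-DMZ
 class type inspect CM-DNS
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-TO-DMZ
!
! Publish the DMZ name server on the public address (UDP and TCP 53).
ip nat inside source static udp 192.168.100.10 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.100.10 53 interface FastEthernet4 53
```

The inbound ACL FIREWALL on FastEthernet4 also needs permit entries for udp and tcp 53 to the public address, and INSIDE-to-OUTSIDE and INSIDE-to-DMZ zone-pairs (omitted here) are required before any LAN traffic will pass the zone-based firewall.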