On Sat, 2004-07-24 at 18:09, G-Love wrote: > All - > > After much consternation, I was successfully able to install the Cisco > 3000 series VPN client on my FC2 box, with kernel 2.6.7 I had some > problems connecting at first, but that was fixed with a simple addition > to my iptables config file. Here's my current problem (and seemingly my > last hurdle to getting this to work as I need): > > I'm connecting to the VPN server using NAT, as I have a firewall running > on my machine. I can get to all the internal websites with no problem; > however, when I try to ssh to a machine on the internal network, it > simply hangs. When I try to ping the same machine, it times out with > the following message: > > PING: unknown host <hostname.myco.com> > > Then I did a little experiement. I got the IP address of the machine > that I was attempting to connect to, re-established my VPN connection, > then attempted to ssh to the machine using the IP address. Lo and > behold, it worked, and I was able to verify that I was, in fact, > connected to the machine thru my VPN connection (the 3000 series VPN > clients/concentrators allow for split tunnelling). > > SO...it seems as thought name resolution does not work with the VPN > connection enabled. In fact, I can't see (ssh, ping,...) ANY machines > while the VPN connection is active. I tried pinging cnn.com, and that > resulted in the same "unknown host..." message. I'm a bit of a newbie > to firewall configurations, etc, so any help on getting this to work > would be appreciated. I guess using the IP address is an OK workaround > for now, but I'd rather not rely on this method. > > Thanks. > > -greg This is related to another thread here in the last day. I suspect that the VPN client you are using does not have a DNS sever configured or does not have the correct DNS server configured. You validated that you do have network connectivity using the IP addresses. When you establish the VPN connection using the Cisco client software you should end up with some kind of security policy. (I am assuming this software is similar to Checkpoints Secure Remote). As part of that policy is DNS information. The DNS server it points to will resolve all your DNS queries. If for the DNS server is incorrect or unreachable then the query will fail. Are you able to identify a file on your system that contains the policy? I don't remember if Secure Remote encrypted the policy file or not. (I always looked at the file on the firewall side) Even in split tunnel mode with the Checkpoint software all DNS queries went to the one defined in the security policy. It did this since there was no way to differentiate if the request was for a name on the other end of the VPN or not. -- Scot L. Harris webid@xxxxxxxxxx In vino veritas. [In wine there is truth.] -- Pliny