Screen OS


Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

  • 1.  Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 14:03

    I have a Policy Based Tunnel with Shared Keys and with Static IP Addresses. The tunnel seems to be working fine and I can ping IP Addresses from both subnets.

     

    Subnet 192.168.50.0/24 (Site A - DNS Server located here)

    Subnet 192.168.50.10/24 (Site B - Office)

     

    I have a tunnel working between both sites; I can ping to the 192.168.50.0 subnet and also ping and access machines via IP address. I can also ping back to the 192.168.10.0 subnet as well.

     

    I am not sure if this is a routing issue or a policy issue. I have the ANY service between both subnets. I can't use any FQDNs either, but when I VPN in I can. I know this is a DNS issue but I'm not sure if this is a problem due to routing or not.

     

    Please advise. 



  • 2.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 14:11

    So is it right to say:

    - when you are in Site B, if you try to ping a host by name, it does not work?

     

    If so, what is the PC in Site B's DNS server pointing to?

     

    If you want the PC in Site B to resolve using the DNS server, I think you have to set it up correctly using DNS proxy.

     

    Here is an example:

     

    http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v2.pdf

     

    Page 227, Chapter 8.

     

    It explains how you can split the DNS queries.



  • 3.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 14:20

    If so, what is the PC in Site B's DNS server pointing to?

     

    Yes, the DNS server is located in Site A (192.168.50.0). I want Site B (192.168.10.0) to resolve domains with that server.



  • 4.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 14:29

    Did you configure the DNS proxy as I mentioned in the previous update?

     

    You will need the FW to be the DNS proxy if that's what you want to do.



  • 5.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 14:33

    The remote firewall is an older NS-100, Software Version: 4.0.0r13.0; it doesn't look like it's supported.

     

    It's strange that I can't just add my DNS server 192.168.50.20, which I can ping from the 192.168.10.0 subnet and also SSH to, but it's not resolving DNS. In our Data Center we have an SSG-550 running Firmware Version: 5.1.0x16.

     

    Any thoughts?

     

    Thanks



  • 6.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 14:41

    In that case, what is the DNS that your PC in Site B is pointing to?



  • 7.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 15:13
    I have it set to 192.168.50.20 as primary and a public one as secondary. Maybe I should get rid of the secondary.


  • 8.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 15:21

    I think you can just do an nslookup to see which DNS you are actually using:

    C:\>nslookup
    Default Server:  abc.abc.net
    Address:  X.X.X.X

    Message Edited by WL on 05-05-2009 03:20 PM


  • 9.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 15:23
    Strange, it's using the secondary IP address and not the primary. I need to look into this. I will keep you posted. Thanks


  • 10.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 15:37

    So I set only the 192.168.50.20 DNS server in all my settings and I get the following when I do an nslookup:

    *** Can't find server name for address 192.168.50.20: Query refused
    *** Default servers are not available
    Default Server:  UnKnown
    Address:  192.168.50.20

     

    Not sure what the issue is; here are my policies for the tunnel.

    set policy id 2 from "Trust" to "Untrust"  "192.168.10.0/24" "192.168.50.0/24" "ANY" Tunnel vpn "Tunnel for 192.168.50.0" id 3 pair-policy 1
    set policy id 1 from "Untrust" to "Trust"  "192.168.50.0/24" "192.168.10.0/24" "ANY" Tunnel vpn "Tunnel for 192.168.50.0" id 3 pair-policy 2
    set policy id 0 name "Created by policy wizard" from "Trust" to "Untrust"  "Any" "Any" "ANY" Permit

     

    Again, I can ping the DNS server no problem and also SSH to it, and ping back into the 192.168.10.0 subnet.

     

    Any thoughts?



  • 11.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-05-2009 16:03

    Can you take a look at the DNS server to see if it's configured to accept requests from this subnet?

     

    I think you need to add the subnet if it's not already configured on the server.

     

    If you need to check on the FW, you can try to run some debugs as well; follow the KB from Andy:

     

    http://kb.juniper.net/index?page=content&id=KB12208&smlogin=true

     



  • 12.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-06-2009 16:35
    I read articles that some firewalls can drop DNS packets due to their size. Ever heard of this for Juniper?


  • 13.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 05-06-2009 16:43

    It may happen if, let's say, the firewall received a larger packet and after encapsulation the MTU size is greater than what the interface can support. And let's say this is for a TCP packet where the DF bit has been set.

     

    In that case, the firewall finds it cannot fragment the packet, and it may cause the firewall to drop these packets at that point.

     

    For DNS however, it's UDP traffic where such flags do not come into the picture, so I don't really think that's going to apply.

     

    I think it's probably more beneficial for you to run some debugs (on the firewall) when you are doing an nslookup.

    That's going to tell you exactly where the DNS request was sent, e.g. whether the firewall dropped the request or anything.

     

     



  • 14.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet
    Best Answer

    Posted 05-08-2009 08:43
    Problem resolved, thanks for the help everyone. The firewall was not the problem, but we needed to clean up some routes since the DNS was sitting in a different subnet, and also add the new subnet to the DNS BIND server list.
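
    The diagnosis that runs through posts 10, 11 and 13 and lands in this answer is whether a query ever reaches the server (a route/tunnel-policy problem, seen as a timeout) or reaches it and gets turned away (a BIND allow-query problem, seen as "Query refused"). The following is an added example, not from this thread or from Juniper, that sends one raw UDP A query like nslookup does and maps the outcome to which of those two causes to look at first. The server address 192.168.50.20 is the one from the thread; the hostname is a placeholder.

```python
import socket
import struct

# DNS RCODE values (RFC 1035, section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# What each outcome usually means for a site-to-site tunnel like the one in this thread.
VERDICT = {
    "TIMEOUT": "no reply at all: suspect the tunnel policy/route for UDP 53 (run firewall debugs)",
    "REFUSED": "server reached but refused the query: add the remote subnet to the server's allow-query ACL",
    "NOERROR": "resolution works end to end",
    "NXDOMAIN": "server reached and answering; the name itself does not exist in its zones",
}

def build_query(name, qid=0x1234):
    """Build a standard recursive A query, the same kind nslookup sends."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, response):
    """Map a raw DNS reply to its RCODE name, after checking it answers our query ID."""
    if len(response) < 12:
        return "MALFORMED"
    qid, flags = struct.unpack(">HH", response[:4])
    if qid != struct.unpack(">H", query[:2])[0]:
        return "MISMATCH"
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def verdict(outcome):
    return VERDICT.get(outcome, "unexpected outcome %s: inspect the reply on the server side" % outcome)

def probe(name, server, timeout=3.0):
    """Send one UDP query to `server` and return (outcome, verdict)."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
        outcome = classify_response(query, data)
    except socket.timeout:
        outcome = "TIMEOUT"
    finally:
        sock.close()
    return outcome, verdict(outcome)
if __name__ == "__main__":
    # 192.168.50.20 is the DNS server from the thread; the hostname is a placeholder.
    print(probe("host.example.test", "192.168.50.20"))
```

    Run it from a Site B host: a TIMEOUT points at the firewall debugs suggested in post 13, a REFUSED at the BIND access list fixed in this answer.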


  • 15.  RE: Policy Based VPN Tunnel works But can't resolve DNS on remote Subnet

    Posted 10-13-2011 03:24

    Hi,

    I have a problem where I cannot ping the local DNS in the same subnet. There are 2 sites:

     

    Site A (Data Center)

     

    Public IP: 202.77.91.246

    Server IP: 10.1.2.10

    Local ip: 10.1.2.253/16

     

    Site B:

    Public IP: Using PPPoE (Dynamic)

    Local ip: 10.2.1.253/16

     

    I created the VPN tunnel between both sites and it's working. I can ping 10.1.2.10 but I cannot ping vmas.oaas.ctx (pointed to the 10.1.2.10 server).

     

    Hope both of you can share your knowledge since I'm still new to this kind of configuration.

    Thanks in advance~