DNS setup with a site to site IPSEC tunnel
Hi y'all,
Been trying this for a while now. In our office we have an HA cluster of 2 92Ds. I'm running a network there based on MS servers with 2012R2 domain controllers and DNS. I've got a couple of remote sites connected with 60D boxes. I set up an IPsec tunnel that works well and is very stable. On the remote sites I use DHCP and need to set up my DNS servers at HQ as the DNS to be able to resolve my servers at HQ; a side effect is that those DNS servers have to resolve all traffic. I've been trying to set up a DNS server on the 60D boxes so that everything is handled at the local 60D box.
I activated DNS on the internal interface and tried both recursive and non-recursive, and of course I set up the DNS server on the box to answer for the HQ domain, put in the right IP for the master, set type to slave and view to shadow, and set authoritative to enable.
Doesn't seem to work :( so I most humbly ask for some guidance.
Rene
Labels: Next Generation Firewall
...you have to set up split DNS: a local resolver that forwards your internal domains across the tunnel and is also the recursive resolver for everything else. Take a look at this. Pretty sure it has been covered many times.
https://forum.fortinet.com/tm.aspx?m=131231
..there are a couple more up there. Make sure you set the source-ip as something that is in the tunnel.
Tony Taylor Technical Ninja and Proprietor, Foundation Republic
832 850 5850 x2500
936 827 5472
Tony@FoundationRepublic.com
www.foundationrepublic.com
723 Main St, Ste 828, Houston Tx 77002
<http://facebook.com/foundationrepublic> <http://twitter.com/jimi_republic>
<http://linkedin.com/foundationrepublic>
On Fri, Jul 22, 2016 at 6:17 AM, rene van v Veen via firewall.public <firewall.public@fuse-lists.fortinet.com> wrote:
https://forum.fortinet.com/tm.aspx?m=122203
Conditional Forward is probably what you are looking for.
Tony Taylor
On Fri, Jul 22, 2016 at 7:52 AM, Tony Taylor via firewall.public <firewall.public@fuse-lists.fortinet.com> wrote:
Thx for your reply.
I tried it, deleted and tried again to no avail; feel kind of stupid.
It seems that it doesn't find the "DNS server" on the 60D box. I set it up as split DNS and followed both suggestions. Nothing gets resolved if I use nslookup in the domain (machine.domain.no); when I do an nslookup and specify the DNS server, it works like a dream. So I'm back to using my DNS servers from HQ provided through DHCP.
As said, feel a bit stupid.
Rene
going to hit it from. As an example, if you are using "internal" and clients are able to hit the interface, then this should work. The FGT itself needs to be able to resolve DNS also if you are wanting it to look up on behalf of the client.
config system dns-server
    edit "internal"
        set mode forward-only
    next
end
config system dns-database
    edit "example.local"
        set domain "example.local"
        set authoritative disable
        set forwarder "192.168.100.50"    <-- DNS server on the other side of the tunnel
        set source-ip 192.168.1.99        <-- internal interface IP that clients can hit
    next
end
Tony Taylor
On Sat, Jul 23, 2016 at 6:57 AM, rene van v Veen via firewall.public <firewall.public@fuse-lists.fortinet.com> wrote:
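As an added example (not code from the thread, Fortinet, or FortiOS), here is a small Python model of the split-DNS logic Tony describes: it parses the dns-database block posted above, picks the forwarder by longest domain suffix (generalising the single entry to several), and checks the source-ip pitfall against the IPsec phase2 selectors. The selector subnets are assumed values, since the thread does not give them.

```python
import ipaddress
import re
# Constructed sample: the dns-database entry from the thread, typed in here as a string.
FGT_CONFIG = """
config system dns-database
    edit "example.local"
        set domain "example.local"
        set authoritative disable
        set forwarder "192.168.100.50"
        set source-ip 192.168.1.99
    next
end
"""
# Assumed IPsec phase2 selectors (not on the page): remote-site LAN and HQ LAN.
PHASE2_LOCAL = ipaddress.ip_network("192.168.1.0/24")
PHASE2_REMOTE = ipaddress.ip_network("192.168.100.0/24")

def parse_dns_database(text):
    """Parse 'config system dns-database' blocks into {name: {key: value}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'^edit\s+"?([^"]+?)"?$', line):
            current = m.group(1)
            entries[current] = {}
        elif (m := re.match(r'^set\s+(\S+)\s+"?([^"]*?)"?$', line)) and current:
            entries[current][m.group(1)] = m.group(2)
        elif line == "next":
            current = None
    return entries

def check_tunnel_fit(entry, local_sel, remote_sel):
    """Source-ip must sit inside the tunnel's local selector and the forwarder inside the remote one, or the query never takes the IPsec path; returns a list of problems (empty means OK)."""
    src = ipaddress.ip_address(entry["source-ip"])
    fwd = ipaddress.ip_address(entry["forwarder"])
    problems = []
    if src not in local_sel:
        problems.append(f"source-ip {src} is outside local selector {local_sel}")
    if fwd not in remote_sel:
        problems.append(f"forwarder {fwd} is outside remote selector {remote_sel}")
    return problems

def pick_forwarder(qname, entries):
    """Longest-suffix match against configured domains; None means the FGT resolves recursively via its system DNS."""
    q, best = qname.lower().rstrip("."), None
    for e in entries.values():
        dom = e["domain"].lower()
        if (q == dom or q.endswith("." + dom)) and (best is None or len(dom) > len(best["domain"])):
            best = e
    return best["forwarder"] if best else None
```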
THX Tony.
That did the trick. Suddenly I realised what you meant with source-ip; works like a dream now.
PS: the DNS-server setting is recursive, forward-only didn't work.
Again thx for your help and insight.
Rene