This article shows how to configure a DNS server on a remote VPN in Nebula Cloud Center (NCC). A typical case: you have resources on a local domain behind the headquarters firewall and want to reach them by name from the remote sites (branches). To do that, you configure a DNS Domain Zone Forwarder on the branch firewall and test the result with nslookup.
Disclaimer! This might not work 100% of the time; it all depends on the type of scenario and the configuration beyond the firewall.
Topology:
1) Configure "This Gateway" as the DNS server for the Branch Firewall
Make sure the DNS server at headquarters is located inside the VPN's remote subnet (the subnet the tunnel routes to); otherwise the forwarded DNS queries will not enter the tunnel.
Start by setting the first DNS server on the branch LAN interface to "This Gateway".
Navigate to
Site-wide > Configure > Firewall > Interface
This is needed because the clients' DNS requests will then go to the branch firewall, which has to answer or forward them. In the next step, you configure where the firewall forwards requests for the headquarters domain (the Domain Zone Forwarder).
2) Configure the DNS server in the firewall settings
Navigate to:
Site-wide > Configure > Firewall > Firewall Settings
Add a new Domain Zone Forwarder that forwards the headquarters domain (for example example.local) to the DNS server at headquarters through the VPN, using the automatically created "auto" interface, and hit "Save".
3) Test the Result
Run nslookup on a PC connected to the branch LAN to check that the domain name resolves through the branch firewall.
nslookup example.local
4) If something goes wrong
If nslookup cannot resolve the name through your DNS server, try the steps below.
a) Create a policy route
It could be that the DNS server is not inside the VPN's remote subnet and therefore needs to be routed into the tunnel manually with a policy route.
Create a policy route that routes traffic from the source subnet (lan1) to the destination subnet where the DNS server is located, and set the next-hop to the VPN tunnel.
b) Ping DNS Server
You can try to ping the DNS server from a client PC to see whether it is reachable at all from the local subnet.
ping 172.10.10.12
If that doesn't work, try to ping it from the firewall to see whether the traffic is routed through the VPN tunnel. If it's not routed, try solution "a" to see whether a policy route helps.
c) Packet trace
If none of the above works, you can do a packet trace on the local firewall as well as on the remote firewall.
Either capture ESP packets on the WAN (to confirm whether any traffic enters the tunnel at all), or capture ICMP packets on the local and remote LAN. Look at this article on how you could capture packets on your firewall(s):
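The nslookup and ping tests in steps 3 and 4 leave you to interpret the raw output yourself. The script below is an added example, not part of this article or of Nebula: it classifies nslookup output (Linux/BIND and Windows formats) as resolved, NXDOMAIN, SERVFAIL or timeout, extracts the answered address, and maps each outcome to the step of this article worth revisiting. The branch gateway address 192.168.1.1, the domain example.local and the sample nslookup outputs are constructed placeholders; 172.10.10.12 is the headquarters DNS server from the ping test above. Run it as `sh dns_check.sh run` on a branch PC to perform the live checks (Linux `nslookup`/`ping` assumed); without the argument it only runs the classifier over the constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): interpret the step 3/4 test results and
# point at the article's remedy. Placeholders are labelled as assumptions.

DOMAIN="${DOMAIN:-example.local}"
GATEWAY="${GATEWAY:-192.168.1.1}"   # assumption: branch firewall LAN1 IP ("This Gateway")
HQ_DNS="${HQ_DNS:-172.10.10.12}"    # headquarters DNS server from the article's ping test

# Constructed nslookup outputs (Linux/BIND and Windows styles) for offline use.
SAMPLE_OK=$(printf 'Server:\t\t192.168.1.1\nAddress:\t192.168.1.1#53\n\nNon-authoritative answer:\nName:\texample.local\nAddress: 172.10.10.50\n')
SAMPLE_NX=$(printf "Server:\t\t192.168.1.1\nAddress:\t192.168.1.1#53\n\n** server can't find example.local: NXDOMAIN\n")
SAMPLE_TIMEOUT=$(printf ';; connection timed out; no servers could be reached\n')
SAMPLE_WIN=$(printf 'Server:  UnKnown\nAddress:  192.168.1.1\n\nName:    example.local\nAddress:  172.10.10.50\n')

# classify_nslookup: read nslookup output on stdin, print exactly one word:
#   resolved | nxdomain | servfail | timeout | unknown
# Failure markers are checked first because every nslookup output, successful
# or not, contains a "Server:/Address:" header for the server that was asked.
classify_nslookup() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -qiE 'timed out|no servers could be reached'; then
    echo timeout
  elif printf '%s\n' "$out" | grep -qiE 'NXDOMAIN|Non-existent domain'; then
    echo nxdomain
  elif printf '%s\n' "$out" | grep -qiE 'SERVFAIL|Server failed'; then
    echo servfail
  elif printf '%s\n' "$out" | grep -qE '^Name:'; then
    echo resolved
  else
    echo unknown
  fi
}

# answer_address: print the first address from the answer section (the
# "Address" line after "Name:"), or nothing if the name was not resolved.
answer_address() {
  awk '/^Name:/ {want=1; next}
       want && /^Address/ {sub(/^Address(es)?:[ \t]*/, ""); print; exit}'
}

# advise: map a classification to the step of the article to revisit.
advise() {
  case "$1" in
    resolved) echo "OK: $DOMAIN resolves via $GATEWAY; the Domain Zone Forwarder works." ;;
    nxdomain) echo "$GATEWAY answered but does not know $DOMAIN: check the zone name in the Domain Zone Forwarder (step 2)." ;;
    servfail) echo "$GATEWAY could not get an answer from $HQ_DNS: check reachability through the tunnel (steps 4a and 4b)." ;;
    timeout)  echo "No DNS answer at all: confirm LAN DNS is 'This Gateway' (step 1), then check that $HQ_DNS is reachable (steps 4a/4b)." ;;
    *)        echo "Unrecognised nslookup output: capture packets on both firewalls (step 4c)." ;;
  esac
}

# run_checks: live version of steps 3 and 4b on a Linux branch client.
run_checks() {
  result=$(nslookup "$DOMAIN" "$GATEWAY" 2>&1 | classify_nslookup)
  advise "$result"
  if [ "$result" != resolved ]; then
    # Step 4b: can the client reach the headquarters DNS server through the tunnel?
    if ping -c 2 -W 2 "$HQ_DNS" >/dev/null 2>&1; then
      echo "$HQ_DNS answers ping, so the tunnel carries traffic: re-check the forwarder (step 2)."
    else
      echo "$HQ_DNS does not answer ping: add a policy route to the VPN tunnel (step 4a), then ping from the firewall (step 4b)."
    fi
  fi
}

# demo: classify the constructed samples so the script runs offline.
demo() {
  for s in "$SAMPLE_OK" "$SAMPLE_NX" "$SAMPLE_TIMEOUT" "$SAMPLE_WIN"; do
    r=$(printf '%s\n' "$s" | classify_nslookup)
    a=$(printf '%s\n' "$s" | answer_address)
    echo "$r ${a:-(no answer)}: $(advise "$r")"
  done
}

if [ "${1:-}" = run ]; then run_checks; else demo; fi
```

The script reports a verdict only from what nslookup and ping return; it does not change any configuration. A SERVFAIL or timeout after the forwarder is in place is the signature of the routing problem that step 4a addresses, while NXDOMAIN with the gateway answering means the firewall is reachable but the forwarder entry itself deserves a second look.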