I believe you are going to need an actual policy rule allowing the domain-udp with the before last clicked in implied rules. We have the same boxes clicked but need to have a DNS rule before the last rule in the rulebase in order for DNS to resolve over VPN.
Jeremy Lieb
CCSE-NGX CCSE+NGX
Firewall Administrator

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of No Name Available
Sent: Friday, August 31, 2007 8:23 AM
To: [email protected]
Subject: [FW-1] cannot resolve dns names through site to site vpn

Hi all,

I cannot resolve dns names through a vpn tunnel. I can ping the dns server from the client.

I have ticked the option accept domain name over udp before last, and accept domain name over tcp before last as well. There is nothing in the excluded services in the vpn community.

Both vpn gateways are ngx r61 gateways. The tunnel is up and everything else is working.

Tcpdump output from client side:

    14:16:13.921642 I client.1380 > dns server.53: 1+ PTR? Server dns.in-addr.arpa. (40)
    0000 xxxxxxx xxxxxxxx xxxxxxxxx 02313501 .............15.
    0010 30013002 31300769 6e2d6164 64720461 0.0.10.in-addr.a
    0020 72706100 000c0001 rpa.....
    14:16:14.196917 O dns server.53 > client.1380: 1* 1/0/0 PTR dns server4.<truncated> (80)
    0000 xxxxxxx xxxxxxxxx xxxxxxxx 02313501 .............15.
    0010 30013002 31300769 6e2d6164 64720461 0.0.10.in-addr.a
    0020 72706100 000c0001 c00c000c 00010000 rpa.............
    0030 04b0001c 08686c73 64633031 700b756b .....dns server
    0040 3336356f 66666963 6502636f 02756b00 x.co.uk.
    14:16:14.198972 I client.1381 > dns server.53: 2+ A? lhrmg01p. (26)
    0000 00020100 00010000 00000000 086c6872 .............lhr
    0010 6d673031 70000001 0001 mg01p.....
    14:16:14.473285 O dns server.53 > client.1381: 2 ServFail 0/0/0 (26)
    0000 00028182 00010000 00000000 086c6872 .............lhr
    0010 6d673031 70000001 0001 mg01p.....

Kind regards
Tauseef Khan
Infrastructure Team
Mob: 07796447091
