<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic In my opinion, the only way in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993844#M148300</link>
    <description>&lt;P&gt;In my opinion, the only way is to NAT the remote DNS server on some dummy IP address and use that IP address for split DNS. That way, the AnyConnect client will be able to differentiate between the 2 DNS servers. Kind of tricky, but should work. NAT needs to be done on the corporate office and split tunnel needs to be modified to send traffic for that dummy IP/network through tunnel.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;HTH&lt;/P&gt;
&lt;P&gt;-AJ&lt;/P&gt;</description>
    <pubDate>Thu, 22 Dec 2016 10:05:29 GMT</pubDate>
    <dc:creator>Ajay Saini</dc:creator>
    <dc:date>2016-12-22T10:05:29Z</dc:date>
    <item>
      <title>DNS not resolving after launching VPN client using split-DNS from branch office</title>
      <link>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993843#M148299</link>
      <description>&lt;P&gt;We have a hub &amp;amp; spoke network where branch offices are connected to the corporate office via L2L VPN with ASAs on both sides. There are no Domain Controllers at the branch offices, so DHCP is configured on the ASA with the primary DNS server being an internal DNS server in the corporate office, and the secondary is a public DNS server in case the tunnel goes down. Everything seems to be working with this. The corporate ASA also hosts an SSL VPN for remote clients which is using split-tunneling and split-DNS, and this works fine when clients connect from outside of the offices.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;The problem we're having is if a client needs to launch AnyConnect from one of the branch offices. DNS resolution works for the internal DNS domains configured in the split-DNS but it won't resolve external domains. IP traffic gets routed properly and we can ping any address we need to by IP but we can't resolve DNS to those external domains.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;The way things are configured, a client in the branch has a primary DNS server located in the corporate network with the address of 10.1.2.3. When the client connects with AnyConnect, his DNS server for that connection would also be 10.1.2.3. With the VPN connected, the 10.1.2.3 address would get routed over the SSL VPN. The split-DNS rule tells the client not to use the AnyConnect DNS server but instead use the DNS server attached to the physical network adapter ... it seems like a catch-22. How should I configure this to get external DNS to resolve from the branch offices?&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 08:41:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993843#M148299</guid>
      <dc:creator>meydenbauer</dc:creator>
      <dc:date>2019-03-12T08:41:40Z</dc:date>
    </item>
    <item>
      <title>In my opinion, the only way</title>
      <link>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993844#M148300</link>
      <description>&lt;P&gt;In my opinion, the only way is to NAT the remote DNS server on some dummy IP address and use that IP address for split DNS. That way, the AnyConnect client will be able to differentiate between the 2 DNS servers. Kind of tricky, but should work. NAT needs to be done on the corporate office and split tunnel needs to be modified to send traffic for that dummy IP/network through tunnel.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;HTH&lt;/P&gt;
&lt;P&gt;-AJ&lt;/P&gt;</description>
      <pubDate>Thu, 22 Dec 2016 10:05:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993844#M148300</guid>
      <dc:creator>Ajay Saini</dc:creator>
      <dc:date>2016-12-22T10:05:29Z</dc:date>
    </item>
    <item>
      <title>NAT needs to be done on the</title>
      <link>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993845#M148303</link>
      <description>&lt;P&gt;NAT needs to be done on the corporate office and split tunnel needs to be modified to send traffic for that dummy IP/network through tunnel. This will avoid a split-brain scenario.&lt;/P&gt;</description>
      <pubDate>Sat, 24 Dec 2016 10:54:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dns-not-resolving-after-launching-vpn-client-using-split-dns/m-p/2993845#M148303</guid>
      <dc:creator>Farhan Mohamed</dc:creator>
      <dc:date>2016-12-24T10:54:38Z</dc:date>
    </item>
  </channel>
</rss>

