03-20-2020 10:10 PM - last edited on 03-24-2020 10:06 AM by Monica Lluis
You can ask your question in your own language:
Español | Português | Français | Русский | 日本語 | 简体中文 |
Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.
This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.
To participate in this event, please use the button below to ask your questions
Ask questions from Friday, March 20 to Friday, April 3, 2020
Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.
**Helpful votes encourage participation!**
Please be sure to rate the Answers to Questions
03-21-2020 11:41 PM
Hi,
Any guidelines for troubleshooting DNS queries? Resolving local DNS is always a pain when connected using the AnyConnect VPN.
Thanks
03-22-2020 12:42 AM
Hello,
Are you facing issues with local DNS resolution through the VPN tunnel?
If yes, you can check the group-policy attributes for the specific value.
If you are looking for best practices, you can configure the following three options for DNS with AnyConnect:
You can also check the following link for more clarity on DNS behavior with AnyConnect:
Regards,
Aditya
Please rate helpful posts
03-22-2020 03:30 AM
Hi,
Thanks for the reply
"Split DNS - The DNS queries which match the domain names, are configured on the Cisco Adaptive Security Appliance (ASA). They move through the tunnel (to the DNS servers that are defined on the ASA, for example) while others do not."
When you say "DNS servers that are defined on the ASA", do you mean the DNS servers configured on the ASA firewall itself, or the ones in the tunnel group or group policy?
For "the DNS queries which match the domain names", do you mean the domain name configured on the firewall or the one in the group policy?
What if we have split domains like test.local and test.com?
test.com is a forward zone on the same test.local DNS server (e.g. 192.168.1.100).
test.com also resolves to private IP addresses.
This is my current configuration:
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.1.100
domain-name test.local
Thanks
03-22-2020 08:06 AM
Hello,
All the values would be under the group-policy. You can add multiple values/domains under the group-policy.
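As an added illustration of the point made in this reply and in the earlier answer (this is example configuration written for this page, not something posted in the thread), the following ASA CLI fragment shows where the VPN-client DNS settings actually live. It uses the original poster's internal DNS server 192.168.1.100 and the domains test.local and test.com; the names GP_REMOTE, SPLIT_ACL, VPN_POOL and RA_PROFILE are assumed placeholders. Note that the poster's `dns server-group DefaultDNS` block only controls how the ASA itself resolves names; AnyConnect clients take their DNS server, default domain and split-DNS list from the group policy.

```cisco
! Added example, not from the thread. Placeholder names: GP_REMOTE, SPLIT_ACL,
! VPN_POOL, RA_PROFILE. The DNS server and domains are the poster's own values.

! Internal network that should be reached through the tunnel (assumed /24)
access-list SPLIT_ACL standard permit 192.168.1.0 255.255.255.0

! Address pool handed to AnyConnect clients (assumed range)
ip local pool VPN_POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0

! Group policy: the DNS values for VPN clients are defined here
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 ! DNS server the client uses for tunneled queries
 dns-server value 192.168.1.100
 ! Suffix appended to unqualified names on the client
 default-domain value test.local
 ! Split tunneling: only SPLIT_ACL networks go through the VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 ! Split DNS: queries ending in these suffixes are sent to 192.168.1.100
 ! over the tunnel; every other query uses the client's local resolver
 split-dns value test.local test.com

! Bind the group policy to the AnyConnect connection profile
tunnel-group RA_PROFILE type remote-access
tunnel-group RA_PROFILE general-attributes
 address-pool VPN_POOL
 default-group-policy GP_REMOTE
```

If you would rather send every DNS query through the tunnel regardless of domain (the "tunnel all DNS" option mentioned elsewhere in this thread), replace the `split-dns value` line with `split-tunnel-all-dns enable` in the same group policy. To confirm what a connected client actually received, check `show run group-policy GP_REMOTE` on the ASA and `show vpn-sessiondb anyconnect` for the session, and on the client verify that test.local and test.com names resolve to the private addresses expected from 192.168.1.100 while other names still resolve through the local adapter.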
03-22-2020 12:27 PM
Hi,
Do we have any option in Cisco AnyConnect with an FTD firewall for blocking non-Windows-joined machines and allowing only domain computers to connect to AnyConnect?
Thanks
Basavaraj
03-22-2020 12:44 PM
Hi Basavaraj,
You can use machine certificate authentication for AnyConnect users to ensure that only domain machines can join. Config guide - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/firepower_threat_defense_remote_access_vpns.html#id_login_via_clientcert
Hi,
If I understand, you are looking to enforce DLP for BYOD users. The best way to do this on the FTD would be to have the BYOD users connect to a separate connection profile/group-policy. I would give this connection a different address pool from the domain users. You can then use application filters on the FTD access policy to block file transfer protocols for the BYOD VPN pool. Keep in mind that FTD is not a true DLP application, but the application filter will help accomplish what you need to do - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/rule_management_common_characteristics.html#id_16281
HTH
03-23-2020 03:58 AM
Hi,
Thanks for the reply.
I have tried them all: split DNS, standard, tunnel all DNS... Still I cannot resolve (the DNS server is reachable from the server). I am using AnyConnect 4.8 and ASA code 9.2.
Please advise