Upgrade from PIX to ASA 5510. VPN not working properly

ewellsie07, Level 1

After upgrading a client from a PIX 501 to an ASA 5510, I'm having problems with the VPN and specifically the hostnames for the internal devices.

Once active, the VPN on the ASA works perfectly fine by IP, but not by hostname.

If I edit the hosts file on the local machine, the hostname works fine, but that's not a feasible option to do for every machine that requires VPN access.

Can anyone check my config and see if I'm missing anything?

Thanks.

EDIT: It's not shown in that config, but the assigned DNS server for both VPNs is the 192.0.0.2 IP, which is the ****DC01 device.

18 Replies

Put the ASA back into the live environment yesterday and spent a few hours chasing down the problem, using Wireshark.

I was able to get it to work fine on my test laptop, however the client's laptops weren't working still.

After capturing the packets with Wireshark, I realized that the DNS requests from their laptops were for hostname.townof********.gov instead of hostname.********.local, so the DNS queries were not being answered.

Not really sure why it was doing that, as the .gov is their public website address, and the *********.local is their domain. They are actually two different domain names.

If I pinged or ran nslookup against the FQDN hostname.********.local, then I would get a response.

The temporary solution is that we created a batch file with a delay to automatically map drives to the FQDN servers after the VPN has connected.

I'd like to figure out why it's not querying the correct domain though, but ultimately it appears it may not have been an ASA problem at all.

Do you already have the default-domain value specified under the group-policy? If you specify that, it should use the .local. However, if you are using split-tunneling, it *may* use the physical adapter first. One thing you can try is changing the binding order of the adapters, so the VPN client adapter is at the top. To do this, open Network Connections -> Advanced -> Advanced Settings, and put the adapter for the Cisco VPN client at the top (it should be one of the ones labeled as Local Area Connection). Make sure you verify you're moving the correct one to the top. See if that fixes the issue.

Yes, the default domain value is specified as ********.local and it works correctly on my test laptop, even after I joined it to the client's domain similar to their laptops.

We didn't previously have split tunneling enabled, but I just enabled it this morning after we figured out the other issue.

Then I would recommend changing the binding order on the adapters in Windows, and see if that does it.

Also, you can add a split-dns value using the .local domain, so all .local DNS requests will be sent over the tunnel. This is if you're using split-tunneling.
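The group-policy settings discussed in this thread (DNS server, default-domain, split tunneling and split-dns), collected into one ASA configuration fragment. This is an added example, not the poster's config or Cisco's reference material: the group-policy, tunnel-group, ACL and pool names, the example.local domain, the 10.10.10.0/24 client pool and the 192.0.0.0/24 internal subnet are all assumptions made for illustration; only the 192.0.0.2 DNS server comes from the thread.

```cisco
! Added example for the Cisco IPsec VPN client on an ASA 5510 (8.x syntax).
! All names and subnets below are hypothetical placeholders.

! Pool handed to VPN clients; kept off the internal subnet so routes stay unambiguous.
ip local pool VPN_POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0

! Only traffic to the internal LAN goes through the tunnel (split tunneling).
access-list SPLIT_ACL standard permit 192.0.0.0 255.255.255.0

group-policy VPN_GP internal
group-policy VPN_GP attributes
 ! Internal DNS server pushed to the client (the DC in the thread is 192.0.0.2).
 dns-server value 192.0.0.2
 ! Suffix appended to unqualified names such as "fileserver".
 default-domain value example.local
 ! Split tunneling: the client still has a local default route.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 ! With split tunneling, force queries for these domains into the tunnel
 ! instead of the physical adapter's resolver; multiple domains may be listed.
 split-dns value example.local
 vpn-idle-timeout 30

tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_GP
```

To confirm what a connected client actually received, check `show vpn-sessiondb remote` on the ASA for the assigned address, and `ipconfig /all` on the Windows client: the VPN adapter should list 192.0.0.2 as its DNS server and the default-domain value as its connection-specific DNS suffix. If the suffix shown there is the public .gov name rather than the .local one, the client is appending its own primary DNS suffix, which is the symptom described earlier in the thread, and the adapter binding order or split-dns setting is the next thing to look at. Keep in mind that enabling split tunneling means the client is simultaneously on its local network and the corporate LAN, so it should only be turned on with that exposure accepted.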
