02-18-2014 03:44 AM
Hi,
We are deploying ASA 55x5 hardware across the world to provide our mobile "Apple users" with a VPN solution to connect securely to specific resources using the default VPN capabilities of the Apple devices. We don't use AnyConnect. So far it has been good.
ISSUE:
Our default VPN setup is that all traffic from device needs to be sent via VPN tunnel when a tunnel is established. This has been working well. We use a MDM solution to provision the Apple devices which then automatically configures the device with both VPN + mailbox, certs, etc.
Our users can access corporate mail when connected just to the Internet using Internet DNS servers for resolution, and SSL-VPN between device and the MDM server to get to the mail servers. We have no issues here. Let us call our MDM server: mdm.xxx.net with IP x.x.x.x
We find that the devices cannot connect to our corporate email system while the VPN is up. The reason is that a VPN-connected device resolves the mdm.xxx.net entry using our 'Internal' DNS servers to an internal IP address y.y.y.y.
Normally this should not be a problem, but the issue is that due to other technical implementation/design decisions made on other infrastructure, the VPN-connected device is not allowed to reach the server through the internal address y.y.y.y.
PROPOSED SOLUTION:
Allow VPN-connected devices to connect to mdm.xxx.net using the external address only. Establish Split-Tunnel + Split DNS to allow only the specific server to be sent outside of the tunnel.
PROBLEM:
I think I have set up split-dns + split tunnel according to the docs. The problem is that the VPN-connected device still resolves the internal DNS name.
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host 8.8.8.8
access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "Google DNS Server"
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host x.x.x.x
access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "mdm.xxx.net" external IP address
group-policy MOBI_users internal
group-policy MOBI_users attributes
 dns-server value 172.24.1.1 172.24.1.2
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL-EXCLUDE-LIST
 default-domain value int.xxx.net
 split-dns value mdm.xxx.net
 split-tunnel-all-dns disable
How do I get the device to send DNS resolution traffic + other traffic for only the mdm.xxx.net entry outside the tunnel? I also tried changing the DNS server value so that the first DNS server was 8.8.8.8, but it does not seem to work.
Any pointers would be helpful.
Thanks in Advance.
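The interaction between the split-dns list and the exclude ACL in the post above, as an added example (not from the original post, nor Cisco's code): a Python model that parses the posted group-policy lines and reports, for a hostname, which resolver is consulted and whether traffic to the returned address stays outside the tunnel. It assumes, per the ASA command reference, that domains under `split-dns value` are resolved through the tunnel's DNS servers and everything else through the device's local resolver; the name-to-address answers are constructed.

```python
# Added example (not from the original post): models how the posted ASA
# group-policy steers DNS lookups and traffic. Assumed, per the ASA command
# reference: names under "split-dns value" go to the tunnel dns-servers,
# everything else to the device's local resolver.
import re

CONFIG = """
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host 8.8.8.8
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host x.x.x.x
group-policy MOBI_users attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL-EXCLUDE-LIST
 split-dns value mdm.xxx.net
"""

# Constructed answers per resolver; x.x.x.x / y.y.y.y are the post's placeholders.
ANSWERS = {"tunnel": {"mdm.xxx.net": "y.y.y.y"},   # internal DNS view
           "local": {"mdm.xxx.net": "x.x.x.x"}}    # Internet DNS view

def parse_policy(config):
    """Pull the ACL hosts, split-tunnel policy and split-dns domains."""
    pol = {"acl": {}, "split_dns": [], "policy": None, "acl_name": None}
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) standard permit host (\S+)", line):
            pol["acl"].setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"\s*split-tunnel-policy (\S+)", line):
            pol["policy"] = m.group(1)
        elif m := re.match(r"\s*split-tunnel-network-list value (\S+)", line):
            pol["acl_name"] = m.group(1)
        elif m := re.match(r"\s*split-dns value (.+)", line):
            pol["split_dns"] += m.group(1).split()
    return pol

def resolver_for(name, pol):
    """'tunnel' when the name falls under a split-dns domain, else 'local'."""
    hit = any(name == d or name.endswith("." + d) for d in pol["split_dns"])
    return "tunnel" if hit else "local"

def goes_through_tunnel(ip, pol):
    listed = ip in pol["acl"].get(pol["acl_name"], set())
    if pol["policy"] == "excludespecified":
        return not listed
    return listed if pol["policy"] == "tunnelspecified" else True  # tunnelall

def simulate(name, config=CONFIG, answers=ANSWERS):
    """Return (resolver used, address obtained, whether traffic is tunneled)."""
    pol = parse_policy(config)
    res = resolver_for(name, pol)
    ip = answers[res][name]
    return res, ip, goes_through_tunnel(ip, pol)
```

Running `simulate("mdm.xxx.net")` on the posted lines shows the name being sent to the tunnel resolver, which returns the internal address, so the exclude ACL entry for the external address is never consulted; removing the split-dns line flips both results.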