We have ASA5550 (ver. 8.0.4). We setup Split-tunneling. The Remote users were NOT able to access the intranet web server using Cisco VPN client. However, they were able to access other internal resources. We were able to ping the IP address of the Intranet Web server, but we were NOT able to ping by name. Do you have any suggestions?
Yes, what's your internal DNS server? Do you have ANY asigned to the VPN Client via the group policy? When connected, go ahead and type "nslookup" on your CMD of the Remote user, is the dns server showing there the correct one? if not then check your asa settings
We have Corporate office's DNS server setup in Group Policy. The Remote office has their own DNS server. If I type "nslookup", which DNS server is supposed to show? The Corporate office or Remote office.
By the way, the Remote computer is using the DHCP with the private IP address (10.x.x.xxx). But, the DNS server is the public IP address.
I typed NSLOOKUP at the Remote computer. It displayed the Corporate Office's DNS server. Is it correct? If it is NOT correct, how do I correct the problem?
The vpn connection should use the dns that is assigned via the VPN adapter, but I think you might need to enable split dns to make sure that only the traffic that matches a specific internal domain should be tunneled.
Thanks for your response.
The VPN adapter shows the Corporate office's DNS server. When I typed NSLOOKUP, it displayed the Corporate office's DNS server. So, did we setup the DNS server correctly?
We have over 100 Remote offices. Does it mean I need to enter 100 DNS entries for Split DNS?
Typically the split dns entry will contain the dns names that are located on your corporate office, however if you have many remote offices and each of them with different domains each and all of these offices are required to be reached via the vpn client, you might want to consider a different approach if this is not scalable for you.
Thanks for your prompt response. Sorry for posting the question twice. Do you have any other suggestions since it is not possible to put that many domains in Split DNS entry? How about setting up different Group policies?
Thanks for your response and information. The VPN adapter shows the Corporate office's DNS server. When I typed NSLOOKUP, the Remote computer also showed the Corporate office's DNS server. So, does it mean the DNS is setup correctly on the ASA?
We have about 100 Remote offices, do we need to put in 100 DNS servers for Split-DNS? The Remote offices are using Cisco VPN client to connect to us.