Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2878
Views
0
Helpful
2
Replies

IPSec Client split tunnel doesn resolve external DNS; AnyConnect does

elpollodiablo
Level 1
Level 1

‎07-26-2011 03:45 PM - edited ‎02-21-2020 05:28 PM

So I'm banging my head on this one.

I have both an IPSec and AnyConnect profile on a single ASA.  Both are set to use the DfltGrpPolicy, which defines some of our internal DNS domains, and is set to tunnel a network list.  I created an Extended ACL to define which networks I wanted to allow to the clients.  Users can log in using the IPSec client or the AnyConnect client and are authenticated against the ACS server properly.  I do not use downloadable ACLs, Network Access Filtering, or Network Access Restrictions.

When I connect with the AnyConnect client, everything works as desired.  The VPN tunnels the DNS domains I specify, allows access to only the networks I specify, and sends everything else out of the local connection. 

However, when I use the IPSec client, ONLY the networks/domains in the DNS domains and tunnel list are accessible.  If I do an nslookup (which hits our internal DNS server), I can only get answers for domains in the domain list.  As far as I can tell, I have the settings for each connection profile (AnyConnect and IPSec) identical.  I even create a new Group Policy and then set it to just inherit the defaults and I get the same results. 

Am I able to add wildcard domains in the DNS suffix list?  I'm so confused as to why the same group policy works differently for the two profiles.  Any help is appreciated.

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Atul Singh
Level 1
Level 1

‎08-03-2011 04:32 PM

Hi,

Is it a Windows machine or MAC? And is a dns server configured on physical adapter also? Is split dns being used here?

DNS settings are per-interface in Windows. So if split-tunneling is used, DNS should fall back to physical adapter's DNS servers. Also try checking the "Allow Local LAN Access" in IPSec VPN Client in Transport tab.

-Atul

0 Helpful

elpollodiablo
Level 1
Level 1
In response to Atul Singh

‎08-03-2011 04:36 PM

It doesn't matter what platform the client uses.  (At least it is universal, so I know it's not a problem with any one particular platform.)

I'll try the allow local lan access option and see what happens. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents