
ASA 5110 VPN users - DNS not working but all pings ok

shampoocat
Level 1

So we've setup an ASA 5510 and users can VPN in no problem, and an IPCONFIG /ALL confirms that the DNS server settings from the group policy have been applied.

Group policy sets DNS servers as 192.168.2.8 (internal), 8.8.8.8 (google).

Public internet sites work ok.

Typing nslookup opens up on the correct internet DNS server, but all requests timeout.

C:\Users\atr>nslookup
Default Server:  dell_server5.ourcompany.local
Address:  192.168.2.8

> w7farmm3
Server:  dell_server5.ourcompany.local
Address:  192.168.2.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out

> w7farmm3.ourcompany
Server:  dell_server5.ourcompany.local
Address:  192.168.2.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out

> w7farmm3.ourcompany.local
Server:  dell_server5.ourcompany.local
Address:  192.168.2.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out

> google.com
Server:  dell_server5.ourcompany.local
Address:  192.168.2.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out

Any ideas?


gregsher88
Level 1

I am experiencing the same issue. My nslookup output is the same as above.

Greg, I'm reading this post at the moment - not sure if it's useful to either of us

http://www.astaro.org/astaro-gateway-products/vpn-site-site-remote-access/25507-cisco-vpn-client-2.html

Update:

I edited the Group Policy, under Advanced -> Split Tunneling

Changed the policy to "Tunnel All Networks"

and suddenly everything works!

Though I'm sure I don't want to leave it at Tunnel All Networks, so still looking into it.

If it works with tunnelall and not with split tunneling then you need to enable split dns.

Your group policy should look something like this:

group-policy vpnpolicyx internal
group-policy vpnpolicyx attributes
  split-dns value yourcompany.local

I hope this helps.

Thanks! That's it.

The existing setting was

DNS Names: (inherit: no) 192.168.2.7 151.203.0.85 151.202.0.85

So if this field should actually be a domain name, what was the person thinking who set this up? Any idea why they would put IP addresses in here? (192.168.2.7 is our local DNS server)

I think they just got confused; however, if you do a question mark you would see it mentions "list of domains"

asa(config-group-policy)# split-dns value ?

group-policy mode commands/options:
  LINE < 256 char  Enter a list of domains to be resolved through the Split Tunnel, separated with spaces.

However, it takes an IP (because an IP is a word too), hence the confusion

asa(config-group-policy)# split-dns value 1.1.1.1

I hope this clarifies your questions.

Have fun!

PS: Don't forget to rate this post and mark the question as answered
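
The misconfiguration found in this thread (IP addresses entered where split-dns expects domain names) can be caught by auditing a saved configuration. The following Python check is an added example, not code from the thread or from Cisco; the sample config is constructed, the second policy name is hypothetical, and a policy flagged for missing split-dns may still inherit it from a default group policy.

```python
import ipaddress
import re

# Constructed sample config: vpnpolicyx mirrors the thread's bad setting,
# vpnpolicyy (hypothetical name) shows the corrected form.
SAMPLE_CONFIG = """\
group-policy vpnpolicyx internal
group-policy vpnpolicyx attributes
 dns-server value 192.168.2.8 8.8.8.8
 split-tunnel-policy tunnelspecified
 split-dns value 192.168.2.7 151.203.0.85 151.202.0.85
group-policy vpnpolicyy internal
group-policy vpnpolicyy attributes
 dns-server value 192.168.2.8
 split-tunnel-policy tunnelspecified
 split-dns value yourcompany.local
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_split_dns(config_text):
    """Return {policy: [findings]} for group policies with split-dns problems."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {"tunnel": None, "split_dns": None})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:1] == ["split-tunnel-policy"] and len(words) > 1:
                current["tunnel"] = words[1]
            elif words[:2] == ["split-dns", "value"]:
                current["split_dns"] = words[2:]
        else:
            current = None  # left the attributes sub-mode
    findings = {}
    for name, p in policies.items():
        issues = []
        if p["tunnel"] == "tunnelspecified" and not p["split_dns"]:
            issues.append("split tunneling without split-dns")
        issues += [f"split-dns entry is an IP, not a domain: {t}"
                   for t in (p["split_dns"] or []) if is_ip(t)]
        if issues:
            findings[name] = issues
    return findings
```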