cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
228
Views
0
Helpful
10
Replies
Highlighted
Beginner

ASA 5505 IPSEC VPN Error

Hi,


Some of our users are receiving error when connect on IPSec VPN 

"The system has detected a possible attempt to compromise security VPN issue unable to map drives automatically"

and sometimes they struggle on DNS resolution. I have added ip addresses manually in host file but is there a better way.

I googled it but I got different views from everywhere. I would not like to try it on a production firewall unless someone know the fix.

Thanks,

10 REPLIES 10
Highlighted
Rising star

Hello Mohammed,

Hello Mohammed,

You have group-policy for the vpn-tunnel group and I assume you enabled split-tunnel, then you can force the vpn-users to send dns-lookup for internal domain-names into internal servers, rather than sending the dns-lookup to local ISP.

 

group-policy your-vpn-group-policy attributes
dns-server value 10.121.81.64 10.121.81.65
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test-Split-Tunnel-List
default-domain value whatever.com
split-dns value whilte.com black.com yellow.com brown.com pink.com

as you can see in my split-dns value contains many internal domain names, for which nslookup will come into internal dns-server at: 10.121.81.64 10.121.81.65 for particular group-policy vpn-users.

Hope that helps.

Thanks

Rizwan Rafeek.

Highlighted
Beginner

Hi Rizwan,

Hi Rizwan,

I have got group policy as suggested earlier. does it look ok? or am I missing something?

group-policy company internal
group-policy company attributes
dns-server value 192.168.0.2 192.168.0.1
vpn-idle-timeout 43200
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value company.com
address-pools value vpnippool

Highlighted
Rising star

Hello Mohammed,

Hello Mohammed,

You don't need these two values.

- - - - - - - - - - - - - 

vpn-idle-timeout 43200
pfs enable

- - - - - - - - - - - - - 

You still have to make your vpn-client to send nslookup for your internal domain-names into the tunnel, otherwise for your internal hostname lookups will be going to local ISP for remote access IPSec vpn-clients.

Example is shown below, you need to specify your internal domain names as such shown below. 

split-dns value whilte.com black.com yellow.com brown.com pink.com

thanks

Rizwan Rafeek

Highlighted
Beginner

If I run these commands would

If I run these commands would it fix the issue?

No VPN idle time out

no PSf enable

Split-dns value white.com

Highlighted
Rising star

Hello Mohammed,

Hello Mohammed,

"If I run these commands would it fix the issue?"

NO, but you don't not need those lines.

But what you need is to enable  split-dns, as shown below.

group-policy your-vpn-group-policy attributes

 split-dns value whilte.com black.com yellow.com brown.com pink.com

Highlighted
Beginner

Thanks. I would add split-dns

Thanks. I would add split-dns on Monday and get back to you.

Highlighted
Rising star

Hello Mohammed,

Hello Mohammed,

"Could I just append this line in group policy?"

Yes you can but replace with list of domain-names that you want your remote-vpn client's dns-names lookup to come into the tunnel.

You have split-tunnel enabled?

 

Highlighted
Beginner

Hi rizwanr74,

Hi rizwanr74,

I have tried split-tunnel value and it has not resolve it.

Thanks,

Highlighted
Rising star

Post your configuration.

Post your configuration.

Highlighted
Beginner

Hi Rizwan,

Hi Rizwan,

Could I just append this line in group policy?

split-dns value whilte.com black.com yellow.com brown.com pink.com

or does it have to be in particular order?