ASA 5505 split dns setup

mbrunton77 (Level 1)

Here is my setup.

I have an ASA 5505 configured using Easy VPN connecting to our corporate ASA. The ASA 5505 is configured for network extension mode with a routable subnet. The clients that hang off the ASA 5505 are DHCP and get their IP address and DNS settings from the ASA 5505. I have a split tunnel set up, so only certain networks go over the tunnel back to corporate. Local Internet browsing goes out the ASA 5505 to the ISP.

My question is how to set up split DNS. I would like to have my clients query the ISP's DNS servers for Internet-based websites and, when they need to access the Exchange server, have the query go to our corporate DNS servers. I see a setting for DNS names under the group policy on the corporate ASA, but how does the client know which DNS server to use?

The clients receive a primary DNS server (ISP) and a secondary (corporate DNS) from the ASA 5505.

Please help.

5 Replies

Yudong Wu (Level 7)

In the group policy, you need to use the following command to define the domain names that need to use split DNS:

split-dns {value domain-name1 domain-name2 domain-nameN | none}

If the client needs to resolve a DNS name in a domain in the list specified in the above command, the DNS query will be sent via the tunnel to the corporate DNS server.

I added the split DNS to the policy, but it is not working. If I type ping example.corporate.net, it does not resolve. The client is querying the public ISP DNS and not the internal corporate DNS where example.corporate.net resides.

Should I be making any changes to the DHCP settings on the ASA 5505? This is where the client gets the primary and secondary DNS settings.

Would you please check the following?

1. After the VPN tunnel is up, please ping your corporate DNS server from the VPN client to make sure it is reachable.

2. Use the "show vpn-sessiondb" command to check whether the client is using the correct group policy, the one where split-dns is enabled.

3. You can use Wireshark on the client to capture packets on the VPN adapter and see whether the client sends the DNS query to the corporate DNS server.

4. You might need to clear the DNS cache on your VPN client PC.

Otherwise, it could be a bug.

The VPN client is an ASA 5505 connecting to an Easy VPN server setup.

I ran Wireshark on the PC, and all the DNS queries are going to the ISP server because it's the primary DNS server. The only time it would query the corporate DNS server (secondary) is if the ISP server were down or unreachable.

That's what I don't understand about configuring split DNS. Where do I define that, say, example.corporate.net goes to this DNS server? From a PC perspective, the DNS query will always use the primary server first.

Sorry, I misunderstood your question.

Split DNS only works with the VPN client on a PC, not with a hardware client like the ASA 5505, because it is the PC that initiates the DNS query. A PC behind a hardware VPN client doesn't know anything about this split-DNS setup.

Can you change your DHCP setup on your 5505 to assign the DNS server IPs to the client in the following order:

In this way, the PC behind the ASA 5505 should try the corporate DNS server first and then your ISP DNS server.

Make sure your PC can reach your corporate DNS server.
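To show what the two sides of the thread's recommendation look like in configuration, here is an added example (not config posted by either participant). The group-policy name EZVPN_GP, the ACL name SPLIT_TUNNEL, the corporate DNS address 10.1.1.10, the ISP DNS address 203.0.113.53, the client pool 192.168.10.0/24 and the domain corporate.net are all assumed placeholders. The hub side carries the split-dns command from the first reply, which only influences software VPN clients; the remote ASA 5505 side hands out the corporate DNS server first, as the last reply suggests, because a PC behind a hardware client uses the first server it is given and only falls back to the second when the first is unreachable.

```cisco
! --- Corporate ASA (Easy VPN server) ---
! Networks reachable over the tunnel from the remote site. The corporate
! DNS server (assumed 10.1.1.10) MUST be inside this list, or the PC's
! queries to it will leave the 5505 towards the ISP instead of the tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0

group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Honoured by software VPN clients on a PC; a hardware client such as the
 ! ASA 5505 passes nothing about this to the PCs behind it.
 split-dns value corporate.net
 default-domain value corporate.net

! --- Remote ASA 5505 (Easy VPN hardware client, network extension mode) ---
! DHCP for the LAN: corporate DNS first, ISP DNS (assumed 203.0.113.53) second.
dhcpd address 192.168.10.10-192.168.10.100 inside
dhcpd dns 10.1.1.10 203.0.113.53
dhcpd domain corporate.net
dhcpd lease 3600
dhcpd enable inside
```

Two things to check after applying this: from a PC behind the 5505, a query aimed directly at the corporate server (for example nslookup example.corporate.net 10.1.1.10) must succeed while the tunnel is up, which confirms both the split-tunnel list and reachability in one step; and because the corporate server is now first, it will also receive the PC's queries for public Internet names, so it must be able to forward or recurse those, or the PC will wait for a timeout before trying the ISP server. Renew the DHCP lease (or clear the resolver cache) on the PC after changing the dhcpd dns order, otherwise the PC keeps the old server list until the lease expires.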
