ASA- SPLIT Tunnel / SPLIT DNS Question

CUKZAMKH1
Level 1

Hi,

We are deploying ASA 55x5 hardware across the world to provide our mobile "Apple users" with a VPN solution to connect securely to specific resources using the default VPN capabilities of the Apple devices. We don't use AnyConnect. So far it has been good.

ISSUE:

Our default VPN setup is that all traffic from device needs to be sent via VPN tunnel when a tunnel is established. This has been working well. We use a MDM solution to provision the Apple devices which then automatically configures the device with both VPN + mailbox, certs, etc.

Our users can access corporate mail when connected just to the Internet using Internet DNS servers for resolution, and SSL-VPN between device and the MDM server to get to the mail servers. We have no issues here. Let us call our MDM server mdm.xxx.net with IP x.x.x.x

We find that the devices cannot connect to our corporate email system while the VPN is up. The reason is that a VPN-connected device resolves the mdm.xxx.net entry using our 'Internal' DNS servers to an internal IP address y.y.y.y.

Normally this should not be a problem, but the issue is that due to other technical implementation/design decisions made on other infrastructure, the VPN-connected device is not allowed to reach the server through the internal address y.y.y.y.

PROPOSED SOLUTION:

Allow VPN-connected devices to connect to mdm.xxx.net using the external address only. Establish split tunnel + split DNS to allow only the specific server to be sent outside of the tunnel.

PROBLEM:

I think I have set up split DNS + split tunnel according to the docs. The problem is that the VPN-connected device still resolves the internal DNS name.

      access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host 8.8.8.8
      access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "Google DNS Server"
      access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host x.x.x.x
      access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "mdm.xxx.net" external IP address

      group-policy MOBI_users internal
      group-policy MOBI_users attributes
        dns-server value 172.24.1.1 172.24.1.2
        split-tunnel-policy excludespecified
        split-tunnel-network-list value SPLIT-TUNNEL-EXCLUDE-LIST
        default-domain value int.xxx.net
        split-dns value mdm.xxx.net
        split-tunnel-all-dns disable

How do I get the device to send DNS resolution traffic + other traffic for only the mdm.xxx.net entry outside the tunnel? I also tried changing the DNS server value so that the first DNS server was 8.8.8.8, but it does not seem to work.

Any pointers would be helpful.

Thanks in Advance.
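An added example, not from this thread or from Cisco: it parses the ACL and group-policy lines posted above and applies the documented ASA meaning of split-tunnel-policy, split-tunnel-network-list and split-dns, so you can check where a given destination or DNS query is sent before rolling a policy out. The address 203.0.113.10 stands in for x.x.x.x; the model follows the ASA documentation, not the behaviour of any particular client (the native Apple client and AnyConnect can differ).

```python
import ipaddress

# Constructed copy of the posted ACL and MOBI_users group-policy attributes;
# the x.x.x.x external address is stood in for by 203.0.113.10 (documentation range).
ASA_CONFIG = """
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host 8.8.8.8
access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "Google DNS Server"
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host 203.0.113.10
access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "mdm.xxx.net" external IP address
  dns-server value 172.24.1.1 172.24.1.2
  split-tunnel-policy excludespecified
  split-tunnel-network-list value SPLIT-TUNNEL-EXCLUDE-LIST
  default-domain value int.xxx.net
  split-dns value mdm.xxx.net
  split-tunnel-all-dns disable
"""

def parse_config(text):
    """Collect standard-ACL networks per ACL name and group-policy attributes."""
    acls, policy = {}, {}
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            net = t[5] + "/32" if t[4] == "host" else t[4] + "/" + t[5]  # host, or net + mask
            acls.setdefault(t[1], []).append(ipaddress.ip_network(net))
        elif t[:1] in (["split-tunnel-policy"], ["split-tunnel-all-dns"]):
            policy[t[0]] = t[1]
        elif len(t) > 2 and t[1] == "value":
            policy[t[0]] = t[2:]
    return acls, policy

def traffic_path(acls, policy, dst_ip):
    """'tunnel' or 'local' for a packet to dst_ip under the split-tunnel policy."""
    mode = policy.get("split-tunnel-policy", "tunnelall")
    acl = acls.get(policy.get("split-tunnel-network-list", [None])[0], [])
    listed = any(ipaddress.ip_address(dst_ip) in net for net in acl)
    if mode == "tunnelall":
        return "tunnel"
    if mode == "tunnelspecified":
        return "tunnel" if listed else "local"
    return "local" if listed else "tunnel"  # excludespecified: listed networks bypass the tunnel

def dns_path(policy, qname):
    """('tunnel', vpn_dns_servers) or ('local', []) for a DNS query for qname."""
    vpn_dns = policy.get("dns-server", [])
    all_dns = policy.get("split-tunnel-policy", "tunnelall") == "tunnelall" or policy.get("split-tunnel-all-dns") == "enable"
    # Documented split-dns rule: the listed domains are resolved through the tunnel.
    listed = any(qname == d or qname.endswith("." + d) for d in policy.get("split-dns", []))
    if all_dns or listed:
        return "tunnel", vpn_dns
    return "local", []  # unlisted names: the device's own resolver (client-dependent detail)
```

Run against the posted policy, the model sends packets to 203.0.113.10 outside the tunnel but sends the DNS query for mdm.xxx.net through the tunnel to 172.24.1.1, because split-dns lists the domains that are resolved via the tunnel.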

2 Replies

Steven1978
Level 1

Hello All,

I have this kind of problem too. We want to have a split-exclude tunnel configuration based on IP addresses and need DNS resolution for these IP addresses from public DNS servers at the user's local LAN or WiFi connection, because the internal name resolution over the AnyConnect dial-up resolves to internal private IP addresses.

Is the solution correct with "disable all DNS through tunnel" and split-DNS value xxx.domain.tld?

Thank you very much.

bergamok
Level 1
I have the same issue.
Did you find a solution?

Thanks