We are deploying ASA 55x5 hardware across the world to provide our mobile "Apple users" with a VPN solution to connect securely to specific resources using the default VPN capabilties of the Apple devices. We don't use anyconnect. So far it has been good.
Our default VPN setup is that all traffic from device needs to be sent via VPN tunnel when a tunnel is established. This has been working well. We use a MDM solution to provision the Apple devices which then automatically configures the device with both VPN + mailbox, certs, etc.
Our users can access corporate mail when connected just to the Internet using Internet DNS servers for resolution, and SSL-VPN between device and the MDM server to get to the mail servers. We have no issues here. Let us call our MDM server: mdm.xxx.net with IP x.x.x.x
We find that the devices cannot connect our corporate email system while the VPN is up. The reason is that a VPN connected device resolves the mdm.xxx.net entry using our 'Internal' DNS servers to an internal IP address y.y.y.y .
Normally this should not be a problem but the issue is that due to other technical implementation/design decisions made on other infrastructure, the VPN connected device is not allowed to reach the server through the internal address y.y.y.y
Allow VPN connected devices to connect mdm.xxx.net using external address only. Establish Split-Tunnel + Split DNS to allow only the specific server to be sent outside of the tunnel.
I think I have setup split-dns + split tunnel according to the docs. The problem is that the VPN connected device still resolves the Internal DNS name.
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host 18.104.22.168
access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "Google DNS Server"
access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host x.x.x.x
access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "mdm.xxx.net" external IP address
group-policy MOBI_users internal
group-policy MOBI_users attributes
dns-server value 172.24.1.1 172.24.1.2
split-tunnel-network-list value SPLIT-TUNNEL-EXCLUDE-LIST
default-domain value int.xxx.net
split-dns value mdm.xxx.net
How do I get the device to send DNS resolution traffic + other traffic for only the mdm.xxx.net entry outside the tunnel. I also tried change the DNS server value so that the first DNS server was 22.214.171.124 but it does not seem to work.
Any pointers would be helpful.
Thanks in Advance.