
ASA- SPLIT Tunnel / SPLIT DNS Question

Level 1


We are deploying ASA 55x5 hardware across the world to provide our mobile "Apple users" with a VPN solution to connect securely to specific resources using the default VPN capabilities of the Apple devices. We don't use AnyConnect. So far it has been good.


Our default VPN setup is that all traffic from device needs to be sent via VPN tunnel when a tunnel is established. This has been working well. We use a MDM solution to provision the Apple devices which then automatically configures the device with both VPN + mailbox, certs, etc.

Our users can access corporate mail when connected just to the Internet using Internet DNS servers for resolution, and SSL-VPN between device and the MDM server to get to the mail servers. We have no issues here. Let us call our MDM server: with IP x.x.x.x

We find that the devices cannot connect to our corporate email system while the VPN is up. The reason is that a VPN-connected device resolves the entry using our 'Internal' DNS servers to an internal IP address y.y.y.y.

Normally this should not be a problem but the issue is that due to other technical implementation/design decisions made on other infrastructure, the VPN connected device is not allowed to reach the server through the internal address y.y.y.y


Allow VPN connected devices to connect using external address only. Establish Split-Tunnel + Split DNS to allow only the specific server to be sent outside of the tunnel.


I think I have setup split-dns + split tunnel according to the docs. The problem is that the VPN connected device still resolves the Internal DNS name.

    access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host
    access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "Google DNS Server"
    access-list SPLIT-TUNNEL-EXCLUDE-LIST standard permit host x.x.x.x
    access-list SPLIT-TUNNEL-EXCLUDE-LIST remark "" external IP address

    group-policy MOBI_users internal
    group-policy MOBI_users attributes
      dns-server value
      split-tunnel-policy excludespecified
      split-tunnel-network-list value SPLIT-TUNNEL-EXCLUDE-LIST
      default-domain value
      split-dns value
      split-tunnel-all-dns disable

How do I get the device to send DNS resolution traffic + other traffic for only the entry outside the tunnel? I also tried changing the DNS server value so that the first DNS server was but it does not seem to work.

Any pointers would be helpful.

Thanks in Advance.

2 Replies

Level 1

Hello All,


I have this kind of problem too. We want to have a split-exclude tunnel configuration based on IP addresses and need DNS resolution for these IP addresses from public DNS servers on the user's local LAN or WiFi connection, because the internal name resolution over the AnyConnect dialup resolves to internal private IP addresses.


Is the solution correct with "disable all dns through tunnel" and split dns values xxx.domain.tld?


Thank you very much.
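As an added illustration (not code from the original post, from either reply, or from Cisco), the following Python models how the group-policy attributes both posts above rely on interact: split-tunnel-policy excludespecified with a split-tunnel-network-list decides routing by destination IP only, while split-dns decides which DNS servers answer a name. A name that falls under a split-dns domain is therefore still answered by the pushed internal servers and comes back as the internal address, which the exclude list never matches. The resolver rules are assumptions that model the documented AnyConnect behaviour, not the native Apple client, which may differ; the addresses, the domain corp.example and both DNS answer tables are constructed stand-ins for the redacted values.

```python
"""Model of how an ASA group-policy's split-tunnel and split-DNS attributes
decide (a) which resolver answers a name and (b) where the resulting flow
is routed. Added illustration; not Cisco code. The rules are a simplified
model of the attributes' documented AnyConnect behaviour and are
assumptions; native Apple IPsec clients may not honour them identically."""
from dataclasses import dataclass
import ipaddress


@dataclass
class GroupPolicy:
    split_tunnel_policy: str       # tunnelall | tunnelspecified | excludespecified
    network_list: list             # split-tunnel-network-list, as CIDR strings
    split_dns: list                # split-dns value: domains resolved via the tunnel
    split_tunnel_all_dns: bool     # split-tunnel-all-dns enable (True) / disable (False)


def route_for(policy: GroupPolicy, ip: str) -> str:
    """Return 'tunnel' or 'local' for a destination address (routing only)."""
    addr = ipaddress.ip_address(ip)
    listed = any(addr in ipaddress.ip_network(n, strict=False)
                 for n in policy.network_list)
    if policy.split_tunnel_policy == "tunnelall":
        return "tunnel"
    if policy.split_tunnel_policy == "tunnelspecified":
        return "tunnel" if listed else "local"
    if policy.split_tunnel_policy == "excludespecified":
        return "local" if listed else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy.split_tunnel_policy!r}")


def resolver_for(policy: GroupPolicy, hostname: str) -> str:
    """Return which DNS servers answer a query: 'tunnel' (the pushed dns-server
    values) or 'local' (the LAN/WiFi resolver). Assumption: with split
    tunnelling and split-tunnel-all-dns disabled, only names under a split-dns
    domain go to the tunnel resolver; with no split-dns list at all, every
    query goes to the tunnel resolver."""
    if policy.split_tunnel_all_dns or policy.split_tunnel_policy == "tunnelall":
        return "tunnel"
    if not policy.split_dns:
        return "tunnel"
    host = hostname.lower().rstrip(".")
    for domain in policy.split_dns:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return "tunnel"
    return "local"


def connect_path(policy, hostname, tunnel_view, local_view):
    """Combine both decisions: (resolver used, address returned, route taken).
    tunnel_view / local_view are constructed answer tables standing in for the
    internal and public DNS zones (split-horizon DNS)."""
    resolver = resolver_for(policy, hostname)
    view = tunnel_view if resolver == "tunnel" else local_view
    answer = view.get(hostname.lower().rstrip("."))
    if answer is None:
        return resolver, None, None
    return resolver, answer, route_for(policy, answer)


# Constructed stand-ins for the redacted values in the post.
MDM_PUBLIC = "203.0.113.10"       # x.x.x.x, the MDM/mail front end's external address
MDM_INTERNAL = "10.0.0.25"        # y.y.y.y, its internal address (unreachable from VPN)
MDM_NAME = "mdm.corp.example"
TUNNEL_DNS_VIEW = {MDM_NAME: MDM_INTERNAL}   # what the internal DNS servers answer
LOCAL_DNS_VIEW = {MDM_NAME: MDM_PUBLIC}      # what public DNS answers

# The policy as posted: exclude list holds the public address plus a public
# resolver, and the whole corporate domain is listed under split-dns.
POLICY_AS_POSTED = GroupPolicy(
    split_tunnel_policy="excludespecified",
    network_list=["8.8.8.8/32", MDM_PUBLIC + "/32"],
    split_dns=["corp.example"],
    split_tunnel_all_dns=False,
)

# Same policy, but split-dns narrowed to an internal-only subdomain so the
# MDM name falls outside it and is resolved by the local (public) resolver.
POLICY_NARROWED = GroupPolicy(
    split_tunnel_policy="excludespecified",
    network_list=["8.8.8.8/32", MDM_PUBLIC + "/32"],
    split_dns=["internal.corp.example"],
    split_tunnel_all_dns=False,
)


if __name__ == "__main__":
    for label, pol in (("as posted", POLICY_AS_POSTED), ("narrowed", POLICY_NARROWED)):
        print(label, connect_path(pol, MDM_NAME, TUNNEL_DNS_VIEW, LOCAL_DNS_VIEW))
```

Running it shows the failure the first post describes: with the whole corporate domain under split-dns, the name is answered by the tunnel resolver as 10.0.0.25 and that flow is routed into the tunnel regardless of the exclude list. Only when the name falls outside every split-dns domain does the local resolver answer with the public address, which the exclude list then routes outside the tunnel. Split-dns is domain-granular, so a single host cannot be carved out of a domain that is listed; whether a native Apple IPsec client honours split-dns at all is a separate question this model does not answer.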

Level 1
I have the same issue.
Did you find a solution?