Baffled...split-DNS via remote access

allele333
Level 1

I don't know why the following config does not work when I'm trying to resolve or ping a host via its name while connected via remote access. I'm currently running ASA 5520 8.2(5).

group-policy TEST internal
group-policy TEST attributes
 dns-server value x.x.200.64 x.x.200.41
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcL
 default-domain value Test.local
 split-dns value Test.local
 split-tunnel-all-dns enable

6 Replies

Vishnu Sharma
Level 1

Hi Allele,


Could you please make sure that the IP addresses that you defined as DNS servers are also included in the split-tunnel ACL, i.e. VPN_splitTunnelAcL. If not, please include them. Also, the split-tunnel-all-dns command is supported for SSL VPN clients. It is not supported for IPSec VPN clients, so if you are using the IPsec VPN client, you are not going to get any benefit from this command.

If it still does not work, then try tunnel-all instead of split tunnel and check whether that fixes the issue or not.


Let me know if this helps.


Vishnu

Yes, the DNS servers are permitted.

access-list VPN_splitTunnelAcL standard permit x.x.200.0 255.255.255.0


Hmm, I had this working in 7.2(2) via the VPN client.
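Added example, not part of the thread: a small Python check that does the two things the first reply asks for, namely confirming that every dns-server address in the group-policy falls inside a network permitted by the split-tunnel ACL, and flagging split-tunnel-all-dns when the policy also allows IPSec clients (where, per the reply above, the command gives no benefit). The sample config is constructed from the posted snippet with the thread's "x.x.200.x" addresses replaced by 10.10.200.x placeholders; the function and variable names are mine.

```python
import ipaddress
import re

# Constructed sample, modelled on the configuration posted in the thread.
# The "x.x.200.x" addresses are replaced with 10.10.200.x placeholders.
SAMPLE_CONFIG = """
group-policy TEST internal
group-policy TEST attributes
 dns-server value 10.10.200.64 10.10.200.41
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcL
 default-domain value Test.local
 split-dns value Test.local
 split-tunnel-all-dns enable
access-list VPN_splitTunnelAcL standard permit 10.10.200.0 255.255.255.0
"""


def parse_group_policy(config, name):
    """Return the indented attribute lines of one group-policy as {keyword: tokens}."""
    attrs = {}
    in_block = False
    for line in config.splitlines():
        if line.startswith(f"group-policy {name} attributes"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # left the indented attribute block
            tokens = line.split()
            attrs[tokens[0]] = tokens[1:]
    return attrs


def parse_standard_acl(config, name):
    """Collect the networks permitted by a standard ACL as ip_network objects."""
    nets = []
    pat = re.compile(rf"^access-list {re.escape(name)} standard permit (\S+) (\S+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            # ASA writes "network mask"; ip_network accepts "network/mask"
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def check_split_dns(config, policy="TEST"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    attrs = parse_group_policy(config, policy)
    if attrs.get("split-tunnel-policy") != ["tunnelspecified"]:
        return findings  # tunnel-all: DNS traffic goes through the tunnel anyway

    acl_tokens = attrs.get("split-tunnel-network-list", [])
    acl_name = acl_tokens[1] if len(acl_tokens) == 2 else None
    nets = parse_standard_acl(config, acl_name) if acl_name else []

    # "dns-server value A B": drop the 'value' keyword, keep the addresses
    for server in attrs.get("dns-server", [])[1:]:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in nets):
            findings.append(f"dns-server {server} is not covered by split-tunnel ACL {acl_name}")

    protocols = attrs.get("vpn-tunnel-protocol", [])
    if attrs.get("split-tunnel-all-dns") == ["enable"] and "IPSec" in protocols:
        findings.append("split-tunnel-all-dns is honoured by SSL VPN clients only; "
                        "IPSec VPN Client sessions get no benefit from it")
    return findings


if __name__ == "__main__":
    for finding in check_split_dns(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample above, the DNS servers are reported as covered (10.10.200.64 and .41 sit inside 10.10.200.0/24) and the only finding is the split-tunnel-all-dns note; change the ACL to a network that does not contain the servers and each one is reported individually.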

Could you please try with tunnelall, just to understand the behavior of the device.


Also check whether you are able to ping the DNS servers when connected over VPN.


The tunnelall config works, BUT after doing so I can't get out to the Internet; I can't resolve anything public.

Looks like I now have to NAT the traffic of the remote users to a public IP other than the one specified for the outside interface. I think this is the correct solution. Let me know if it's not.

I think this will be a good option. Send all your traffic to the ASA and access the Internet using the public IP address of the ASA.


You can refer to this document for the same: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/67986-pix7x-asa-client-stick.html


Vishnu