DNS Problem

laurabolda
Level 1

We just set up a new config on the ASA. We cannot get on the internet with the group "services" for full tunnel when using Cisco VPN client. We can get to Google by IP address. But we cannot get to Google by typing Google.com. Do you have any suggestions? Attached is the config.

Thanks.

Laura

Accepted Solutions

Jennifer Halim
Cisco Employee

The following are the DNS servers configured for group services:

208.29.1.8

208.29.1.1

Do these 2 internal DNS servers resolve external DNS as well?

The reason why the split tunnel group works is because they will use the ISP provided DNS to reach the external websites. However, with the no split tunnel group (tunnelall group), it is relying on the internal DNS to also resolve external URLs.

12 Replies

Jennifer,

Yes, these DNS servers resolve external DNS.  Can you think of anything else?

Thanks.

Laura

When you perform "nslookup" for google.com, can you please confirm that it uses either of the 2 DNS servers defined?

Here is the result of NSLOOKUP.  Thanks.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\win7>nslookup
Default Server: xxx.consoto.com
Address: 208.29.1.8

>

Can you please type in www.google.com at the prompt, and share the output. Thanks.

Here is the result of NSLOOKUP.  Thanks.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


C:\Users\win7>nslookup
Default Server:  xxx.consoto.com
Address:  208.29.1.8

> google.com
Server:  xxx.consoto.com
Address:  208.29.1.8

*** xxx.consoto.com can't find google.com: Query refused
> 74.125.224.221
Server:  xxx.consoto.com
Address:  208.29.1.8

*** xxx.consoto.com can't find 74.125.224.221: Query refused

Sounds like a DNS server issue instead of ASA.

You might want to check if the DNS server is allowing your vpn pool subnet to perform DNS lookup for external hosts.

Here is an article from Microsoft support that confirms the same:

http://support.microsoft.com/kb/200525

(PS: search on "Query refused")
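
An added example, not part of the original thread: nslookup's "Query refused" corresponds to DNS response code 5 (REFUSED), which means the server answered but its policy rejects the client, whereas a path problem through the tunnel would show up as a timeout. The Python sketch below builds a query and classifies a reply along those lines; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QID = 0x1234  # arbitrary query ID, used to match a reply to our query

def build_query(name, qid=QID):
    """Build a recursive (RD=1) A-record query for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, qid=QID):
    """Turn a raw DNS reply into a diagnosis from the VPN client's side."""
    if len(reply) < 12:
        return "MALFORMED: shorter than a DNS header"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit clear
        return "MALFORMED: not a reply to this query"
    rcode = flags & 0x000F
    if rcode == 5:
        return "REFUSED: server is reachable but its policy rejects this source address"
    if rcode == 0 and not flags & 0x0080:  # RA bit clear
        return "NOERROR: but recursion is not available to this client"
    return f"{RCODES.get(rcode, 'RCODE%d' % rcode)}: {ancount} answer(s)"

def probe(server, name, timeout=3.0):
    """Send one UDP query; a timeout points at the path, not the server's policy."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT: no reply; check routing and filtering between the VPN pool and the server"
    return classify(reply)

# Constructed sample replies (header + echoed question), not captured traffic.
QUESTION = build_query("google.com")[12:]
SAMPLE_REFUSED = struct.pack("!HHHHHH", QID, 0x8105, 1, 0, 0, 0) + QUESTION  # QR, RD, RCODE=5
SAMPLE_OK = struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0) + QUESTION       # QR, RD, RA, 1 answer

if __name__ == "__main__":
    print(classify(SAMPLE_REFUSED))
    print(classify(SAMPLE_OK))
```

Running `probe()` from a VPN client against each DNS server assigned to the group shows whether the failure is REFUSED (DNS server policy) or a timeout (path through the tunnel).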

Thanks for the link, Jennifer. I will check out the link.

Laura

Thanks Jennifer.  I will check with my DNS administrator.  I will get back to you tomorrow if I have any more questions and rate the posts.

Thanks again.

Laura

Jennifer,

For whatever reason, the full tunnel is now working. I am now able to get to the internet. I am so embarrassed!!! For the last 3 days, I was not able to get on the internet. Thanks so much for your time. I appreciate you taking the time to help me out.

Thanks.

Laura

Great to hear it's working, Laura. Thanks for the update and rating.