04-12-2011 09:03 PM
We just set up a new config on the ASA. We cannot get on the internet with the group "services" for full tunnel when using Cisco VPN client. We can get to Google by IP address. But, we cannot get to Google by typing Google.com. Do you have any suggestions? Attached is the config.
Thanks.
Laura
04-12-2011 09:28 PM
The following are the DNS servers configured for group services:
208.29.1.8
208.29.1.1
Do these 2 internal DNS servers resolve external DNS as well?
The reason why the split tunnel group works is because they will use the ISP provided DNS to reach the external websites. However, with the no split tunnel group (tunnelall group), it is relying on the internal DNS to also resolve external URLs.
04-12-2011 09:39 PM
Jennifer,
Yes, these DNS servers resolve external DNS. Can you think of anything else?
Thanks.
Laura
04-12-2011 09:41 PM
When you perform "nslookup" for google.com, can you please confirm that it uses either of the 2 DNS servers defined?
04-12-2011 09:55 PM
Here is the result of NSLOOKUP. Thanks.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\win7>nslookup
Default Server: xxx.consoto.com
Address: 208.29.1.8
>
04-12-2011 09:57 PM
Can you please type in www.google.com at the prompt, and share the output. Thanks.
04-12-2011 10:07 PM
Here is the result of NSLOOKUP. Thanks.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\win7>nslookup
Default Server: xxx.consoto.com
Address: 208.29.1.8
> google.com
Server: xxx.consoto.com
Address: 208.29.1.8
*** xxx.consoto.com can't find google.com: Query refused
> 74.125.224.221
Server: xxx.consoto.com
Address: 208.29.1.8
*** xxx.consoto.com can't find 74.125.224.221: Query refused
04-12-2011 10:10 PM
Sounds like a DNS server issue instead of ASA.
You might want to check if the DNS server is allowing your vpn pool subnet to perform DNS lookup for external hosts.
04-12-2011 10:12 PM
Here is an article from Microsoft support that confirms the same:
http://support.microsoft.com/kb/200525
(PS: search on "Query refused")
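Added example (not part of the original thread): nslookup's "Query refused" corresponds to DNS RCODE 5 (REFUSED), and this Python sketch sends the same recursive query and classifies the reply header so a server-side refusal can be told apart from a timeout or a no-recursion answer. The function names and the sample reply headers are constructed for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a recursive (RD=1) A-record query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Explain a DNS reply from its header flags, RCODE and answer count."""
    if len(response) < 12:
        return "malformed: shorter than a DNS header"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        return "malformed: QR bit not set, not a response"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 5:
        return "REFUSED: server policy rejects this client (check allowed source subnets)"
    if rcode == 2:
        return "SERVFAIL: server tried but could not resolve (forwarders/upstream)"
    if rcode == 3:
        return "NXDOMAIN: name does not exist"
    if rcode == 0 and ancount == 0 and not recursion_available:
        return "no recursion: server answers only for its own zones"
    if rcode == 0 and ancount > 0:
        return "ok: %d answer record(s)" % ancount
    return "other: rcode=%d ancount=%d" % (rcode, ancount)

def ask(server, name, timeout=3.0):
    """Send the query over UDP/53 from this host (run it on the VPN client)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify(s.recvfrom(512)[0])
        except socket.timeout:
            return "timeout: no reply (routing or filtering between client and server)"

def fake_reply(flags, ancount=0):
    """Constructed reply header for offline demonstration (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(classify(fake_reply(0x8105)))     # constructed REFUSED reply
    print(classify(fake_reply(0x8180, 1)))  # constructed successful reply
```

Calling `ask("208.29.1.8", "google.com")` once from a connected full-tunnel client and once from a LAN host shows whether the refusal depends on the source subnet.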
04-12-2011 10:17 PM
Thanks for the link, Jennifer. I will check out the link.
Laura
04-12-2011 10:13 PM
Thanks Jennifer. I will check with my DNS administrator. I will get back to you tomorrow if I have any more questions and rate the posts.
Thanks again.
Laura
04-13-2011 08:50 AM
Jennifer,
For whatever reason, the full tunnel is now working. I am now able to get to the internet. I am so embarrassed!!! For the last 3 days, I was not able to get on the internet. Thanks so much for your time. I appreciate you taking the time to help me out.
Thanks.
Laura
04-13-2011 03:32 PM
Great to hear it's working, Laura. Thanks for the update and rating.