Hi Guys, I need some tips for the Cisco Anyconnect and DNS problem in my office.
Cisco ASA 5515-X 9.12(2)9
Cisco AnyConnect 4.2.03013
Windows 10 1903
My organization has over 10 Forward Lookup Zones on the global DNS servers, one of the domain names is working for my office where I am. Many colleagues tell me they couldn't resolve the remote hostnames by connecting the Cisco Anyconnect but they could successfully resolve and connect the remote name and host by connecting LAN in my office.
However, the problem is known that it can be solved by adding the A record under our own domain name although the IP address is not really working in my office, and the problem can also be solved by adding the specific domain with Split-DNS command on the ASA, but we have too much domain names so I would not add every domain on the firewall.
As I understand, the DNS resolving should work like what it's working in LAN, it should be automatically searching the corresponding hostname in all the Forward Lookup Zones, therefore I'm wondering if I missed somethings on the firewall, please help me :(...
The following information is the configuration, we have the Split-Tunneling and default domain name configured on the firewall:
access-list VPN_Split standard permit 10.16.0.0 255.255.0.0
access-list VPN_Split standard permit 10.17.0.0 255.255.0.0
access-list VPN_Split standard permit 10.18.0.0 255.255.0.0
access-list VPN_Split standard permit 10.21.0.0 255.255.0.0
group-policy AnyConnect_VPN internal
group-policy AnyConnect_VPN attributes
wins-server value 10.21.0.55 10.21.0.56
dns-server value 10.21.0.55 10.21.0.56
vpn-idle-timeout alert-interval 14
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-network-list value VPN_Split
default-domain value MyOffice.corp
Look at the DNS issue when you doing split tunnel and some guidance to resolve :
Sorry for the late response.
I read the article and followed the below section but I couldn't find the cause. As far as I know, everything works on the LAN, so I was wondering if I missed some configuration on the Firewall. I think I will find a good time troubleshooting with Wireshark...
AnyConnect driver does not interfere with the native DNS resolver. Therefore, DNS resolution is performed based on the order of network adapters where AnyConnect is always the preferred adapter when VPN is connected. Moreover, a DNS query is first sent via the tunnel and if it does not get resolved, the resolver attempts to resolve it via public interface. The split-include access-list includes the subnet which covers the Tunnel DNS server(s). To start with AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, and therefore the split-include access-list no longer requires explicit addition of the tunnel DNS server subnet.