How to forbid remote access vpn client to use local DNS server

haluochen9988
Level 1

Hello,

I am configuring remote access vpn on ASA5505.

Everything is working fine so far, except when the client got connected, it still used the local DNS server provided by the ISP.  How do I force the client to use the DNS server configured on ASA?

Thank you.

Regards,


7 Replies

Jennifer Halim
Cisco Employee

What is the version of your ASA and of your VPN client? Also, please share the configuration of the group-policy and tunnel-group for that particular remote access.

What are you trying to resolve? Public DNS names or company/local DNS names?

Hi Jennifer,

I am using ASA 5505 Version 8.2(5). The VPN client is 5.0.07.0440.

Below is the result of ipconfig from client.  I will post the configuration of group-policy and tunnel-group later on.

C:\Users\XXXX>ipconfig /all

Windows IP Configuration

PPP adapter Rogers Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : XXXX Internet
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : A.A.A.A(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 64.71.255.198
                                       64.71.255.253
   Primary WINS Server . . . . . . . : 10.11.12.13
   Secondary WINS Server . . . . . . : 10.11.12.14
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . :
   IPv4 Address. . . . . . . . . . . : 192.168.40.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.40.1
   DNS Servers . . . . . . . . . . . : 192.168.5.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

When the client connected, it got DNS servers from both the ISP and the ASA, but when I ran nslookup, it used the one from the ISP (64.71.255.198).

How do I force it to use 192.168.5.10?

Thanks for the reply.
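The ipconfig output above is the client-side symptom to check for: the ISP adapter still carries the ISP resolvers after the VPN adapter came up, so Windows may answer a lookup from either. The script below is an added example (not from this thread, not Cisco tooling): it parses `ipconfig /all` text, lists the DNS servers each adapter carries, and flags any adapter whose resolvers lie outside the internal ranges. The sample text is constructed from the post's output, and the internal address ranges are an assumption for the example.

```python
"""Client-side DNS leak check for a remote-access VPN (added example):
parse `ipconfig /all` text, list the DNS servers per adapter, and flag any
adapter whose resolvers lie outside the corporate ranges."""
import ipaddress
import re

# Constructed sample, trimmed from the output quoted in the thread. A.A.A.A is
# the post's masked public address; the ISP resolvers are the ones it listed.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

PPP adapter Rogers Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : XXXX Internet
   IPv4 Address. . . . . . . . . . . : A.A.A.A(Preferred)
   DNS Servers . . . . . . . . . . . : 64.71.255.198
                                       64.71.255.253
   Primary WINS Server . . . . . . . : 10.11.12.13

Ethernet adapter Local Area Connection 3:

   Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   IPv4 Address. . . . . . . . . . . : 192.168.40.100(Preferred)
   Default Gateway . . . . . . . . . : 192.168.40.1
   DNS Servers . . . . . . . . . . . : 192.168.5.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Corporate address space: an assumption for this example (the thread only
# shows the resolver 192.168.5.10 and the VPN pool 192.168.40.0/24).
INTERNAL_NETS = ["192.168.0.0/16", "10.0.0.0/8"]

ADAPTER_RE = re.compile(r"^(\S.*?adapter\s.+?):\s*$")                    # "PPP adapter X:"
FIELD_RE = re.compile(r"^ {3}([A-Za-z][A-Za-z0-9 /-]*?)[ .]*: ?(.*)$")  # "   Name . . : value"
CONT_RE = re.compile(r"^ {4,}(\S.*?)\s*$")                               # wrapped extra value


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. Multi-valued fields such as
    'DNS Servers' keep one entry per line, in the order Windows lists them."""
    adapters, current, last_field = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_field = m.group(1), None
            adapters[current] = {}
            continue
        if current is None:          # banner lines before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current][last_field] = [value] if value else []
            continue
        m = CONT_RE.match(line)
        if m and last_field is not None:
            adapters[current][last_field].append(m.group(1))
    return adapters


def _is_internal(server, nets):
    try:
        addr = ipaddress.ip_address(server.split("%")[0])  # drop an IPv6 zone id
    except ValueError:
        return False                                       # unparsable: treat as external
    return any(addr in n for n in nets)


def dns_leak_report(adapters, internal_nets=INTERNAL_NETS):
    """Split each adapter's DNS servers into internal and external. While the
    VPN is up, an external resolver still configured on any adapter is one
    Windows may pick, which is what the nslookup in the thread showed."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    report = {}
    for name, fields in adapters.items():
        servers = fields.get("DNS Servers", [])
        internal = [s for s in servers if _is_internal(s, nets)]
        report[name] = {"internal": internal,
                        "external": [s for s in servers if s not in internal]}
    return report


def leaking_adapters(report):
    """Names of adapters that still carry an external resolver."""
    return sorted(name for name, r in report.items() if r["external"])


if __name__ == "__main__":
    rep = dns_leak_report(parse_ipconfig(SAMPLE_IPCONFIG))
    for name, r in rep.items():
        print(f"{name}: internal={r['internal']} external={r['external']}")
    print("leak candidates:", leaking_adapters(rep))
```

On the thread's output this reports the PPP adapter as the leak candidate, which matches the nslookup observation; the script only reads the configured resolvers, so it shows the leak path rather than which resolver a given lookup actually used.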

Hi Jennifer,

Below is the config of the vpn group. I would like the client to use company/local dns server. Thanks.

dns server-group DefaultDNS
 name-server 192.168.5.10
 domain-name AAA.com
ip local pool AAA-VPN 192.168.40.100-192.168.40.199 mask 255.255.255.0
dhcpd dns 192.168.5.10 interface inside
dhcpd enable inside
!
group-policy AAA_grppolicy_nosplittunnel internal
group-policy AAA_grppolicy_nosplittunnel attributes
 dns-server value 192.168.5.10
 vpn-tunnel-protocol IPSec
 split-tunnel-all-dns enable
tunnel-group AAA_group type remote-access
tunnel-group AAA_group general-attributes
 address-pool AAA-VPN
 default-group-policy AAA_grppolicy_nosplittunnel
tunnel-group AAA_group ipsec-attributes
 pre-shared-key *****
!
!

The command "split-tunnel-all-dns enable" is only supported on SSL VPN and IKEv2 VPN. Since you are using IKEv1, that command is not supported.

Here is the command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1533793

Are you configuring no split tunnel? If you are, then you would need to configure the "tunnelall" split tunnel policy, and that will force the DNS resolution and everything else through the VPN tunnel.

Thank you Jennifer.

Yes, I am configuring no split tunnel. Do you have a sample of configuring the "tunnelall" split tunnel policy? Thanks again.

Sure, here you go for your configuration:

group-policy AAA_grppolicy_nosplittunnel attributes
 split-tunnel-policy tunnelall
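To check a group-policy against the two points made in this answer, here is an added example (not from the thread and not Cisco tooling): a small Python lint that parses `group-policy ... attributes` blocks and flags `split-tunnel-all-dns enable` on an IKEv1-only policy, a missing `split-tunnel-policy tunnelall`, and a missing `dns-server value`. It runs over the original poster's policy as quoted above and over the same policy with the fix applied; the IKEv1 keyword set and the cleaned-up "after" policy are assumptions of the example.

```python
"""ASA group-policy lint (added example). Encodes the thread's two points:
`split-tunnel-all-dns enable` is honoured only by SSL VPN and IKEv2, and an
IKEv1 no-split-tunnel policy needs `split-tunnel-policy tunnelall` to push
DNS through the tunnel. Also checks that an internal resolver is pushed."""
import re

# The original poster's policy as quoted in the thread (indented as ASA prints it).
BEFORE = """\
group-policy AAA_grppolicy_nosplittunnel internal
group-policy AAA_grppolicy_nosplittunnel attributes
 dns-server value 192.168.5.10
 vpn-tunnel-protocol IPSec
 split-tunnel-all-dns enable
tunnel-group AAA_group type remote-access
"""

# Same policy with the accepted fix applied. Dropping the unsupported line is a
# constructed clean-up for this example; the thread's fix only adds tunnelall.
AFTER = """\
group-policy AAA_grppolicy_nosplittunnel internal
group-policy AAA_grppolicy_nosplittunnel attributes
 dns-server value 192.168.5.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
"""

GP_HEADER_RE = re.compile(r"^group-policy (\S+) attributes\s*$")
# vpn-tunnel-protocol keywords that mean IKEv1: "IPSec" (8.2 syntax, as on this
# page), "ikev1" and "l2tp-ipsec" (later syntax). Assumed set for the example.
IKEV1_KEYWORDS = {"IPSec", "ikev1", "l2tp-ipsec"}


def parse_group_policies(config):
    """Map each 'group-policy NAME attributes' block to its indented
    sub-commands; a non-indented line ends the block."""
    policies, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        m = GP_HEADER_RE.match(raw)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
        elif raw[0].isspace() and current is not None:
            policies[current].append(raw.strip())
        else:
            current = None            # back at global config level
    return policies


def lint_group_policy(attrs):
    """Return a list of findings for one policy's sub-command list."""
    findings = []
    protocols = set()
    split_policy = None
    for a in attrs:
        words = a.split()
        if words[0] == "vpn-tunnel-protocol":
            protocols.update(words[1:])
        elif words[0] == "split-tunnel-policy" and len(words) > 1:
            split_policy = words[1]
    ikev1_only = bool(protocols) and protocols <= IKEV1_KEYWORDS
    if "split-tunnel-all-dns enable" in attrs and ikev1_only:
        findings.append("split-tunnel-all-dns enable has no effect here: only SSL VPN "
                        "and IKEv2 honour it, and this policy allows IKEv1 only")
    if split_policy is None:
        findings.append("split-tunnel-policy not set in this policy; set "
                        "'split-tunnel-policy tunnelall' so DNS and all other traffic "
                        "goes through the tunnel rather than relying on inheritance")
    elif split_policy != "tunnelall":
        findings.append(f"split-tunnel-policy {split_policy}: DNS may be resolved "
                        "outside the tunnel unless a full-tunnel policy is used")
    if not any(a.startswith("dns-server value ") for a in attrs):
        findings.append("no dns-server value: the client is not pushed an internal resolver")
    return findings


def lint_config(config):
    """{policy name: findings} for every group-policy in the config text."""
    return {name: lint_group_policy(attrs)
            for name, attrs in parse_group_policies(config).items()}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for name, findings in lint_config(cfg).items():
            print(f"[{label}] {name}: {findings or 'OK'}")
```

Run against a `show running-config` dump, the "before" policy produces the two findings the answer describes and the "after" policy produces none.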

Hi Jennifer,

Sorry for the slow reply on this issue.

I did not get a chance to work on this again for a while. When I tried to connect to the VPN just now, I was surprised to see that the client was not using the local DNS server but was going through the tunnel. Nothing has been changed on the ASA since my last post. So weird. Anyway, thank you very much again for your kind help.

Best regards,