Remote access w/o split tunneling using external DNS

w951duu
Level 1

I've set up a remote access group for AnyConnect on a 5510 running 8.4.5. Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like Google or something). How do I get this to work? I'm assuming I need to do a NAT exemption, but I'm not sure how this would look, especially under 8.4.5.

Any help would be greatly appreciated.

Thanks!

1 Reply

Jouni Forss
VIP Alumni

Hi,

Allowing the use of an external DNS server, along with other external resources like external websites (on the Internet), would really go hand in hand.

And for internal resources I imagine you wouldn't even need the external DNS server.

So I would imagine that you lack a NAT translation for the VPN pool towards the Internet.

An example configuration to NAT the VPN pool to the "outside" interface IP address of the ASA while accessing the Internet through the full tunnel VPN client would be:

object-group network VPN-POOL
 network-object 10.10.10.0 255.255.255.0

nat (outside,outside) after-auto source dynamic VPN-POOL interface

Also, you will have to have:

same-security-traffic permit intra-interface

This will allow the traffic to take a "U-turn" on the ASA "outside" interface and head back to the Internet.

The NAT configuration's format depends on your current NAT configuration. It should work with the above, but there is always a possibility that some existing NAT configuration might cause problems for it or override it.

Let me know if I understood your situation correctly.

If this solved your problem, remember to mark the question as answered.

Naturally, ask more if needed.

Hope this helps

- Jouni
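As an added illustration (my own script, not part of the reply above and not a Cisco tool), the following Python checker parses an ASA 8.4-style running-config excerpt and reports whether the three pieces the reply lists are present for a given VPN pool object-group: the object-group with its network-object member, a `nat (outside,outside) after-auto source dynamic <pool> interface` hairpin rule, and `same-security-traffic permit intra-interface`. The sample config text, hostname and object names are constructed for the example; nothing here is from a real device.

```python
import re
from dataclasses import dataclass, field

# Constructed ASA 8.4-style running-config excerpt (sample input, not from a real device).
SAMPLE_CONFIG = """\
hostname ASA-EXAMPLE
same-security-traffic permit intra-interface
object-group network VPN-POOL
 network-object 10.10.10.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-NET interface
nat (outside,outside) after-auto source dynamic VPN-POOL interface
"""


@dataclass
class Findings:
    """What the checker found for one VPN pool object-group."""
    intra_interface: bool = False          # same-security-traffic permit intra-interface present
    pool_members: list = field(default_factory=list)   # network-object entries of the pool group
    hairpin_nat: bool = False              # (outside,outside) dynamic PAT to the interface found
    nat_lines_for_pool: list = field(default_factory=list)  # every nat line naming the pool
    problems: list = field(default_factory=list)       # human-readable gaps to fix


def parse_object_groups(lines):
    """Map object-group name -> list of 'network mask' members (indented lines belong to the group)."""
    groups = {}
    current = None
    for line in lines:
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current and line.startswith(" "):
            m = re.match(r"\s+network-object (\S+) (\S+)", line)
            if m:
                groups[current].append(f"{m.group(1)} {m.group(2)}")
            continue
        current = None  # any non-indented line ends the object-group block
    return groups


def check_hairpin_nat(config: str, pool_name: str, outside_if: str = "outside") -> Findings:
    """Check that a full-tunnel VPN pool can reach the Internet via a U-turn on the outside interface."""
    lines = config.splitlines()
    f = Findings()
    f.intra_interface = any(
        l.strip() == "same-security-traffic permit intra-interface" for l in lines
    )
    f.pool_members = parse_object_groups(lines).get(pool_name, [])

    # Twice-NAT (manual NAT) dynamic rule, optionally in the after-auto section.
    nat_re = re.compile(r"^nat \((\S+),(\S+)\)(?: after-auto)? source dynamic (\S+) (\S+)")
    for l in lines:
        m = nat_re.match(l)
        if m and m.group(3) == pool_name:
            f.nat_lines_for_pool.append(l)
            src_if, dst_if, _, mapped = m.groups()
            if src_if == outside_if and dst_if == outside_if and mapped == "interface":
                f.hairpin_nat = True

    if not f.pool_members:
        f.problems.append(f"object-group {pool_name} missing or has no network-object members")
    if not f.hairpin_nat:
        f.problems.append(
            f"no 'nat ({outside_if},{outside_if}) ... source dynamic {pool_name} interface' rule"
        )
    if not f.intra_interface:
        f.problems.append("same-security-traffic permit intra-interface not configured")
    return f


if __name__ == "__main__":
    result = check_hairpin_nat(SAMPLE_CONFIG, "VPN-POOL")
    print("hairpin NAT:", result.hairpin_nat, "| intra-interface:", result.intra_interface)
    for p in result.problems:
        print("PROBLEM:", p)
```

The checker only confirms that the lines exist; it does not model ASA NAT ordering, so an earlier manual NAT rule that also matches the pool can still win, which is the caveat the reply makes. On the device itself, `packet-tracer` from the outside interface with a pool address as the source is the authoritative way to see which NAT rule the traffic actually hits.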