08-09-2010 11:24 PM - edited 02-21-2020 04:47 PM
Hi,
Our organisation is having an issue with remote access IPsec VPNs from iPhones to an ASA firewall. Currently we are able to initiate a VPN and get IP connectivity through the VPN. However we are unable to resolve DNS using the internal DNS servers. We need this so we can resolve intranet.companyname.local.
I have seen posts in forums mentioning the following but I have been unable to confirm -
- Apple reserve .local so anything on this domain won't resolve
- Internal DNS won't work on the iPhone cisco VPN client
- There is a bug in version 4 with the Cisco VPN
While troubleshooting I turned on split tunneling and split DNS and can browse to the internet while this is enabled but not to internal sites.
The DNS servers are pingable from the iPhone; it just seems it does not use the internal DNS servers even though they are in the group policy.
group-policy iPhone attributes
dns-server value 10.x.x.x 10x.x.x
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
default-domain value companyname.local
split-dns value companyname.local
Hardware
- iPhone3 version 4.X
- ASA 5520 running 8.2(1)
We would like to tunnel everything (no split tunneling) and resolve DNS from our internal servers once the VPN is enabled from the iPhone. This way we can browse to our internal servers. Any suggestions/answers or similar issues?
08-13-2010 01:26 PM
Are other Clients able to connect to the same connection-profile(aka tunnel-group) and group-policy?
If not, do you have the following defined?
dns domain-lookup Inside
I have this working with all the same versions you listed. If you post the entire config - I may be able to spot something.
08-13-2010 06:12 PM
I have a similar setup working fine with iPhone 3, 4 & iPad. The only differences that I see between your group policy attributes and mine are:
I do not have the "split-dns ---- command" and I have the address pool mentioned for the group. Also I am not tunneling all of the traffic but just tunnelling my internal network traffic.
As suggested by Paul, please post the configuration to see if we are missing something.
Thanks
Manish
08-14-2010 08:47 AM
Dear Dan,
Please make sure that IKE NAT-T is enabled to connect from iPhone/iPad with inbuilt CISCO VPN client.
Remote Access VPN--> IKE Policies--> NAT-T
Regards
Balajirajah P B
05-05-2011 07:05 PM
I have confirmation this is the answer -
- Apple reserve .local so anything on this domain won't resolve
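The thread's conclusion is that the group policy itself pushes the right DNS servers, but the internal domain ends in .local, which iOS hands to Bonjour/mDNS (RFC 6762) rather than to the unicast DNS servers received over the tunnel. As an added example (not from the original posts or from Cisco), the small checker below parses the group-policy attributes quoted above and flags that pitfall, plus a split-dns line that is meaningless under a tunnelall policy. The server addresses in the sample are constructed placeholders.

```python
import re

# Constructed sample: the group-policy fragment quoted in the thread,
# with the redacted server addresses replaced by placeholder values.
SAMPLE_GROUP_POLICY = """\
group-policy iPhone attributes
 dns-server value 10.0.0.10 10.0.0.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value companyname.local
 split-dns value companyname.local
"""

# .local is reserved for multicast DNS (RFC 6762); the iOS resolver answers
# such names via Bonjour/mDNS instead of the unicast servers pushed by the ASA.
MDNS_RESERVED_SUFFIX = ".local"


def parse_group_policy(text):
    """Return {attribute: [values]} for the DNS-related group-policy lines."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(dns-server|default-domain|split-dns) value (.+)", line)
        if m:
            attrs.setdefault(m.group(1), []).extend(m.group(2).split())
        m = re.match(r"split-tunnel-policy (\S+)", line)
        if m:
            attrs["split-tunnel-policy"] = [m.group(1)]
    return attrs


def find_dns_issues(text):
    """Flag the DNS pitfalls discussed in the thread; returns a list of strings."""
    attrs = parse_group_policy(text)
    issues = []
    for key in ("default-domain", "split-dns"):
        for domain in attrs.get(key, []):
            if domain.lower().endswith(MDNS_RESERVED_SUFFIX):
                issues.append(f"{key} '{domain}' ends in .local: iOS resolves it "
                              "via mDNS, not the tunnel's DNS servers")
    if attrs.get("split-tunnel-policy") == ["tunnelall"] and "split-dns" in attrs:
        issues.append("split-dns is set but split-tunnel-policy is tunnelall; "
                      "split-dns only matters when split tunneling is enabled")
    if not attrs.get("dns-server"):
        issues.append("no dns-server value is pushed to the client")
    return issues
```

Running `find_dns_issues(SAMPLE_GROUP_POLICY)` reports both .local domains and the redundant split-dns line; renaming the internal zone away from .local is the fix the thread arrives at.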