Split DNS not working

Ratatapaa
Level 1

I'm sorry to make a 2nd thread, but I wasn't able to delete the first one.

I changed some config to make it easier to understand

1) I have a MBP connected to a router (with allow all); that router is connected to my Cisco ASA 5505 on the WAN interface, and the LAN interface of the ASA 5505 is connected to a switch which has a PC (192.168.0.16) and a DNS server (192.168.0.14).

My MBP can connect to the VPN and can access the DNS server (ping and SSH) and the Windows machine (ping and RDP).

What I want is to be able to access them by FQDN, for example ping dns.domain.local and rdp pc.domain.local (inside the LAN the DNS works flawlessly, but not over the VPN).

Here is my config:

[QUOTE]
ASA Version 8.2(1)
!
terminal width 250
hostname domain
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list inside-out extended permit tcp host 192.168.0.2 any eq smtp
access-list inside-out extended deny tcp any any eq smtp
access-list inside-out extended permit ip any any
access-list inside-out extended permit icmp any any
access-list vpn-client-policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.250.132.0 255.255.255.0
access-list VPN-SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list 100 extended deny tcp 10.250.132.0 255.255.255.0 eq smtp 192.168.0.0 255.255.255.0 eq smtp
access-list 100 extended permit ip 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit icmp 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit icmp 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outbound extended permit tcp host 192.168.0.2 any eq smtp
access-list outbound extended permit tcp host 192.168.0.10 any eq smtp
access-list outbound extended deny tcp any any eq smtp
access-list outbound extended permit ip any any
pager lines 34
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool mobilepool 10.250.132.100-10.250.132.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outbound in interface inside
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 24.37.96.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set mobileset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
crypto map mobilemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.0.128.0 255.255.255.0 inside
ssh 10.250.132.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mobilegroup internal
group-policy mobilegroup attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 2000
vpn-session-timeout 2000
split-tunnel-network-list value VPN-SPLIT-TUNNEL
dns-server value 192.168.0.4
default-domain value domain.local
split-dns value domain.local
group-policy mobile_policy internal
group-policy mobile_policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
address-pool mobilepool
default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
pre-shared-key password
!
class-map global-class
match default-inspection-traffic
class-map inspection
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8483359024d4bec86c077bb9dbbcd324
: end
[/QUOTE]

For this config I removed some confidential info, but all the info for the VPN is still there.

One of my problems is the fact that when I'm connected to the VPN I cannot get a DNS server and search domain automatically.

[img]http://images.bluegartr.com/bucket/gallery/058a8ff58e55f644d3dad759fdd4a2d6.png[/img]

If I manually add my DNS server and my search domain there, I still cannot ping the FQDN.

Can anyone tell me what I'm doing wrong?

(Hope this is better formatted :P)

3 Replies

czaja0000
Level 1

Hi,

I have some comments on the ASA configuration.

Gyslain Hamel wrote:

group-policy mobilegroup internal
group-policy mobilegroup attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 2000
vpn-session-timeout 2000
split-tunnel-network-list value VPN-SPLIT-TUNNEL
dns-server value 192.168.0.4
default-domain value domain.local
split-dns value domain.local
...
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
address-pool mobilepool
default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
pre-shared-key password

I suggest some modifications.

If you define split-tunnel in the group policy you need the command "split-tunnel-policy tunnelspecified".

I detected a wrong IP for the DNS server (critical mistake). In the description of the problem the address specified was 192.168.0.14?

In the tunnel-group I corrected the default policy from "mobile_policy" to "mobilegroup", because mobile_policy doesn't specify a DNS server or domain name.

group-policy mobilegroup internal
group-policy mobilegroup attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 2000
vpn-session-timeout 2000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
dns-server value 192.168.0.14
default-domain value domain.local
split-dns none
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
address-pool mobilepool
default-group-policy mobilegroup

Try it and respond.

________________

Best regards,
MB

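
A small lint script, added here as an example and not part of either post, that checks a pasted ASA 8.2 config for the three things MB's reply corrects: a split-tunnel network list (or split-dns list) on a group-policy that has no "split-tunnel-policy tunnelspecified", a tunnel-group whose default-group-policy carries no dns-server or default-domain, and a dns-server value that is not the real DNS host. The two embedded configs are the thread's own group-policy and tunnel-group lines with the blank lines stripped; the expected DNS address (192.168.0.14, from the original post) is passed in as an assumption rather than read from anywhere, and the parser relies on attribute keywords because the pasted config has lost its indentation.

```python
"""Lint an ASA 8.2-style remote-access VPN config for the mistakes this thread
turned up. Added example, not the poster's or Cisco's tooling; the sample
configs are constructed from the thread and the expected DNS host is assumed.
"""
from __future__ import annotations

# Attribute keywords that only appear under a group-policy or tunnel-group
# section. The pasted config has no indentation, so these keywords are what
# tell the parser a line belongs to the section opened above it.
POLICY_ATTRS = {
    "vpn-simultaneous-logins", "vpn-idle-timeout", "vpn-session-timeout",
    "split-tunnel-policy", "split-tunnel-network-list", "dns-server",
    "default-domain", "split-dns",
}
TUNNEL_ATTRS = {"address-pool", "default-group-policy", "pre-shared-key"}

# Constructed sample: the original post's VPN lines, blank lines removed.
ORIGINAL_POST = """\
group-policy mobilegroup internal
group-policy mobilegroup attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 2000
vpn-session-timeout 2000
split-tunnel-network-list value VPN-SPLIT-TUNNEL
dns-server value 192.168.0.4
default-domain value domain.local
split-dns value domain.local
group-policy mobile_policy internal
group-policy mobile_policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
address-pool mobilepool
default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
pre-shared-key password
"""

# Constructed sample: the corrected lines from the reply above.
CORRECTED_REPLY = """\
group-policy mobilegroup internal
group-policy mobilegroup attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 2000
vpn-session-timeout 2000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
dns-server value 192.168.0.14
default-domain value domain.local
split-dns none
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
address-pool mobilepool
default-group-policy mobilegroup
"""


def parse_vpn_sections(config: str) -> tuple[dict, dict]:
    """Return ({group_policy: {attr: value}}, {tunnel_group: {attr: value}})."""
    policies: dict[str, dict[str, str]] = {}
    tunnels: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None  # section receiving attribute lines
    allowed: set[str] = set()
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words:
            continue
        key = words[0]
        if key == "group-policy" and len(words) >= 3:
            policies.setdefault(words[1], {})
            opens = words[2] == "attributes"
            current, allowed = (policies[words[1]], POLICY_ATTRS) if opens else (None, set())
        elif key == "tunnel-group" and len(words) >= 3:
            tunnels.setdefault(words[1], {})
            opens = words[2].endswith("-attributes")  # general- or ipsec-attributes
            current, allowed = (tunnels[words[1]], TUNNEL_ATTRS) if opens else (None, set())
        elif current is not None and key in allowed:
            # "dns-server value 192.168.0.14" -> dns-server = "192.168.0.14";
            # "split-tunnel-policy tunnelspecified" -> "tunnelspecified"
            has_value_kw = len(words) > 2 and words[1] == "value"
            current[key] = " ".join(words[2:] if has_value_kw else words[1:])
        else:
            current, allowed = None, set()  # any other top-level command closes the section
    return policies, tunnels


def lint_vpn(config: str, expected_dns: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means all three checks pass."""
    policies, tunnels = parse_vpn_sections(config)
    findings: list[str] = []
    for name, attrs in policies.items():
        # Check 1: a network list or split-dns list is ignored unless the policy
        # is tunnelspecified (the default is tunnelall).
        wants_split = "split-tunnel-network-list" in attrs or attrs.get("split-dns", "none") != "none"
        if wants_split and attrs.get("split-tunnel-policy") != "tunnelspecified":
            findings.append(f"group-policy {name}: split list defined but split-tunnel-policy is not tunnelspecified")
        # Check 3: the resolver pushed to clients must be the DNS host that exists.
        for ip in attrs.get("dns-server", "").split():
            if ip not in expected_dns:
                findings.append(f"group-policy {name}: dns-server {ip} is not one of {sorted(expected_dns)}")
    for name, attrs in tunnels.items():
        # Check 2: clients receive the attributes of the tunnel-group's default
        # policy; a policy without DNS settings inherits only what DfltGrpPolicy has.
        policy = attrs.get("default-group-policy")
        if policy is None or policy not in policies:
            findings.append(f"tunnel-group {name}: default-group-policy missing or undefined ({policy})")
            continue
        for needed in ("dns-server", "default-domain"):
            if needed not in policies[policy]:
                findings.append(f"tunnel-group {name}: default policy {policy} sets no {needed}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original post", ORIGINAL_POST), ("reply's correction", CORRECTED_REPLY)):
        print(f"{label}: {lint_vpn(cfg, {'192.168.0.14'}) or ['ok']}")
```

Run against the original post it reports four findings (the missing tunnelspecified policy and the wrong dns-server on mobilegroup, and the tunnel-group's default policy mobile_policy setting neither dns-server nor default-domain); against the reply's corrected lines it reports none. Paste a full "show running-config" instead of the samples and the same three checks apply, since everything outside group-policy and tunnel-group sections is skipped.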

Thank you for answering. I will be testing this, but only on Monday since I'm off work till then; I promise I'll come back to you.

Thanks for your help, it works in the lab but not in the working environment due to other effects.

Also I lost my internet access, but it's possibly due to the fact that we put split-dns none or the fact that I can't ping the DNS in the work environment.