Split Tunneling & Split DNS - ASA

oliclarke7
Level 1

Hi,

I'd like to know if something is possible...

Currently, all traffic goes via the AnyConnect VPN no matter what the destination is. I need to enable split tunneling for a single domain name which will need to go via the local breakout rather than the VPN, as the DNS server used for the current VPN traffic cannot resolve this public domain name (corporate DNS, only resolves internal DNS names).

I'm no VPN expert so correct me if I'm wrong, but the issue I see at the moment is that any traffic hitting the ASA - even if split tunneling is enabled - would use the VPN corporate DNS server. This would defeat the object as the DNS server would not return an IP for this single FQDN, and the traffic would not breakout locally.

What would be the best way of doing this, or is it even possible? I've read a little on split-DNS, but not entirely sure if this would meet the requirements? Any assistance (or corrections to my logic) is much appreciated.

6 Replies

Split tunnel either by IP or by DNS.
Here you run split tunnel by IP,
and there is one domain your client needs to resolve by local DNS?
If yes to all the above, try the command below:

split-tunnel-all-dns disable

oliclarke7
Level 1

Thanks for that info.

Excuse my ignorance, but what do you mean split tunnel by IP rather than DNS? You're correct in saying that there's one domain name that needs to go out locally.

The environment I'm working on is a live one, so I just mainly want to ensure that I fully understand what the command does, so I'll know if it will affect current functionality for users for any DNS resolutions and general traffic.

Normally with split-tunnel, the ASA DNS server resolves the domain; if that fails, then the client will use the DNS server list on the interface.
This breaks if you configure
split-tunnel-all-dns
This means that the client always sends DNS requests to the ASA DNS server,
so what we need is to disable this feature.

oliclarke7
Level 1

So let's say I wanted bbc.co.uk to go out locally but all other traffic via the VPN; I'd need to do the following to enable dynamic split tunnelling with local DNS resolution for excluded addresses:

webvpn
  anyconnect-custom-attr dynamic-split-exclude-domains description Exclude BBC

anyconnect-custom-data dynamic-split-exclude-domains exclude-bbc www.bbc.co.uk

group-policy GroupPolicy_AnyConnect-01 attributes
 anyconnect-custom dynamic-split-exclude-domains value exclude-bbc
 split-tunnel-all-dns disable

Let me know if anything else is required.
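
As an added pre-change check (example code, not from the thread or from Cisco): it parses a constructed ASA fragment shaped like the one above, confirms that the custom attribute, the custom data and the group policy refer to each other, and shows how an exclude entry is matched. It assumes dynamic split exclude matches the configured name and every label below it (a suffix match), so an entry for www.bbc.co.uk does not cover bbc.co.uk or news.bbc.co.uk.

```python
import re

# Constructed ASA fragment with the same shape and names as the thread's post.
ASA_CONFIG = """\
webvpn
  anyconnect-custom-attr dynamic-split-exclude-domains description Exclude BBC
anyconnect-custom-data dynamic-split-exclude-domains exclude-bbc www.bbc.co.uk
group-policy GroupPolicy_AnyConnect-01 attributes
 anyconnect-custom dynamic-split-exclude-domains value exclude-bbc
 split-tunnel-all-dns disable
"""

def parse_dynamic_split(config):
    """Collect the three pieces that must agree: attr, custom-data, group-policy."""
    attr_declared = False
    data, policies, current = {}, {}, None  # custom-data name -> domains; policy name -> attrs
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("anyconnect-custom-attr dynamic-split-exclude-domains"):
            attr_declared = True
        elif m := re.match(r"anyconnect-custom-data dynamic-split-exclude-domains (\S+) (\S+)$", line):
            data[m.group(1)] = m.group(2).split(",")
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = policies.setdefault(m.group(1), {"value": None, "all_dns": None})
        elif current and (m := re.match(r"anyconnect-custom dynamic-split-exclude-domains value (\S+)$", line)):
            current["value"] = m.group(1)
        elif current and (m := re.match(r"split-tunnel-all-dns (enable|disable)$", line)):
            current["all_dns"] = m.group(1)
    return attr_declared, data, policies

def audit(config):
    """Return findings; an empty list means the sections line up."""
    attr_declared, data, policies = parse_dynamic_split(config)
    findings = []
    if not attr_declared:
        findings.append("dynamic-split-exclude-domains attribute not declared under webvpn")
    for name, pol in policies.items():
        if pol["value"] is None:
            continue  # this policy does not use dynamic split exclude
        if pol["value"] not in data:
            findings.append(f"{name}: custom-data '{pol['value']}' is not defined")
        if pol["all_dns"] == "enable":
            findings.append(f"{name}: split-tunnel-all-dns enable sends every DNS query to the tunnel DNS")
    return findings

def excluded(fqdn, exclude_list):
    """Assumed match rule: the listed name itself and any label below it."""
    name = fqdn.lower().rstrip(".")
    return any(name == e or name.endswith("." + e) for e in map(str.lower, exclude_list))
```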

Do you NOW use split-tunnel with ACL?

Configure ASA/AnyConnect: Dynamic Split Tunneling - Cisco <<- depends on DNS
Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA - Cisco <<- depends on ACL (static)

So I suggest using split with ACL and using split-tunnel-all-dns.