vpn issue

kp-tkr2014
Level 1

Hi,

We are using Cisco ASA 9.x code and the configuration below.

We are using two DNS servers, one for internal URL resolution and one for external DNS resolution:

internal test.local and external test.com

The problem: remote users using AnyConnect cannot resolve DNS.

group-policy Test internal
group-policy Test attributes
wins-server none
dns-server value 192.168.100.1
vpn-tunnel-protocol ikev1 ssl-client

split-tunnel-policy tunnelspecified
split-tunnel-network-list value testsplitacl
default-domain value test.local
address-pools value test

Thanks

31 Replies

Cristian Matei
VIP Alumni

Hi,

Use "show vpn-sessiondb" and check whether the proper settings are applied to a connected client. Is your split ACL allowing access to the DNS server? Is your DNS server reachable from the clients, e.g. via ping? If you have NAT configured, ensure traffic from the DNS server towards the clients is exempted from NAT.

Regards,

Cristian Matei. 

Hi,

My split ACL allows DNS, but it is still the same issue.

What is the difference between 'default-domain' and 'split-dns'?

default-domain value
split-dns value

How does the client understand which DNS (the public one or the VPN tunnel DNS) needs to be used?

Thanks

To prevent users from inheriting a domain name, use the default-domain none command.

The ASA passes the default domain name to the AnyConnect Secure Mobility Client or the legacy VPN client (IPsec/IKEv1) to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.

default-domain: Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns: Provides a list of domains to be resolved through the split tunnel.

Please do not forget to rate.

Hi,

Thanks for the reply.

I am struggling to resolve local DNS through the VPN tunnel.

Our DNS setup is as below:

test.local is our local domain.

In test.local there is a forward zone test.com.

From the LAN we resolve a.test.com, and it resolves to a local IP address 192.168.1.x.

test.com is also published from the ISP's DNS server, so from the Internet a.test.com resolves to a public IP.

My requirement is: once the VPN is connected, a.test.com should resolve to 192.168.1.x.

Thanks

Forward the NAT rules, and the tunnel-group and group-policy configuration.

Please do not forget to rate.

Hi,

Here is the configuration.

tunnel-group tg-test type remote-access
tunnel-group tg-test general-attributes
address-pool pool-test
authentication-server-group RAD-SERVER
default-group-policy gp-test
password-management

group-policy gp-test internal
group-policy gp-test attributes
wins-server none
dns-server value 192.168.100.1
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testsplitacl
default-domain value test.local
address-pools value pool-test

And here is the NAT rule (twice NAT needs the "destination" keyword before the second static pair):

nat (Inside,Outside) source static 192.168.100.1 192.168.100.1 destination static VPN_IPS VPN_IPS no-proxy-arp route-lookup

How do the address pools under the tunnel group and under the group policy work? I mean, is there any difference between the two?

Thanks

Cristian Matei
VIP Alumni

Hi,

To come up with a proper solution, a few questions need to be answered:

- I understand you have split-tunneling configured, so only traffic to certain networks flows through the tunnel. Is this correct? If you want to resolve any FQDN through the tunnel, is the DNS server allowed in the split-tunnel ACL?

- Users will need to resolve three types of FQDNs via DNS: your internal private network, your public network (any resources which are publicly available, i.e. have a public IP address), and the rest of the public network (the Internet). Each of these three should be resolved by one of the following DNS servers: the one you push via AnyConnect, reachable through the VPN tunnel, or the one users have configured on their "physical" NIC. Which DNS server should resolve which FQDN?

- Your internal DNS server resolves your internal resources (private) and your external DNS server resolves the Internet? Do you have the external DNS server configured as a forwarder on the internal DNS server?

Regards,

Cristian Matei.

@Cristian Matei made a good point: does your split-tunnel ACL include the DNS server 192.168.x.x? If not, you have to add it.

I noted you have access-list testsplitacl, so you have to add this command.

!
Make your change like this:
!

group-policy Test internal
group-policy Test attributes
wins-server value 192.168.100.1
dns-server value 192.168.100.1
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testsplitacl
default-domain value test.local
address-pools value test
!
access-list testsplitacl standard permit host 192.168.100.1

Please do not forget to rate.
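The checks the two replies above ask for (is the pushed DNS server inside the split-tunnel ACL, is split-dns set, is the DNS-to-pool traffic exempted from NAT) can be run against a pasted config before a client is even connected. The script below is an added example written for this thread, not Cisco code or anything the posters ran. It parses only the commands that appear in the thread (group-policy attributes, standard ACLs, twice-NAT identity lines) and not a full ASA configuration; the two sample configs are constructed from the thread's policy, the fixed one with the suggested ACL entry and split-dns added, the broken one as first posted, and the NAT check matches the literal address used in the thread rather than resolving object names.

```python
"""Static check of an ASA remote-access group-policy for the pitfalls
raised in this thread: DNS server outside the split-tunnel ACL, no
split-dns, no NAT exemption. Added example, not Cisco code; it parses
only the commands that appear in the thread (group-policy attributes,
standard ACLs, twice-NAT identity lines), not a full ASA config."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the thread, after the fixes suggested in
# it: the DNS host is in the split ACL, split-dns is set, identity NAT
# exists. VPN_IPS is the object name used in the thread for the pool.
FIXED_CONFIG = """\
access-list testsplitacl standard permit host 192.168.100.1
access-list testsplitacl standard permit 192.168.1.0 255.255.255.0
group-policy gp-test internal
group-policy gp-test attributes
 dns-server value 192.168.100.1
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testsplitacl
 default-domain value test.local
 split-dns value test.local test.com
 address-pools value pool-test
nat (Inside,Outside) source static 192.168.100.1 192.168.100.1 destination static VPN_IPS VPN_IPS no-proxy-arp route-lookup
"""

# The same policy as first posted: no DNS host in the ACL, no split-dns.
BROKEN_CONFIG = FIXED_CONFIG.replace(
    "access-list testsplitacl standard permit host 192.168.100.1\n", ""
).replace(" split-dns value test.local test.com\n", "")

ATTRIBUTES = {"wins-server", "dns-server", "vpn-tunnel-protocol",
              "split-tunnel-policy", "split-tunnel-network-list",
              "default-domain", "split-dns", "address-pools"}
ACL_RE = re.compile(r"access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$")
NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
GP_RE = re.compile(r"group-policy (\S+) attributes$")


def parse_config(text):
    """Collect group-policy attributes, standard ACL networks and identity
    (NAT-exempt) twice-NAT pairs. Indentation is ignored on purpose, since
    configs pasted into forums usually lose it."""
    policies, acls, identity_nat = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if m := GP_RE.match(line):
            current = policies.setdefault(m.group(1), {})
        elif m := ACL_RE.match(line):
            name, host, net, mask = m.groups()
            acls.setdefault(name, []).append(
                ip_network(host) if host else ip_network(f"{net}/{mask}"))
            current = None
        elif m := NAT_RE.match(line):
            src_real, src_mapped, dst_real, dst_mapped = m.groups()
            if src_real == src_mapped and dst_real == dst_mapped:
                identity_nat.append((src_real, dst_real))
            current = None
        elif current is not None and parts[0] in ATTRIBUTES:
            # "dns-server value X" -> ["X"]; "split-tunnel-policy Y" -> ["Y"]
            current[parts[0]] = parts[2:] if parts[1:2] == ["value"] else parts[1:]
        else:
            current = None
    return {"policies": policies, "acls": acls, "identity_nat": identity_nat}


def check_policy(cfg, name):
    """Return findings for one group policy; an empty list means the three
    checks from the thread pass."""
    pol = cfg["policies"].get(name)
    if pol is None:
        return [f"group-policy {name} not found"]
    findings = []
    dns = pol.get("dns-server", [])
    if not dns or dns == ["none"]:
        return ["no dns-server pushed to clients"]
    dns_ip = ip_address(dns[0])
    if pol.get("split-tunnel-policy", ["tunnelall"])[0] == "tunnelspecified":
        acl_name = pol.get("split-tunnel-network-list", [None])[0]
        if not any(dns_ip in net for net in cfg["acls"].get(acl_name, [])):
            findings.append(f"DNS server {dns_ip} not covered by split ACL {acl_name}")
        if "split-dns" not in pol:
            findings.append("split tunnelling without split-dns: internal "
                            "domains are not steered to the tunnel DNS")
    # Identity NAT is matched on the literal address used in the thread;
    # object names would need a lookup that this example does not do.
    if not any(src == str(dns_ip) for src, _ in cfg["identity_nat"]):
        findings.append(f"no identity NAT (NAT exemption) for DNS server {dns_ip}")
    return findings


if __name__ == "__main__":
    for label, text in (("fixed", FIXED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_policy(parse_config(text), "gp-test") or ["OK"])
```

Run it against the output of "show running-config" pasted into a file; the broken sample reports exactly the two findings this thread turned out to be about, and the fixed sample reports none. An extended ACL as the split list, or object-group based NAT, would need the parser extended.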

Hi,

Kindly see the replies.

Q. I understand you have split-tunneling configured, so only traffic to certain networks flows through the tunnel. Is this correct? If you want to resolve any FQDN through the tunnel, is the DNS server allowed in the split-tunnel ACL?

A: Yes, DNS is allowed in the ACL.

Q. Users will need to resolve three types of FQDNs via DNS: your internal private network, your public network (any resources which are publicly available, i.e. have a public IP address), and the rest of the public network (the Internet). Each of these three should be resolved by one of the following DNS servers: the one you push via AnyConnect, reachable through the VPN tunnel, or the one users have configured on their "physical" NIC. Which DNS server should resolve which FQDN?

A: The DNS server configured on the physical NIC should resolve all public domains except our public domain test.com.

Q. Your internal DNS server resolves your internal resources (private) and your external DNS server resolves the Internet?

A: When we are connected from the LAN, the internal DNS server will resolve to a private IP (for example, a.test.com will resolve to 192.168.1.10; from the Internet the same a.test.com will resolve to a public IP address).

Q. Do you have the external DNS server configured as a forwarder on the internal DNS server?

A: Yes

Thanks

Cristian Matei
VIP Alumni

Hi,

Use the following config:

group-policy gp-test internal
group-policy gp-test attributes
dns-server value 192.168.100.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testsplitacl
default-domain value test.local
split-dns value test.local test.com

This way, all queries for test.local and test.com will be sent through the VPN tunnel towards 192.168.100.1, while all other queries will be sent to the locally configured DNS server on the physical interface. Make sure to run a stable/recommended AnyConnect version, which honours the "split-dns" policy.

Regards,

Cristian Matei.

Hi,

I tried split-dns, but it looks like it does not work. Maybe it is an AnyConnect client issue?

Or is there any alternative way to solve this issue?

Thanks

What AnyConnect version are you on?

The split-dns command is available in version 9.9; I just tested it on my ASA. What version are you on? I quickly checked and this command has been available since version 7. However, starting with version 3.0.4235, AnyConnect Secure Mobility Client supports true split DNS functionality for Windows platforms.

Please do not forget to rate.

Hi,
Is there any difference between true split DNS and split DNS?
Thanks

Hi,

Try a couple of stable AnyConnect versions and see which one works; run 4.x. Check this document for any further guidelines.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html#anc7

Regards,

Cristian Matei.