03-02-2020 08:22 PM
Hi,
Using Cisco ASA 9.x code and the below configuration.
We are using two DNS servers for internal URL resolving and external DNS resolving:
internal test.local and external test.com.
The problem: remote users using AnyConnect cannot resolve the DNS.
group-policy Test internal
group-policy Test attributes
wins-server none
dns-server value 192.168.100.1
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testsplitacl
default-domain value test.local
address-pools value test
Thanks
03-07-2020 06:20 PM
Hi,
Thank you for the reply. What does it mean by "Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)" in the link you provided under section
Tunnel-all means there is no split tunnel, all traffic goes through the tunnel, so what does it mean by "Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)"? How is that possible with tunnel-all and split tunnel together?
And what is
split-tunnel-all-dns disable
Thanks
03-08-2020 01:50 AM
Here you go, this will help you to understand the question you asked here.
03-09-2020 11:19 PM
Hi,
Read the document carefully, it's simple to understand. You have the following options:
- use split-dns, establish the AnyConnect session, launch NSLookup, query internal domains and external domains, and see if the resolution performs as expected (internal DNS queries for configured domains go through the tunnel, everything else goes through the physical interface)
- don't use split-dns, leave it to default and do the same tests
Regards,
Cristian Matei.
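The test described in the post above, written as a check over observed DNS queries. This is an added example, not part of the original thread or Cisco's code; the split-dns domain list and the sample records are assumptions built from the names in the question, and 192.168.100.1 is the dns-server value from the posted group-policy.

```python
# Added example: compares where each DNS query was sent with where split-DNS
# should send it. All sample records below are constructed.

SPLIT_DNS_DOMAINS = ("test.local", "test.com")  # assumed split-dns list
TUNNEL_DNS = "192.168.100.1"                    # dns-server value from the group-policy


def in_split_dns(qname, domains=SPLIT_DNS_DOMAINS):
    """True if qname equals a split-dns domain or is a subdomain of one.

    Matching is on whole labels, so 'nottest.com' does not match 'test.com'.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(qname, dst_ip):
    """Return a verdict for one query sent to the DNS server dst_ip."""
    internal = in_split_dns(qname)
    via_tunnel = dst_ip == TUNNEL_DNS
    if internal and via_tunnel:
        return "ok-tunnel"
    if not internal and not via_tunnel:
        return "ok-physical"
    if internal:
        return "internal-name-sent-outside-tunnel"
    return "external-name-sent-into-tunnel"


def audit(queries):
    """Return the (qname, dst_ip, verdict) rows that violate the expectation."""
    rows = [(q, ip, classify(q, ip)) for q, ip in queries]
    return [r for r in rows if not r[2].startswith("ok-")]


# Constructed observations: (query name, DNS server the query was sent to).
# 203.0.113.53 is a documentation address standing in for the local ISP resolver.
SAMPLE = [
    ("a.test.com", "192.168.100.1"),
    ("b.test.com.", "203.0.113.53"),   # internal-only name sent outside the tunnel
    ("www.example.org", "203.0.113.53"),
    ("nottest.com", "192.168.100.1"),  # not covered by the split-dns list
    ("TEST.LOCAL", "192.168.100.1"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The (query name, server) pairs can be read off a packet capture taken on the client while the AnyConnect session is up.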
03-10-2020 08:24 AM
Hi
I tested with split DNS and without split DNS,
but it is not working. I think nslookup behaves in a different way.
Thanks
03-10-2020 09:40 AM - edited 03-10-2020 09:40 AM
Hi,
For me, it worked each time I needed, it was just a matter of running 2-3 versions of AnyConnect. With each of the mentioned options, which DNS query does not go where you want, in or outside the tunnel, for which domains, your own or Internet? Does all your DNS traffic go in the tunnel, or outside the tunnel?
Regards,
Cristian Matei.
03-10-2020 11:42 AM
Hi,
I removed split-dns,
then my a.test.com resolved (a.test.com has both private and public IP addresses), this worked.
Then my b.test.com did not resolve (b.test.com has only a private IP, it does not have a public IP),
this b.test.com can only resolve using our locally hosted DNS server (192.168.1.1).
Added split-dns, all test.com (private and public) not resolving.
Is it possible to see the DNS traffic in Wireshark?
03-10-2020 12:13 PM
Yes, if you connect to the AnyConnect module in your laptop and capture the traffic. Yes.
03-10-2020 12:18 PM
Hi,
And how exactly do you expect b.test.com to be resolved through the VPN tunnel via the DNS server of 192.168.1.1, if you have 192.168.100.1 configured as your DNS server in the group-policy for VPN?
Regards,
Cristian Matei.
03-10-2020 12:42 PM
Hi,
Sorry, it was a typo, the DNS server is 192.168.100.1
Thanks
03-11-2020 03:51 PM
Hi,
You've lost me. Anyways, make sure that the DNS server configured for VPN users can resolve everything, and this way you get an easy fix.
Regards,
Cristian Matei.
03-10-2020 11:23 AM
Upload your firewall configuration.
03-09-2020 11:23 AM
03-09-2020 11:55 AM
Yes, AnyConnect version 4.8 and ASA 9.8.4 or 9.13.
03-09-2020 01:28 PM
03-09-2020 02:01 PM
9.2 is fine, upgrade the AnyConnect.