12-20-2017 02:52 PM - edited 03-12-2019 04:51 AM
Hi,
I just set up a firewall for vpn and it has split tunneling enabled.
Anything that is going to the network in the standard list does pass thru the VPN.
Anything else (ex Internet) not in the acl doesn't pass thru the VPN.
That's the purpose of having the split tunneling.
The problem is DNS.
Please see the dns server IP (10.13.18.12) I configured in the asa below.
fasa5585-60x/act#
sh run group-policy
group-policy Internal-NV-Group internal
group-policy Internal-NV-Group attributes
wins-server none
dns-server value 10.13.18.12
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Networks
split-dns value xxx.com xxx.com
split-tunnel-all-dns disable
webvpn
anyconnect profiles value InternalVPN_NV type user
fasa5585-60x/act#
This is the DNS server for my physical adapter.
ipconfig /all
Ethernet adapter Ethernet:
DNS Servers . . . . . . . . . . . : 10.14.18.13
172.27.200.4
When I use the same DNS server in the firewall, I can't resolve any server names or get to the Internet, but if I use a different DNS server in the ASA, it works.
Why is that?
I have other firewalls (no split tunneling) using the same DNS server as the local adapter uses, and they work fine.
I think this is regarding split tunneling and DNS.
I would appreciate it if you could tell me the answer!
Thank you!
12-21-2017 05:00 AM
Please share your split-tunnel configuration for the ACL. Also, is the IP that you are using actually a DNS server? If yes, ask the systems team whether they have a trust relationship between them. Secondly, if you are doing split-tunnel, I guess your DNS should be on the same subnet as those ACL IPs.
12-21-2017 06:02 AM - edited 12-21-2017 06:06 AM
Hi,
Thank you for your comment.
Yes, I'm using the right IP for dns server.
So the DNS server IPs that I tried on the firewall were 10.14.18.14 and 10.13.18.12.
And those two IP addresses worked. But not 172.27.200.4.
Here is the config for the split tunneling.
access-list Networks standard permit 10.13.0.0 255.255.0.0
access-list Networks standard permit 10.14.0.0 255.255.0.0
access-list Networks standard permit 10.17.0.0 255.255.0.0
access-list Networks standard permit 65.211.196.0 255.255.252.0
access-list Networks standard permit 65.192.80.0 255.255.252.0
access-list Networks standard permit 65.206.116.0 255.255.252.0
enc-wups-agg-fasa5585-60x/act# sh run group-policy
group-policy Internal-NV-Group internal
group-policy Internal-NV-Group attributes
wins-server none
dns-server value 10.13.18.12
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Networks
split-dns value xxxx.com xxxx.com
split-tunnel-all-dns disable
webvpn
anyconnect profiles value InternalVPN_NV type user
enc-wups-agg-fasa5585-60x/act#
So as I mentioned, if I use the same DNS server IP that my physical adapter uses, it doesn't work, but when using a different IP, it works...
Is it something related to split tunneling? Because I have another firewall not using split tunneling, and it uses the same DNS server IPs, but there is no issue.
05-08-2020 09:46 AM
Not sure if you have already resolved this problem or not, but based on your split tunnel config you have split-tunnel-all-dns disabled, which means "Client will resolve DNS queries depending on the split-tunnel and split-dns policies". At the same time you are using an ACL to specify which IP addresses should be sent through the tunnel. Since the 172.X.X.X address is not being allowed to go through the tunnel, it will try to send it via your LAN, so if the 172.X.X.X server is not reachable via your Ethernet adapter IP address (before connecting to VPN) then it will not be able to resolve DNS.
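The check described in the answer above can be done on the configuration itself: walk the split-tunnel ACL and test whether each configured DNS server address falls inside a tunneled network. This is an added example, not code from the thread or from Cisco; the ACL text is copied from the poster's config, and it models only the address-based decision (split-tunnel-all-dns disabled versus enabled), not split-dns domain matching.

```python
import ipaddress

# Split-tunnel ACL as posted in the thread (constructed input for this example).
ACL_TEXT = """
access-list Networks standard permit 10.13.0.0 255.255.0.0
access-list Networks standard permit 10.14.0.0 255.255.0.0
access-list Networks standard permit 10.17.0.0 255.255.0.0
access-list Networks standard permit 65.211.196.0 255.255.252.0
access-list Networks standard permit 65.192.80.0 255.255.252.0
access-list Networks standard permit 65.206.116.0 255.255.252.0
"""


def parse_standard_acl(text, name):
    """Return the networks permitted by an ASA standard ACL (network + dotted mask)."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 6 and parts[:2] == ["access-list", name]
                and parts[2:4] == ["standard", "permit"]):
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def dns_path(dns_server, tunneled, all_dns_through_tunnel=False):
    """Where the client will send queries to dns_server: 'tunnel' or 'local-LAN'."""
    if all_dns_through_tunnel:          # split-tunnel-all-dns enable
        return "tunnel"
    addr = ipaddress.ip_address(dns_server)
    # split-tunnel-all-dns disable: only addresses inside the ACL are tunneled
    return "tunnel" if any(addr in net for net in tunneled) else "local-LAN"


def check_group_policy(acl_text, acl_name, dns_servers, split_tunnel_all_dns):
    """Map each DNS server in the group policy to the path its queries take."""
    tunneled = parse_standard_acl(acl_text, acl_name)
    return {d: dns_path(d, tunneled, split_tunnel_all_dns) for d in dns_servers}


if __name__ == "__main__":
    # The three servers the poster tried; 172.27.200.4 is the one that failed.
    report = check_group_policy(ACL_TEXT, "Networks",
                                ["10.13.18.12", "10.14.18.14", "172.27.200.4"], False)
    for server, path in report.items():
        print(f"{server}: {path}")
```

A server reported as local-LAN must be reachable from the client's physical adapter, which matches the failure seen with 172.27.200.4.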