Solved

Cisco ASA VPN DNS Resolution

Posted on 2009-05-05
Last Modified: 2012-06-27
We just started using the Cisco VPN client through a Cisco ASA.  I set the DNS Server address up in the DHCP Pool but they are not being handed out to the client.   Our internal DNS does all of our DNS Handling.   VPN Users can connect but they cannot ping by name.  In this same vein I want users to be able to connect to the VPN without losing their internet access so is there a way to handle that as well?
Question by:blackfox_01
9 Comments
 
LVL 30

Expert Comment

by:renazonse
ID: 24306122
Make sure your DHCP pool is not on the same subnet as your internal subnet.

Your relevant VPN info should be similar to this...the internal subnet in this case is 192.168.0.0 and 192.168.0.4 is the DNS server inside. Also, you'll need to append the domain suffix.

access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec
 pfs disable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
username vpnuser password vpnpassword
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
 
LVL 1

Author Comment

by:blackfox_01
ID: 24307934
Ok I went through the config and I can match some of this stuff up with what is set there. But it looks like the split DNS is not set up. I manage these from the ASDM software for the most part and I found an issue where the vpngroup had hard-coded DNS servers set up but these servers were not active. If I set these to inherit from the DHCP policy would that pick up the DNS addresses set on the ASA?
 
LVL 30

Expert Comment

by:renazonse
ID: 24308085
The VPN clients get their addresses from the "ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0" and not from the internal DHCP or DHCP on the ASA. The DNS servers need to be hard coded in the VPN group settings before it'll actually work.

The ASDM actually makes this more difficult than it really is, but you can get to the command line from within the GUI. If you go to the command line and enter this it will allow you to add your DNS server and default domain:

group-policy vpngroup attributes
 dns-server value 192.168.0.4
 default-domain value domain.local

Obviously swapping your info for what's shown.
 
LVL 1

Author Comment

by:blackfox_01
ID: 24329849
Can you help me to understand how the split tunnelling works? This will make it easier for me to understand the settings.
 
LVL 30

Expert Comment

by:renazonse
ID: 24329979
The split tunnel just allows the VPN subnet to access the lan and wan interface simultaneously while connected to the VPN. It's less secure because it opens up the VPN subnet to the internet without blocking any traffic out for them.
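Added example (not code from this thread or from Cisco): a small Python audit of the settings discussed in the comments above, using the group-policy, pool and split-tunnel ACL from the posted config as a constructed excerpt, with the inside subnet 192.168.0.0/24 assumed. It flags a missing dns-server or default-domain, a pool that overlaps the inside subnet, and a DNS server that the split-tunnel list would not send through the tunnel (the usual reason name resolution fails once split tunnelling is on).

```python
import ipaddress
import re

# Constructed excerpt of the config posted in this thread; assumed complete for the fields checked.
ASA_CONFIG = """\
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
"""
PATTERNS = {  # one regex per field the thread discusses; matched against each stripped line
    "acl": r"access-list (\S+) extended permit ip (\d[\d.]+) (\d[\d.]+) \S+ \S+",
    "pool": r"ip local pool \S+ (\S+)-\S+ mask (\S+)",
    "dns": r"dns-server value (.+)",
    "policy": r"split-tunnel-policy (\S+)",
    "acl_name": r"split-tunnel-network-list value (\S+)",
    "domain": r"default-domain value (\S+)",
}
def parse(config):
    info = {"acls": {}, "dns": [], "pool": None, "policy": None, "acl_name": None, "domain": None}
    for raw in config.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, raw.strip())
            if m and key == "acl":  # the ACL's source side names the networks sent down the tunnel
                name, net, mask = m.groups()
                info["acls"].setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}"))
            elif m and key == "pool":
                info["pool"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m and key == "dns":
                info["dns"] = [ipaddress.ip_address(a) for a in m.group(1).split()]
            elif m:
                info[key] = m.group(1)
    return info

def audit(config, inside="192.168.0.0/24"):  # inside subnet is an assumption matching the excerpt
    c, findings = parse(config), []
    if not c["dns"]:
        findings.append("no dns-server in group-policy: clients cannot resolve internal names")
    if not c["domain"]:
        findings.append("no default-domain: short hostnames will not resolve")
    if c["pool"] and c["pool"].overlaps(ipaddress.ip_network(inside)):
        findings.append("VPN pool overlaps the inside subnet")
    if c["policy"] == "tunnelspecified":  # only the listed networks go through the tunnel
        for srv in c["dns"]:
            if not any(srv in net for net in c["acls"].get(c["acl_name"], [])):
                findings.append(f"dns-server {srv} is not in split-tunnel list {c['acl_name']}; queries go out the local interface")
    return findings
```

Paste the relevant lines of `show running-config` into `ASA_CONFIG` and call `audit()`; an empty list means the pool, DNS and split-tunnel settings are consistent with each other.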
 
LVL 1

Author Comment

by:blackfox_01
ID: 24330028
Ok so essentially it means that any logged-on VPN user PC would be accessible through the firewall if someone hacked through. What I am thinking that I need to solve is the issue where, when logged in via the VPN client, all the user's traffic has to go to the VPN and then back through the firewall. I would rather have the traffic just make its connection direct and only route traffic to the VPN through the firewall. Is this the only way to accomplish this?
 
LVL 30

Accepted Solution

by:renazonse (earned 250 total points)
ID: 24330105
If you want to avoid the security risks with using split tunneling there is an option in the setup of the vpn profile on the client that allows access to the local network...this should allow them to be connected to the vpn and have internet access at the same time.
 
LVL 1

Author Comment

by:blackfox_01
ID: 24330445
Is that what that check box is for? Our consultant told us to check it but did not explain the significance. Ok I have that checked as well on all my clients so I will test tonight and see if that fixes my problems. Thank you for the help.
 
LVL 30

Expert Comment

by:renazonse
ID: 24330577
That's what the checkbox is for...you're welcome.
