Solved

Cisco ASA VPN DNS Resolution

Posted on 2009-05-05
9
4,167 Views
Last Modified: 2012-06-27
We just started using the Cisco VPN client through a Cisco ASA. I set the DNS server address up in the DHCP pool, but it is not being handed out to the client. Our internal DNS does all of our DNS handling. VPN users can connect, but they cannot ping by name. In this same vein, I want users to be able to connect to the VPN without losing their internet access, so is there a way to handle that as well?
Question by:blackfox_01
9 Comments
 
LVL 30

Expert Comment

by:renazonse
ID: 24306122
Make sure your DHCP pool is not on the same subnet as your internal subnet.

Your relevant VPN info should be similar to this. The internal subnet in this case is 192.168.0.0 and 192.168.0.4 is the DNS server inside. Also, you'll need to append the domain suffix.

! Split-tunnel ACL: only traffic between the internal LAN and the VPN pool goes through the tunnel
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
! Exempt traffic to the VPN pool from NAT
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! Address pool for VPN clients (a different subnet from the internal LAN)
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0

! Phase 2 and dynamic crypto map for remote-access clients
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! Phase 1 (ISAKMP) settings
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! Group policy: DNS server, split tunnel and domain suffix pushed to the client
group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec
 pfs disable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
username vpnuser password vpnpassword
! Tunnel group: ties the address pool and group policy to the connection profile
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 24307934
OK, I went through the config and I can match some of this stuff up with what is set there. But it looks like the split DNS is not set up. I manage these from the ASDM software for the most part, and I found an issue where the vpngroup had hard-coded DNS servers set up, but these servers were not active. If I set these to inherit from the DHCP policy, would that pick up the DNS addresses set on the ASA?
0
 
LVL 30

Expert Comment

by:renazonse
ID: 24308085
The VPN clients get their addresses from the "ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0" and not from the internal DHCP or DHCP on the ASA. The DNS servers need to be hard-coded in the VPN group settings before it'll actually work.

The ASDM actually makes this more difficult than it really is, but you can get to the command line from within the GUI. If you go to the command line and enter this, it will allow you to add your DNS server and default domain:

group-policy vpngroup attributes
 dns-server value 192.168.0.4
 default-domain value domain.local

Obviously swapping your info for what's shown.
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 24329849
Can you help me to understand how the split tunnelling works? This will make it easier for me to understand the settings.
0
 
LVL 30

Expert Comment

by:renazonse
ID: 24329979
The split tunnel just allows the VPN subnet to access the LAN and WAN interfaces simultaneously while connected to the VPN. It's less secure because it opens up the VPN subnet to the internet without blocking any traffic out for them.
0
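To make the points from the two replies above concrete (DNS server and default domain must be set in the group policy, the address pool must not overlap the inside subnet, and a split-tunnel policy must reference an ACL that exists), here is an added Python audit script. It is not from the thread or from Cisco; the configuration text it parses is constructed, modelled on renazonse's snippet, and the `interface Vlan1` block is an assumption added so the overlap check has something to compare against.

```python
import ipaddress
import re

# Constructed sample ASA configuration, modelled on the snippet posted in the thread.
# The interface block is an assumption (not in the original) so the pool overlap check can run.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0
group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
"""

# Constructed variant reproducing the asker's situation: no dns-server in the group policy,
# and a pool carved out of the inside subnet instead of a separate one.
BROKEN_CONFIG = (SAMPLE_CONFIG
                 .replace(" dns-server value 192.168.0.4\n", "")
                 .replace("192.168.100.1-192.168.100.100", "192.168.0.200-192.168.0.250"))

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")


def parse_blocks(config):
    """Split an ASA config into top-level lines and a map of header -> indented sub-lines."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def group_policy_attributes(blocks, name):
    """Collect 'attr value X' and 'attr X' lines under 'group-policy NAME attributes'."""
    attrs = {}
    for line in blocks.get(f"group-policy {name} attributes", []):
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "value":
            attrs[parts[0]] = " ".join(parts[2:])
        elif len(parts) == 2:
            attrs[parts[0]] = parts[1]
    return attrs


def local_pools(top):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pools = {}
    for line in top:
        m = POOL_RE.match(line)
        if m:
            name, start, end, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    return pools


def interface_networks(blocks):
    """Return the subnets configured on interfaces ('ip address A MASK' lines)."""
    nets = []
    for header, lines in blocks.items():
        if header.startswith("interface "):
            for line in lines:
                parts = line.split()
                if len(parts) == 4 and parts[:2] == ["ip", "address"]:
                    nets.append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
    return nets


def audit_vpn_group(config, group):
    """Return a list of findings for the named group policy / tunnel group."""
    top, blocks = parse_blocks(config)
    attrs = group_policy_attributes(blocks, group)
    findings = []
    if "dns-server" not in attrs:
        findings.append("no dns-server in group-policy: clients cannot resolve internal names")
    if "default-domain" not in attrs:
        findings.append("no default-domain: short hostnames will not resolve")
    policy = attrs.get("split-tunnel-policy", "tunnelall")
    if policy in ("tunnelspecified", "excludespecified"):
        acl = attrs.get("split-tunnel-network-list")
        acl_names = {line.split()[1] for line in top if line.startswith("access-list ")}
        if acl is None or acl not in acl_names:
            findings.append(f"split-tunnel-policy {policy} references missing ACL {acl!r}")
        else:
            findings.append(f"split tunneling enabled via ACL {acl}: client reaches the internet outside the tunnel")
    pool_name = None
    for line in blocks.get(f"tunnel-group {group} general-attributes", []):
        if line.startswith("address-pool "):
            pool_name = line.split()[1]
    pools = local_pools(top)
    if pool_name is None:
        findings.append("tunnel-group has no address-pool")
    elif pool_name in pools:
        start, end = pools[pool_name]
        for net in interface_networks(blocks):
            if start in net or end in net:
                findings.append(f"pool {pool_name} overlaps interface subnet {net}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("working", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit_vpn_group(cfg, "vpngroup"))
```

Running it against the working sample reports only that split tunneling is enabled (the trade-off renazonse describes), while the broken variant additionally reports the missing dns-server line and the pool overlapping the inside subnet.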
 
LVL 1

Author Comment

by:blackfox_01
ID: 24330028
OK, so essentially it means that any logged-on VPN user PC would be accessible through the firewall if someone hacked through. What I am thinking that I need to solve is the issue where, when logged in via the VPN client, all the user's traffic has to go to the VPN and then back through the firewall. I would rather have the traffic just make its connection direct and only route traffic to the VPN through the firewall. Is this the only way to accomplish this?
0
 
LVL 30

Accepted Solution

by:
renazonse earned 250 total points
ID: 24330105
If you want to avoid the security risks of using split tunneling, there is an option in the setup of the VPN profile on the client that allows access to the local network. This should allow them to be connected to the VPN and have internet access at the same time.
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 24330445
Is that what that check box is for? Our consultant told us to check it but did not explain the significance. OK, I have that checked as well on all my clients, so I will test tonight and see if that fixes my problems. Thank you for the help.
0
 
LVL 30

Expert Comment

by:renazonse
ID: 24330577
That's what the checkbox is for. You're welcome.
0