blackfox_01 asked:

Cisco ASA VPN DNS Resolution

We just started using the Cisco VPN client through a Cisco ASA.  I set the DNS Server address up in the DHCP Pool but they are not being handed out to the client.   Our internal DNS does all of our DNS Handling.   VPN Users can connect but they cannot ping by name.  In this same vein I want users to be able to connect to the VPN without losing their internet access so is there a way to handle that as well?
Britt Thompson:

Make sure your DHCP pool is not on the same subnet as your internal subnet.

Your relevant VPN info should be similar to this... the internal subnet in this case is 192.168.0.0 and 192.168.0.4 is the DNS server inside. Also, you'll need to append the domain suffix.

access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec
 pfs disable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
username vpnuser password vpnpassword
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
blackfox_01 (asker):

Ok I went through the config and I can match some of this stuff up with what is set there. But it looks like the split DNS is not setup. I manage these from the ASDM software for the most part and I found an issue where the vpngroup had hard coded DNS servers setup but these servers were not active. If I set these to inherit from the DHCP policy would that pick up the DNS addresses set on the ASA?

The VPN clients get their addresses from the "ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0" and not from the internal DHCP or DHCP on the ASA. The DNS servers need to be hard coded in the VPN group settings before it'll actually work.

The ASDM actually makes this more difficult than it really is, but you can get to the command line from within the GUI. If you go to the command line and enter this it will allow you to add your DNS server and default domain:

group-policy vpngroup attributes
dns-server value 192.168.0.4
default-domain value domain.local

Obviously swapping your info for what's shown.
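To check a saved ASA configuration for the three problems this thread covers (a VPN pool overlapping the inside subnet, a group-policy with no dns-server or default-domain, and a tunnelspecified split tunnel with no network list), here is an added Python audit script; it is not from the thread or from Cisco, the sample config text is constructed from the lines above with the DNS settings deliberately omitted, and the inside subnet is passed in as an assumption rather than parsed from an interface block.

```python
import ipaddress
import re
# Constructed sample of the thread's ASA lines, without dns-server/default-domain.
SAMPLE_CONFIG = """\
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0
group-policy vpngroup internal
group-policy vpngroup attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
"""

# The same config after adding the two lines the thread recommends.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " vpn-tunnel-protocol IPSec\n",
    " dns-server value 192.168.0.4\n default-domain value domain.local\n"
    " vpn-tunnel-protocol IPSec\n")

def group_policy_attrs(config, name):
    """Collect the indented lines under 'group-policy <name> attributes'."""
    attrs, in_block = {}, False
    for line in config.splitlines():
        if line.startswith(f"group-policy {name} attributes"):
            in_block = True
        elif in_block and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            attrs[key] = val
        elif in_block:
            break  # first unindented line ends the attributes block
    return attrs

def audit_vpn(config, policy, inside_net):
    """Return findings for the three problems raised in the thread."""
    findings = []
    m = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", config)
    pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    if pool.overlaps(ipaddress.ip_network(inside_net)):
        findings.append("VPN pool overlaps the inside subnet")
    attrs = group_policy_attrs(config, policy)
    if "dns-server" not in attrs:
        findings.append("no dns-server: clients cannot resolve internal names")
    if "default-domain" not in attrs:
        findings.append("no default-domain: short names will not resolve")
    if attrs.get("split-tunnel-policy") == "tunnelspecified" \
            and "split-tunnel-network-list" not in attrs:
        findings.append("tunnelspecified without a split-tunnel-network-list")
    return findings
```

Run it against the output of `show running-config` with the real group-policy name and inside subnet; an empty list means the settings this thread asks for are present.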
Can you help me to understand how the split tunnelling works? This will make it easier for me to understand the settings.

The split tunnel just allows the VPN subnet to access the lan and wan interface simultaneously while connected to the VPN. It's less secure because it opens up the VPN subnet to the internet without blocking any traffic out for them.

Ok so essentially it means that any logged on VPN user pc would be accessible through the firewall if someone hacked through. What I am thinking that I need to solve is the issue where when logged in via the vpn client all the users traffic has to go to the vpn and then back through the firewall. I would rather have the traffic just make its connection direct and only route traffic to the vpn through the firewall. Is this the only way to accomplish this?
ASKER CERTIFIED SOLUTION
Britt Thompson:

This solution is only available to members.

Is that what that check box is for? Our consultant told us to check it but did not explain the significance. Ok I have that checked as well on all my clients so I will test tonight and see if that fixes my problems. Thank you for the help.

That's what the checkbox is for... you're welcome.