Cisco ASA VPN DNS Resolution

We just started using the Cisco VPN client through a Cisco ASA. I set the DNS server addresses up in the DHCP pool, but they are not being handed out to the client. Our internal DNS does all of our DNS handling. VPN users can connect, but they cannot ping by name. In this same vein, I want users to be able to connect to the VPN without losing their internet access, so is there a way to handle that as well?
1 Solution
 
Britt Thompson (Sr. Systems Engineer) commented:
Make sure your DHCP pool is not on the same subnet as your internal subnet.

Your relevant VPN info should be similar to this... the internal subnet in this case is 192.168.0.0 and 192.168.0.4 is the DNS server inside. Also, you'll need to append the domain suffix.

access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec
 pfs disable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
username vpnuser password vpnpassword
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
 
blackfox_01 (Author) commented:
OK, I went through the config and I can match some of this stuff up with what is set there. But it looks like the split DNS is not set up. I manage these from the ASDM software for the most part, and I found an issue where the vpngroup had hard-coded DNS servers set up, but these servers were not active. If I set these to inherit from the DHCP policy, would that pick up the DNS addresses set on the ASA?
 
Britt Thompson (Sr. Systems Engineer) commented:
The VPN clients get their addresses from the "ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0" and not from the internal DHCP or DHCP on the ASA. The DNS servers need to be hard coded in the VPN group settings before it'll actually work.

The ASDM actually makes this more difficult than it really is, but you can get to the command line from within the GUI. If you go to the command line and enter this, it will allow you to add your DNS server and default domain:

group-policy vpngroup attributes
 dns-server value 192.168.0.4
 default-domain value domain.local

Obviously swapping your info for what's shown.
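The two answers above boil down to three things a VPN config must get right: the address pool must not overlap the inside subnet, the group-policy the tunnel-group points at must carry dns-server and default-domain, and split tunneling must reference a real ACL. The following script is an added example (not from the original thread or from Cisco) that checks those points over the text of an ASA config; the sample config it carries is constructed from the lines posted above, with the DNS lines deliberately left out.

```python
import ipaddress
import re

# Constructed sample based on the config posted above; the group-policy is
# missing its dns-server and default-domain lines on purpose.
SAMPLE_CONFIG = """\
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0
group-policy vpngroup attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
"""

def parse_sections(config):
    """Map each top-level command to the indented attribute lines under it."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def check_vpn_config(config):
    """Return a list of findings; an empty list means every check passed."""
    sections, findings = parse_sections(config), []
    net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    pools = {m[1]: net(m[2], m[3]) for m in
             re.finditer(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)", config, re.M)}
    # Inside subnets are the sources of the split-tunnel ACL entries ("any" is skipped).
    internal = [net(m[1], m[2]) for m in
                re.finditer(r"^access-list \S+ extended permit ip (\d\S*) (\S+)", config, re.M)]
    acls = set(re.findall(r"^access-list (\S+)", config, re.M))
    for cmd, attrs in sections.items():
        m = re.match(r"tunnel-group (\S+) general-attributes", cmd)
        if not m:
            continue
        values = dict(a.split(" ", 1) for a in attrs if " " in a)
        pool = pools.get(values.get("address-pool"))
        if pool and any(pool.overlaps(n) for n in internal):
            findings.append(f"{m[1]}: pool {pool} overlaps the inside subnet")
        gp = values.get("default-group-policy")
        gp_attrs = sections.get(f"group-policy {gp} attributes", [])
        for required in ("dns-server value", "default-domain value"):
            if not any(a.startswith(required) for a in gp_attrs):
                findings.append(f"{m[1]}: group-policy {gp} lacks '{required}'")
        for a in gp_attrs:
            if a.startswith("split-tunnel-network-list value") and a.split()[-1] not in acls:
                findings.append(f"{m[1]}: split-tunnel ACL {a.split()[-1]} is not defined")
    return findings
```

Run it against the output of `show running-config` saved to a file; the sample as written reports the two missing DNS lines, and a pool moved onto the inside subnet is reported as an overlap.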
 
blackfox_01 (Author) commented:
Can you help me to understand how the split tunnelling works? This will make it easier for me to understand the settings.
 
Britt Thompson (Sr. Systems Engineer) commented:
The split tunnel just allows the VPN subnet to access the LAN and WAN interfaces simultaneously while connected to the VPN. It's less secure because it opens up the VPN subnet to the internet without blocking any traffic out for them.
 
blackfox_01 (Author) commented:
OK, so essentially it means that any logged-on VPN user PC would be accessible through the firewall if someone hacked through. What I am thinking I need to solve is the issue where, when logged in via the VPN client, all the user's traffic has to go to the VPN and then back through the firewall. I would rather have the traffic just make its connection direct and only route traffic to the VPN through the firewall. Is this the only way to accomplish this?
 
Britt Thompson (Sr. Systems Engineer) commented:
If you want to avoid the security risks of using split tunneling, there is an option in the setup of the VPN profile on the client that allows access to the local network... this should allow them to be connected to the VPN and have internet access at the same time.
 
blackfox_01 (Author) commented:
Is that what that check box is for? Our consultant told us to check it but did not explain the significance. OK, I have that checked as well on all my clients, so I will test tonight and see if that fixes my problems. Thank you for the help.
 
Britt Thompson (Sr. Systems Engineer) commented:
That's what the checkbox is for... you're welcome.