Cisco ASA VPN DNS Resolution

Posted on 2009-05-05
Last Modified: 2012-06-27
We just started using the Cisco VPN client through a Cisco ASA. I set the DNS server address up in the DHCP pool but it is not being handed out to the client. Our internal DNS does all of our DNS handling. VPN users can connect but they cannot ping by name. In this same vein, I want users to be able to connect to the VPN without losing their internet access, so is there a way to handle that as well?
Question by:blackfox_01
9 Comments
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306122
Make sure your DHCP pool is not on the same subnet as your internal subnet.

Your relevant VPN info should be similar to this... the internal subnet in this case is 192.168.0.0 and 192.168.0.4 is the DNS server inside. Also, you'll need to append the domain suffix.

! Split-tunnel list: inside LAN (source) to the VPN pool (destination)
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
! Exempt inside-to-VPN-pool traffic from NAT
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! Client address pool, on its own subnet rather than the inside one
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0

! IPsec (phase 2) and ISAKMP (phase 1) settings for the remote-access clients
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! Group policy: DNS server, domain suffix and split-tunnel list pushed to the client
group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec
 pfs disable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
! Local user and the tunnel group that ties the pool and the group policy together
username vpnuser password vpnpassword
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool VPNPool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
 
LVL 1

Author Comment

by:blackfox_01
ID: 24307934
OK, I went through the config and I can match some of this stuff up with what is set there. But it looks like the split DNS is not set up. I manage these from the ASDM software for the most part, and I found an issue where the vpngroup had hard-coded DNS servers set up but these servers were not active. If I set these to inherit from the DHCP policy, would that pick up the DNS addresses set on the ASA?
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24308085
The VPN clients get their addresses from the "ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0" and not from the internal DHCP or DHCP on the ASA. The DNS servers need to be hard coded in the VPN group settings before it'll actually work.

The ASDM actually makes this more difficult than it really is, but you can get to the command line from within the GUI. If you go to the command line and enter this it will allow you to add your DNS server and default domain:

group-policy vpngroup attributes
 dns-server value 192.168.0.4
 default-domain value domain.local

Obviously swapping your info for what's shown.
 
LVL 1

Author Comment

by:blackfox_01
ID: 24329849
Can you help me to understand how the split tunnelling works? This will make it easier for me to understand the settings.
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24329979
The split tunnel just allows the VPN subnet to access the LAN and WAN interfaces simultaneously while connected to the VPN. It's less secure because it opens up the VPN subnet to the internet without blocking any traffic out for them.
 
LVL 1

Author Comment

by:blackfox_01
ID: 24330028
OK, so essentially it means that any logged-on VPN user PC would be accessible through the firewall if someone hacked through. What I am thinking I need to solve is the issue where, when logged in via the VPN client, all the user's traffic has to go to the VPN and then back through the firewall. I would rather have the traffic just make its connection direct and only route traffic to the VPN through the firewall. Is this the only way to accomplish this?
 
LVL 30

Accepted Solution

by:Britt Thompson (earned 250 total points)
ID: 24330105
If you want to avoid the security risks of using split tunneling, there is an option in the setup of the VPN profile on the client that allows access to the local network... this should allow them to be connected to the VPN and have internet access at the same time.
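As an added example (not from this thread, and not Cisco tooling), the following Python script audits an ASA remote-access VPN config for the points raised across the answers above: the address pool must sit on a separate subnet from the inside network, a nat 0 ACL must exempt the pool, the group-policy must carry dns-server and default-domain because the pool hands out addresses but not DNS, and with split-tunnel-policy tunnelspecified the DNS server has to fall inside the split list or name lookups leave the client over its local route instead of the tunnel. It also labels what each split-tunnel-policy value means for the client, including the excludespecified form with a standard ACL permitting host 0.0.0.0, which is how Cisco documents local LAN access on the ASA side (the client's Allow Local LAN Access checkbox is still required). The two configs in the block are constructed: SAMPLE_OK is Britt Thompson's snippet plus an assumed inside interface, SAMPLE_BAD is a deliberately broken variant. The split-list check treats the source field of the extended ACL as the tunnelled network, matching the posted config.

```python
"""Audit a Cisco ASA remote-access VPN config for the pitfalls raised in this thread (added example)."""
import ipaddress
import re

# Constructed from the posted snippet plus an assumed inside interface; not a real device's config.
SAMPLE_OK = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool VPNPool 192.168.100.1-192.168.100.100 mask 255.255.255.0
group-policy vpngroup attributes
 dns-server value 192.168.0.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
 default-domain value domain.local
"""
# Constructed counter-example: pool carved out of the LAN, no nat 0 exemption, DNS outside the split list.
SAMPLE_BAD = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list splitvpn extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
ip local pool VPNPool 192.168.0.200-192.168.0.250 mask 255.255.255.0
group-policy vpngroup attributes
 dns-server value 10.10.10.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitvpn
"""
POLICY_NOTES = {  # what each ASA split-tunnel-policy means for the client
    "tunnelall": "all client traffic, internet included, crosses the tunnel",
    "tunnelspecified": "only listed networks are tunnelled; other traffic leaves the client directly",
    "excludespecified": "listed networks bypass the tunnel; 'host 0.0.0.0' is local LAN access and also needs the client's Allow Local LAN Access box",
}
_POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
def _net(addr, mask): return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _blocks(text):
    """ASA config: a column-0 line opens a block; indented lines belong to it. Skips '!' comments."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):
            if raw[0].isspace() and blocks:
                blocks[-1][1].append(raw.strip())
            else:
                blocks.append((raw.strip(), []))
    return blocks

def _addr(tok, i):
    """Consume one ASA address spec (any | host X | ADDR MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2

def parse_asa(text):
    """Pull the VPN-relevant objects (inside subnet, pools, ACLs, nat 0, group policies) into a dict."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nonat": None, "policies": {}}
    for header, kids in _blocks(text):
        tok = header.split()
        if tok[0] == "interface" and "nameif inside" in kids:
            cfg["inside"] = _net(*next(k.split()[2:4] for k in kids if k.startswith("ip address ")))
        elif m := _POOL.match(header):
            name, lo, hi, mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi), _net(lo, mask))
        elif tok[0] == "access-list" and "permit" in tok:
            ext = tok[2] == "extended"
            src, j = _addr(tok, tok.index("permit") + (2 if ext else 1))  # extended: skip the protocol
            cfg["acls"].setdefault(tok[1], []).append((src, _addr(tok, j)[0] if ext else None))
        elif tok[0] == "nat" and "access-list" in tok:
            cfg["nonat"] = tok[-1]
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            words = [k.split() for k in kids]
            cfg["policies"][tok[1]] = {w[0]: " ".join(w[2:] if w[1:2] == ["value"] else w[1:]) for w in words}
    return cfg

def audit(text):
    """Return findings as 'ERROR ...' / 'WARN ...' / 'INFO ...' strings."""
    cfg, out = parse_asa(text), []
    inside, nonat = cfg["inside"], cfg["acls"].get(cfg["nonat"], [])
    for name, (lo, hi, pnet) in cfg["pools"].items():
        if inside and (lo in inside or hi in inside):
            out.append(f"ERROR pool {name} {lo}-{hi} overlaps inside {inside}; use a separate subnet")
        if not any(dst is not None and pnet.subnet_of(dst) for _, dst in nonat):
            out.append(f"ERROR no nat 0 exemption covers pool {pnet}; inside-to-VPN replies get NATed")
    for name, a in cfg["policies"].items():
        if "dns-server" not in a:
            out.append(f"ERROR group-policy {name}: no dns-server; the pool hands out addresses, not DNS")
        if "default-domain" not in a:
            out.append(f"WARN group-policy {name}: no default-domain; short names will not resolve")
        pol = a.get("split-tunnel-policy", "tunnelall")  # ASA default when the attribute is absent
        out.append(f"INFO group-policy {name}: {pol}: {POLICY_NOTES.get(pol, 'unknown policy')}")
        if pol == "tunnelspecified" and "dns-server" in a:
            # The posted ACL names the inside networks in the source field; those are the tunnelled routes.
            tunnelled = [s for s, _ in cfg["acls"].get(a.get("split-tunnel-network-list"), [])]
            for dns in map(ipaddress.ip_address, a["dns-server"].split()):
                if not any(dns in n for n in tunnelled):
                    out.append(f"ERROR group-policy {name}: DNS {dns} is not in the split list; queries bypass the tunnel")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BAD)))
```

Run as-is it prints the counter-example's findings; feeding audit() the text of a real show running-config works the same way for the objects it knows about, but object-group based ACL entries are not handled by this small parser and would need extending first.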
 
LVL 1

Author Comment

by:blackfox_01
ID: 24330445
Is that what that check box is for? Our consultant told us to check it but did not explain the significance. OK, I have that checked as well on all my clients, so I will test tonight and see if that fixes my problems. Thank you for the help.
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24330577
That's what the checkbox is for... you're welcome.
