  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2000

Cisco VPN w/Vista and Split DNS

I have a Cisco ASA running 8.x code. I have a user with a wireless CDMA card on Vista who VPNs into the network with the Cisco IPSec VPN client. I also have split tunneling enabled. When the user connects, they are assigned a DNS server that is the company's internal server. However, when I perform an NSLookup, I am somehow using the external DNS server.

access-list XYZ_VPN_splitTunnelAcl permit ip object-group Internal_Net any
vpngroup XYZ_VPN dns-server 172.16.xxx.11 172.16.xxx.10
vpngroup XYZ_VPN wins-server 172.16.xxx.10 172.16.xxx.11
vpngroup XYZ_VPN default-domain xyz.com
vpngroup XYZ_VPN split-tunnel XYZ_VPN_splitTunnelAcl
vpngroup XYZ_VPN split-dns xyz.com

From the Vista PC (IPConfig)
 Connection-specific DNS Suffix  . : xyz.com
  DNS Servers . . . . . . . . . . . : 172.16.xxx.11

Default Server:  ns1.kscymar06.spcsdns.net
Server:  www.google.com.xyz.com
Non-authoritative answer:
Name:    nslookup.xyz.com
So there is the DNS query going to a DNS server, bypassing their VPN. Next I changed the default DNS server to their DNS server.
> server 172.16.xxx.11
Default Server:  [172.16.xxx.11]
Address:  172.16.xxx.11
Now DNS queries hit their DNS server.  Here are the responses I received.
> nslookup www.google.com
Server:  www.l.google.com

Aliases:  www.google.com

Is this a Vista issue, a split tunneling issue, VPN Client issue, or something else?
1 Solution
>vpngroup XYZ_VPN split-dns xyz.com
You are doing split-dns, so the only time the client uses the 172.16.xx.11 DNS server is to resolve host.xyz.com.
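To make the split-DNS rule concrete, here is an added example (not code from the original post, the Cisco client, or Windows) that models how a split-DNS client picks a resolver for each query. The domain list, server addresses and query names are constructed to mirror the configuration quoted in the question (the "xxx" octets are left as placeholders). It also models the suffix step that explains the "www.google.com.xyz.com" line in the question's output: once the connection-specific suffix "xyz.com" is appended to a name, that name falls under the split-DNS domain and is sent to the internal server. One caveat worth remembering when testing this: nslookup talks to a DNS server directly rather than going through the Windows DNS Client service, so it does not apply the split-DNS rule; it simply uses whichever server it picks as its default, which is why the first lookup in the question landed on the carrier's resolver.

```python
"""Model of split-DNS resolver selection on a VPN client.

Added example; not part of the original post, the Cisco VPN client
or the Windows resolver. Values below are constructed to mirror the
question's configuration.
"""

# Constructed values mirroring the question's config ("xxx" is a placeholder octet).
SPLIT_DNS_DOMAINS = ["xyz.com"]
VPN_DNS = ["172.16.xxx.11", "172.16.xxx.10"]            # vpngroup dns-server
PHYSICAL_DNS = ["ns1.kscymar06.spcsdns.net"]            # CDMA carrier's resolver
DEFAULT_DOMAIN = "xyz.com"                              # vpngroup default-domain


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_split_domain(qname: str, domains=SPLIT_DNS_DOMAINS) -> bool:
    """True if qname is the split-DNS domain or a subdomain of it.

    Matching is label-wise, so 'xyz.com.attacker.net' and 'notxyz.com'
    do not match 'xyz.com'; only 'xyz.com' and '*.xyz.com' do.
    """
    q = _labels(qname)
    for domain in domains:
        d = _labels(domain)
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def dns_servers_for(qname: str) -> list[str]:
    """Servers the client sends this query to under split DNS.

    Names inside the split-DNS domain go to the VPN-assigned servers;
    everything else stays on the physical adapter's servers.
    """
    return list(VPN_DNS) if in_split_domain(qname) else list(PHYSICAL_DNS)


def candidate_names(qname: str, default_domain=DEFAULT_DOMAIN) -> list[str]:
    """Names a resolver may try for a query: as typed, then with the
    connection-specific suffix appended (the question's output shows
    'www.google.com' being retried as 'www.google.com.xyz.com').
    A trailing dot marks the name as fully qualified and disables suffixing.
    """
    if qname.endswith("."):
        return [qname]
    return [qname, f"{qname}.{default_domain}"]


def resolution_plan(qname: str) -> list[tuple[str, list[str]]]:
    """Ordered (name, servers) pairs the client works through for a query."""
    return [(name, dns_servers_for(name)) for name in candidate_names(qname)]


if __name__ == "__main__":
    for q in ("host.xyz.com", "www.google.com", "www.google.com.", "xyz.com.attacker.net"):
        for name, servers in resolution_plan(q):
            print(f"{q:>22} -> try {name:<28} via {servers}")
```

Running the block shows that only names under xyz.com (including a name that became xyz.com-suffixed through the search list) ever reach 172.16.xxx.11; a plain www.google.com lookup goes to the carrier's resolver by design, which is the behaviour the answer describes. To see the internal server answer for an external name, the split-dns line would have to be removed so that all queries follow the tunnel.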
