Solved

Cisco VPN w/Vista and Split DNS

Posted on 2009-05-06
2
1,992 Views
Last Modified: 2012-05-06
I have a Cisco ASA running with 8.x code. I have a user using a wireless CDMA card with Vista that VPNs in the network with the Cisco IPSec VPN client. I also have split tunneling enabled. When the users connects, they are assigned a DNS server that is the company's internal server. However, when I perform an NSLookup, I am somehow using the external DNS server.

access-list XYZ_VPN_splitTunnelAcl permit ip object-group Internal_Net any
vpngroup XYZ_VPN dns-server 172.16.xxx.11 172.16.xxx.10
vpngroup XYZ_VPN wins-server 172.16.xxx.10 172.16.xxx.11
vpngroup XYZ_VPN default-domain xyz.com
vpngroup XYZ_VPN split-tunnel XYZ_VPN_splitTunnelAcl
vpngroup XYZ_VPN split-dns xyz.com

From the Vista PC (IPConfig)
 Connection-specific DNS Suffix  . : xyz.com
  DNS Servers . . . . . . . . . . . : 172.16.xxx.11
                                                172.16.xxx.10

C:\>nslookup
Default Server:  ns1.kscymar06.spcsdns.net
Address:  68.28.82.91
 
> www.google.com
Server:  www.google.com.xyz.com
Address:  205.178.152.103
 
Non-authoritative answer:
Name:    nslookup.xyz.com
Address:  205.178.152.103
 
So there is the DNS query going to DNS server bypassing their VPN.  Next I changed the default DNS server to their DNS server.
 
> server 172.16.xxx.11
Default Server:  [172.16.xxx.11]
Address:  172.16.xxx.11
 
Now DNS queries hit their DNS server.  Here are the responses I received.
 
> nslookup www.google.com
Server:  www.l.google.com
Addresses:  74.125.127.147
          74.125.127.99
          74.125.127.104
          74.125.127.103
Aliases:  www.google.com

Is this a Vista issue, a split tunneling issue, VPN Client issue, or something else?
0
Comment
Question by:Swami_Newport
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 24332334
>vpngroup XYZ_VPN split-dns xyz.com
You are doing split-dns, so the only time the client uses the 172.16.xx.11 dns server is to resolve host.xyz.com
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now