polaris101
asked on
HELP! Split DNS Issue on Cisco ASA
Hi Experts,
I have remote users that need to able to connect to the VPN and resolve DNS names of local resources and need to be able to continue to browse the Internet. So, I enabled split tunnel and used the split-dns command. From what I understood if I used the split dns command and specified the dns names, the end user would use their local DNS server (from their home ISP, etc.) except for the domains I specified in the split-dns command.
What am I missing here? They should use the corporate DNS server for "chart.com" and "myinternaldomain.local". Besides that, they should use their own DNS server.
I have remote users that need to able to connect to the VPN and resolve DNS names of local resources and need to be able to continue to browse the Internet. So, I enabled split tunnel and used the split-dns command. From what I understood if I used the split dns command and specified the dns names, the end user would use their local DNS server (from their home ISP, etc.) except for the domains I specified in the split-dns command.
What am I missing here? They should use the corporate DNS server for "chart.com" and "myinternaldomain.local". Besides that, they should use their own DNS server.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name myinternaldomain.local
enable password ncTf.ZRVCtlbr/qM encrypted
passwd ncTf.ZRVCtlbr/qM encrypted
names
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name 10.10.10.250 Company-VS2_10.10.10.250
name WW.XX.YY.ZZ PublicFiOS_WW.XX.YY.ZZ
name WW.XX.YY.ZZ4 PublicFiOS_WW.XX.YY.ZZ4 description Used for OpenVPN SSLconnections
name 10.10.10.200 Desktop_10.10.10.200
name 10.10.10.199 Desktop_10.10.10.199
name WW.XX.YY.ZZ2 PublicFiOS_WW.XX.YY.ZZ2
name WW.XX.YY.ZZ DataCenter_ASA5505_WW.XX.YY.ZZ
name 172.16.16.0 DataCenter_Network_172.16.16.0
name 10.10.10.151 DevBox_10.10.10.151
name 10.10.10.198 Desktop_10.10.10.198
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name WW.XX.YY.ZZ FTP_WW.XX.YY.ZZ
name 10.10.10.245 SharePoint_10.10.10.245
name 10.10.10.149 DevBox2_10.10.10.149
name 10.10.10.148 UpdoxStaging_10.10.10.148
name WW.XX.YY.ZZ Home_WW.XX.YY.ZZ
name WW.XX.YY.ZZ UpdoxQA_WW.XX.YY.ZZ
name WW.XX.YY.ZZ MikeTHome_WW.XX.YY.ZZ
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/7
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address PublicFiOS_WW.XX.YY.ZZ2 255.255.255.0
!
interface Vlan3
nameif CompanyGuestVlan
security-level 50
ip address 10.10.12.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name myinternaldomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network FTP_IPs
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
object-group service FTP_Ports tcp
port-object range 60000 60050
port-object eq 990
object-group service DM_INLINE_TCP_1 tcp
port-object eq 4555
port-object eq 4556
port-object eq 4557
port-object eq 4558
port-object eq 60443
port-object eq 4559
object-group network DM_INLINE_NETWORK_1
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
network-object host FTP_WW.XX.YY.ZZ
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq 8172
object-group network DM_INLINE_NETWORK_2
network-object host Home_WW.XX.YY.ZZ
network-object host UpdoxQA_WW.XX.YY.ZZ
network-object host MikeTHome_WW.XX.YY.ZZ
access-list outside_access extended permit tcp any host PublicFiOS_WW.XX.YY.ZZ4
access-list outside_access remark FTP Connection
access-list outside_access extended permit tcp object-group DM_INLINE_NETWORK_1 host PublicFiOS_WW.XX.YY.ZZ object-group FTP_Ports
access-list outside_access extended permit tcp any host PublicFiOS_WW.XX.YY.ZZ2 object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp object-group DM_INLINE_NETWORK_2 host PublicFiOS_WW.XX.YY.ZZ2 object-group DM_INLINE_TCP_2
access-list outside_access extended permit tcp any host PublicFiOS_WW.XX.YY.ZZ4 eq 4560
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 DataCenter_Network_172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 DataCenter_Network_172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 DataCenter_Network_172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 DataCenter_Network_172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip DataCenter_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list CompanyRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list CompanyRAGroup_splitTunnelAcl standard permit DataCenter_Network_172.16.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
logging host inside Desktop_10.10.10.199
mtu inside 1500
mtu outside 1500
mtu CompanyGuestVlan 1500
ip local pool CompanyVPNPool 10.10.11.1-10.10.11.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (CompanyGuestVlan) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4556 Desktop_10.10.10.199 4556 netmask 255.255.255.255
static (inside,outside) tcp interface 4555 Desktop_10.10.10.200 4555 netmask 255.255.255.255
static (inside,outside) tcp interface 4558 Desktop_10.10.10.198 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4557 DevBox_10.10.10.151 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 60443 SharePoint_10.10.10.245 60443 netmask 255.255.255.255
static (inside,outside) tcp interface https UpdoxStaging_10.10.10.148 https netmask 255.255.255.255
static (inside,outside) tcp interface www UpdoxStaging_10.10.10.148 www netmask 255.255.255.255
static (inside,outside) tcp interface 8172 UpdoxStaging_10.10.10.148 8172 netmask 255.255.255.255
static (outside,outside) 10.10.11.0 10.10.11.0 netmask 255.255.255.0
static (inside,outside) PublicFiOS_WW.XX.YY.ZZ Company-VS2_10.10.10.250 netmask 255.255.255.255
static (inside,outside) PublicFiOS_WW.XX.YY.ZZ4 DevBox2_10.10.10.149 netmask 255.255.255.255
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 WW.XX.YY.ZZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server myinternaldomain protocol ldap
aaa-server myinternaldomain (inside) host 10.10.10.240
server-port 389
ldap-base-dn DC=myinternaldomain,DC=LOCAL
ldap-group-base-dn DC=myinternaldomain,DC=LOCAL
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator, CN=Users, DC=myinternaldomain,DC=LOCAL
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer WW.XX.YY.ZZ
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.10-10.10.10.150 inside
dhcpd dns 10.10.10.240 interface inside
dhcpd domain myinternaldomain.local interface inside
dhcpd enable inside
!
dhcpd address 10.10.12.50-10.10.12.100 CompanyGuestVlan
dhcpd dns 8.8.8.8 8.8.4.4 interface CompanyGuestVlan
dhcpd lease 86400 interface CompanyGuestVlan
dhcpd enable CompanyGuestVlan
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy CompanyRAGroup internal
group-policy CompanyRAGroup attributes
dns-server value 10.10.10.240
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CompanyRAGroup_splitTunnelAcl
default-domain value myinternaldomain.local
split-dns value chart.com myinternaldomain.local
tunnel-group WW.XX.YY.ZZ type ipsec-l2l
tunnel-group WW.XX.YY.ZZ ipsec-attributes
pre-shared-key *****
tunnel-group CompanyRAGroup type remote-access
tunnel-group CompanyRAGroup general-attributes
address-pool CompanyVPNPool
authentication-server-group myinternaldomain
default-group-policy CompanyRAGroup
tunnel-group CompanyRAGroup ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c029e695c3ab2f5c25815d904138f486
: endASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ArneLovius
Which VPN client are you using, and on what client operating system ?
ASKER
This was the answer, once I changed the binding order performance improved immediately.