Coming soon! Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.
Course Of The Month
6 days, 17 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Cisco ASA 5510 AnyConnect DNS issues.
Posted on 2014-01-23
Please bear with me. I've not had much hands on with ASA configuration etc...
I'm looking at setting up some users with an AnyConnect VPN connection and to then connect to our internally hosted Terminal Server farm.
The AnyConnect connection looks to be setup however when I establish a connection I cannot connect to any resources when using the DNS name. I can use the IP address OK and it resolves it fine.
I've seen a setting in the ASDM Connection Profiles VPN profile and within it under the DNS section its set to the Default DNS and the internal DNS servers are listed. However when I click on manage under the DNS Lookup section DNS Enabled is disabled on the outside interface.
I'm thinking that this is the issue. Would this be the case? What reason would it be disabled for?
Any help/advice would be great. Step by step via ASDM preferred.
Thanks,
Rich
I'm looking at setting up some users with an AnyConnect VPN connection and to then connect to our internally hosted Terminal Server farm.
The AnyConnect connection looks to be setup however when I establish a connection I cannot connect to any resources when using the DNS name. I can use the IP address OK and it resolves it fine.
I've seen a setting in the ASDM Connection Profiles VPN profile and within it under the DNS section its set to the Default DNS and the internal DNS servers are listed. However when I click on manage under the DNS Lookup section DNS Enabled is disabled on the outside interface.
I'm thinking that this is the issue. Would this be the case? What reason would it be disabled for?
Any help/advice would be great. Step by step via ASDM preferred.
Thanks,
Rich
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
- +1
6 Comments
Active 2 days ago
It seems as if 'Split Tunneling' is configured on your VPN group. Please forgive me as I do not work with our ASA and do not configure the VPN Groups so I do not have instructions on how to configure it but this would be the cause.
Split Tunneling allows the User to connect to your network and access resources, via IP, but also splits out the HTTP traffic from your browser to use your LOCAL internet connection. When this is set up, the VPN group is required to use IP addresses for access to network (VPN) resources - servers, printers, shares etc.
If you did not have split tunneling configured all internet traffic from the VPN connected machine would route through your office's ISP connection, which could cause delays with accessing sites etc depending on your office's speeds.
Split Tunneling allows the User to connect to your network and access resources, via IP, but also splits out the HTTP traffic from your browser to use your LOCAL internet connection. When this is set up, the VPN group is required to use IP addresses for access to network (VPN) resources - servers, printers, shares etc.
If you did not have split tunneling configured all internet traffic from the VPN connected machine would route through your office's ISP connection, which could cause delays with accessing sites etc depending on your office's speeds.
I want to make sure we are looking in the same location. Please follow the steps below to troubleshoot
1. Login to ASDM
2. Click on Configuration at the top of the screen
3. Click on "Remote Access VPN"
4. Expand "Network (Client) Access"
5. Click on "AnyConnect Connection Profiles"
6. Towards the bottom of your screen you will see a section for Connection Profiles. Highlight your connection profile and click on the "Edit" icon.
7. Towards the bottom of your screen you will see "DNS Servers:" Do you have any IP Addresses configured here? Also do you have a domain name configured in this box?
Now when the client connects you say that you are able to connect to devices via IP address but not DNS name correct? From a client connected to the VPN please perform the steps below.
1. Click Start
2. Type in "Command Prompt"
3. In a command prompt window type in "ipconfig /all"
4. Paste the results for review.
5. Try to perform a lookup via the nslookup command.
6. Type in "nslookup "name of device on your network"
7. Paste the results for review.
8. Finally try to ping the IP Address of your DNS server via the "ping" command.
Also can you let me know the subnet you are using on your local network before you connect to the VPN. For instance are you using 192.168.1.XXX in your home as well as 192.168.1.XXX at the office. or are they on different subnets? What about the DNS server is it on a similar network as your home network?
1. Login to ASDM
2. Click on Configuration at the top of the screen
3. Click on "Remote Access VPN"
4. Expand "Network (Client) Access"
5. Click on "AnyConnect Connection Profiles"
6. Towards the bottom of your screen you will see a section for Connection Profiles. Highlight your connection profile and click on the "Edit" icon.
7. Towards the bottom of your screen you will see "DNS Servers:" Do you have any IP Addresses configured here? Also do you have a domain name configured in this box?
Now when the client connects you say that you are able to connect to devices via IP address but not DNS name correct? From a client connected to the VPN please perform the steps below.
1. Click Start
2. Type in "Command Prompt"
3. In a command prompt window type in "ipconfig /all"
4. Paste the results for review.
5. Try to perform a lookup via the nslookup command.
6. Type in "nslookup "name of device on your network"
7. Paste the results for review.
8. Finally try to ping the IP Address of your DNS server via the "ping" command.
Also can you let me know the subnet you are using on your local network before you connect to the VPN. For instance are you using 192.168.1.XXX in your home as well as 192.168.1.XXX at the office. or are they on different subnets? What about the DNS server is it on a similar network as your home network?
First of all apologies for the late response. I was pulled away onto other things.
BigPapaGotti, I have had a look at your suggestion and from what I can see its possible that the vpn connection profile is using DfltGrpPolicy (System Default) and a DefaultWEBVPNGroup as its Default Group Policies.
Upon looking in this policy it has no reference to any DNS servers within either of them.
Could it be this that is the issue?
BigPapaGotti, I have had a look at your suggestion and from what I can see its possible that the vpn connection profile is using DfltGrpPolicy (System Default) and a DefaultWEBVPNGroup as its Default Group Policies.
Upon looking in this policy it has no reference to any DNS servers within either of them.
Could it be this that is the issue?
I have finally cracked it.
I did change the DfltGrpPolicy group policy which was being referenced and this has resolved the problems with DNS.
i am now able to connect and use DNS to connect to resources.
Happy Days!
I just need to sort out the AnyConnect licensing so I can then start to roll it out to users.
I did change the DfltGrpPolicy group policy which was being referenced and this has resolved the problems with DNS.
i am now able to connect and use DNS to connect to resources.
Happy Days!
I just need to sort out the AnyConnect licensing so I can then start to roll it out to users.
Featured Post
Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud (http://www.concertocloud.com/about/in-the-news/2017/02/0…
- Storage
- Concerto Cloud Services
- Cisco
- Analytics
- Cloud Computing
- Cloud Services, *CRM, *Virtual Private Cloud (VPC)
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month6 days, 17 hours left to enroll
Earn Certification
Cisco CCNP Security: SIMOS
$197.00$177.30
726 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.