11-14-2007 08:24 AM - edited 03-11-2019 04:31 AM
We have an ASA5510 with Windows VPN Clients (current stable version) connecting to it. I set up split DNS to force the clients to lookup the internal domains with the nameserver on our network.
Split DNS Config as follows:
group-policy VPN attributes
dns-server value 192.168.0.196
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value myinternaldomain.de
split-dns value myinternaldomain.de myinternaldomain2.de
Now, when the clients do nslookups after connecting (on Windows XP), the internal names are looked up in no time.
When a public name like google.de is looked up, nslookup runs into a timeout like this and finally answers the query:
> google.de
Server: [192.168.1.3]
Address: 192.168.1.3
DNS request timed out.
timeout was 2 seconds.
Nicht autorisierte Antwort:
Name: google.de
Addresses: 216.239.59.104, 72.14.221.104, 66.249.93.104
The tunnel traffic policy is simple:
access-list VPN_splitTunnelAcl standard permit our_main_private_net 255.255.255.0
access-list VPN_splitTunnelAcl standard permit some_other_private_net_in_10_classA 255.128.0.0
Using the MacOS Cisco VPN client, the problem doesn't exist!
The setup has been tested on all different kinds of networks: wireless, DSL, anything. The issue is not limited to one computer only.
Thanks for your help
-chris
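As an added illustration (not part of this thread or of Cisco's code), the Python below models how a client applies the split-dns setting posted above, a suffix match that sends only names under the listed domains to the tunnel DNS server and everything else to the ISP resolver, and checks that the tunnel DNS server is itself inside the split-tunnel ACL, without which internal lookups would fail. The ACL network addresses (192.168.0.0/24 and 10.0.0.0/9) are assumed values, since the post uses placeholder names.

```python
import ipaddress
import re

# Constructed sample in the thread's own ASA syntax; the network addresses in
# the ACL are assumed, because the original post only shows placeholder names.
ASA_CONFIG = """
group-policy VPN attributes
 dns-server value 192.168.0.196
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value myinternaldomain.de
 split-dns value myinternaldomain.de myinternaldomain2.de
access-list VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.0.0.0 255.128.0.0
"""

def parse_policy(text):
    """Extract the split-DNS and split-tunnel settings from a group-policy dump."""
    policy = {"dns_servers": [], "split_dns": [], "acl": None, "nets": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dns-server value"):
            policy["dns_servers"] = line.split()[2:]
        elif line.startswith("split-dns value"):
            policy["split_dns"] = [d.lower() for d in line.split()[2:]]
        elif line.startswith("split-tunnel-network-list value"):
            policy["acl"] = line.split()[2]
        else:
            m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)
            if m:  # "network mask" form is accepted by ip_network as addr/netmask
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                policy["nets"].append((m.group(1), net))
    return policy

def resolver_for(name, policy):
    """Split DNS is a domain-suffix match: a name equal to or under a split-dns
    domain goes to the tunnel DNS server; anything else goes to the ISP resolver."""
    host = name.lower().rstrip(".")
    for domain in policy["split_dns"]:
        if host == domain or host.endswith("." + domain):
            return "tunnel"
    return "isp"

def tunneled_nets(policy):
    """Only ACL entries belonging to the referenced split-tunnel list count."""
    return [net for acl, net in policy["nets"] if acl == policy["acl"]]

def dns_server_reachable(policy):
    """Every tunnel DNS server must fall inside a tunneled network, or the
    client would send internal queries out the clear-text path and time out."""
    nets = tunneled_nets(policy)
    return all(any(ipaddress.ip_address(s) in n for n in nets) for s in policy["dns_servers"])

if __name__ == "__main__":
    p = parse_policy(ASA_CONFIG)
    for n in ("intranet.myinternaldomain.de", "google.de"):
        print(n, "->", resolver_for(n, p))
    print("DNS server inside tunnel ACL:", dns_server_reachable(p))
```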
11-20-2007 12:54 PM
You have to split. If you do not have split tunneling configured for the VPN Client, you will not be able to use the DNS server of the Internet Service Provider (ISP) anymore. This is because all traffic is now encrypted and sent to the VPN server.
For more information on configuring split and dynamic DNS on the Cisco VPN, refer to these documents.
11-20-2007 01:15 PM
As can be seen in the config I posted, we DO split:
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
access-list VPN_splitTunnelAcl standard permit our_main_private_net 255.255.255.0
access-list VPN_splitTunnelAcl standard permit some_other_private_net_in_10_classA 255.128.0.0
All our traces show that splitting works just fine, the ISP nameserver can be contacted, only lookups take forever.
I figure this is a bug in the Windows version of the VPN client (I tried several versions), and does not occur AT ALL in the Mac version of the VPN client.
For now the problem is solved by not using split DNS and having everyone use the internal DNS to resolve all names, internal and public. This incurs a performance hit, of course.
02-04-2008 03:39 PM
Nobody else having this problem? Can't be...