Multiple domain suffixes for VPN clients

Unanswered Question
Mar 5th, 2008

Is it possible to have multiple domain suffixes passed to Cisco VPN clients from an ASA VPN head? default-domain in the group policy adds our domain correctly to the search order, but we have multiple domains we need added. If we connect, then manually add the desired suffix to the search list, we can successfully ping/navigate by UNC shortname (host1 instead of We'd really like that not to be the method, though, as you can imagine.

Thanks for any assistance!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
bwilmoth Tue, 03/11/2008 - 11:34

you can enable is split tunnel configuration and split DNS names under

Configuration | User Management | Groups | Modify

Split Tunneling Policy

*Only tunnel networks in the list

*Split Tunneling Network List

Split DNS Names

Enter the set of domains, separated by commas without spaces, to be resolved through the Split Tunnel. The Default Domain Name must be explicitly included in Split DNS Names list if it is to be resolved through the tunnel.

Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names, while ISP-assigned DNS servers resolve all other DNS requests. It is used in split-tunneling connections; the internal DNS server resolves the domain names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests that travel in the clear to the Internet.

The VPN Concentrator does not support split-DNS for Microsoft VPN Clients; however, it does support split DNS for the Cisco VPN Client operating on Microsoft Windows operating systems.

torex-hiscom Tue, 12/21/2010 - 05:48

Actually the DNS list in Split Tunneling is not used as a suffix search list. It is only for the decision to search through the tunnel or outside the tunnel, but you still need to use the FQDN in the search. It doesn't resolve when you search only by a hostname which belongs to another domain than the default domain name. I still haven't found a solution for this, unfortunately.


Albert Bruggeman

Sr.Technical Consultant



This Discussion