559 Views | 0 Helpful | 6 Replies

Assigning >2 DNS servers to VPN clients

support.edm
Level 1

It seems like I can only assign 2 DNS servers to VPN clients using the "dns-server" command in config-group-policy. How do I go about assigning more than 2?

What exactly does dns server-group do? Can I use that command to assign DNS servers to VPN clients, since I can add more than 2 DNS servers there?

6 Replies

support.edm
Level 1

ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password c.LHJMlCqC0Qvrsf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address extip 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.17.193.100 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot config disk0:/exit
ftp mode passive
clock timezone mst -7
clock summer-time mdt recurring
dns domain-lookup inside
dns server-group TA-UAT
 name-server 44.44.44.102
 domain-name ta.corp.adds
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inbound_on_outside extended permit icmp any any
access-list inbound_on_outside extended permit tcp any host extip eq 5555
access-list inbound_on_outside extended permit tcp any host extip eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 44.44.44.0 255.255.255.0
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,outside) tcp extip 5555 172.17.193.96 5555 netmask 255.255.255.255
static (inside,outside) tcp extip www 172.17.193.1 www netmask 255.255.255.255
access-group inbound_on_outside in interface outside
route outside 0.0.0.0 0.0.0.0 extip 1
route inside 44.44.44.0 255.255.255.0 172.17.193.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 172.17.193.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.17.193.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 172.17.193.201-172.17.193.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.128.5.210 source outside
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 address-pools value vpnuserspool
username raghuveer.paidikondala password me68HWW/zVOxmtzv encrypted
username raghuveer.paidikondala attributes
 vpn-group-policy vpnuserspolicy
username admin password 3kZuWgFBc69Td5Jq encrypted privilege 15
username admin attributes
 vpn-group-policy vpnuserspolicy
username daniel.cai password JrMX7V7eSO17SbFi encrypted
username daniel.cai attributes
 vpn-group-policy vpnuserspolicy
username travel.alberta password W0aoTz1R7xCoeeKv encrypted
username travel.alberta attributes
 vpn-group-policy vpnuserspolicy
username ryan.meria password skKhq.9Am1dc7XOH encrypted
username ryan.meria attributes
 vpn-group-policy vpnuserspolicy
username kevin.xu password GFmYsWa3W7Ucye13 encrypted
username kevin.xu attributes
 vpn-group-policy vpnuserspolicy
tunnel-group vpnusersgroup type remote-access
tunnel-group vpnusersgroup general-attributes
 default-group-policy vpnuserspolicy
tunnel-group vpnusersgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d07d08be4373468636ff2b32dba277a6
: end
ciscoasa#

group-policy attributes
 dns-server value 1.2.3.4 5.6.7.8

Is that what you're asking?

Well, there were 2 questions :]

The command that you stated seems to be limited to 2 DNS servers.

How can I go about specifying more than two? That is why I'm wondering if the "dns server-group" command will let me do this.

Sorry, read your post too quickly. I don't think the server-group command will help in this case.

What exactly does the server-group command do?
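An added example, not from the thread or from Cisco: a small Python audit script that separates the two places where DNS addresses appear in an ASA running-config. The `dns server-group` block (with its `name-server` entries) holds the resolvers the ASA itself uses for lookups enabled by `dns domain-lookup`; the `dns-server value` attribute under a `group-policy` is what is pushed to VPN clients assigned that policy. The script also flags any policy carrying more than the two addresses the thread reports as the limit, and policies with none at all (those inherit the attribute from the default group policy). The configuration text and the addresses in it are constructed for the example and are not the poster's configuration; the two-address limit is taken from the thread as an assumption.

```python
"""Audit DNS settings in a Cisco ASA 'show running-config' dump.

Two distinct things in the config carry DNS server addresses:
  * 'dns server-group <name>' / ' name-server <ip>'
      -> resolvers the ASA itself uses (e.g. for 'dns domain-lookup');
  * 'group-policy <name> attributes' / ' dns-server value <ip> [<ip>]'
      -> resolvers pushed to VPN clients that land in that group policy.
Keeping them apart shows an auditor what clients actually receive.
"""
import re

# Constructed sample config with hypothetical addresses (not the poster's).
SAMPLE_CONFIG = """\
dns domain-lookup inside
dns server-group TA-UAT
 name-server 44.44.44.102
 name-server 44.44.44.103
 domain-name ta.corp.adds
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
 dns-server value 44.44.44.102 44.44.44.103
 split-tunnel-policy tunnelspecified
group-policy contractors internal
group-policy contractors attributes
 dns-server value 10.0.0.53 10.0.0.54 10.0.0.55
group-policy nodns internal
group-policy nodns attributes
 split-tunnel-policy tunnelall
"""

# Assumed per-policy limit, as reported in the thread for ASA 8.0(4).
MAX_CLIENT_DNS = 2


def parse_asa_dns(config_text):
    """Return ({server_group: [ips]}, {group_policy: [ips]}) from config text.

    Top-level lines start a new block; indented lines belong to the block
    that was most recently opened (ASA indents sub-commands by one space).
    """
    server_groups = {}
    policies = {}
    context = None  # ("sg", name) or ("gp", name) while inside a block
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        text = line.strip()
        if not line.startswith(" "):
            context = None  # any top-level command closes the previous block
            m = re.match(r"dns server-group (\S+)$", text)
            if m:
                context = ("sg", m.group(1))
                server_groups.setdefault(m.group(1), [])
                continue
            m = re.match(r"group-policy (\S+) internal$", text)
            if m:
                policies.setdefault(m.group(1), [])
                continue
            m = re.match(r"group-policy (\S+) attributes$", text)
            if m:
                context = ("gp", m.group(1))
                policies.setdefault(m.group(1), [])
            continue
        if context is None:
            continue
        kind, name = context
        if kind == "sg":
            m = re.match(r"name-server (.+)$", text)
            if m:
                server_groups[name].extend(m.group(1).split())
        elif kind == "gp":
            m = re.match(r"dns-server value (.+)$", text)
            if m:
                policies[name].extend(m.group(1).split())
    return server_groups, policies


def find_dns_issues(policies, max_per_policy=MAX_CLIENT_DNS):
    """List (policy, reason) pairs for policies with too many or no DNS servers."""
    issues = []
    for name, servers in sorted(policies.items()):
        if len(servers) > max_per_policy:
            issues.append((name, f"{len(servers)} dns-server entries, limit is {max_per_policy}"))
        elif not servers:
            issues.append((name, "no dns-server value (inherits from the default group policy)"))
    return issues


if __name__ == "__main__":
    groups, pols = parse_asa_dns(SAMPLE_CONFIG)
    print("ASA's own resolvers:", groups)
    print("Pushed to VPN clients:", pols)
    for policy, reason in find_dns_issues(pols):
        print(f"{policy}: {reason}")
```

Feed it the output of `show running-config` instead of the constructed sample to check a real box; the parser only reads the two blocks it needs, so the rest of the config is ignored.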