09-23-2008 09:10 AM - edited 02-21-2020 03:57 PM
It seems like I can only assign 2 DNS servers to VPN clients using the "dns-server" command in config-group-policy? How do I go about assigning more than 2?
What exactly does dns server-group do? Can I use that command to assign DNS servers to VPN clients, since I can add more than 2 DNS servers there?
ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password c.LHJMlCqC0Qvrsf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address extip 255.255.255.240
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.17.193.100 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot config disk0:/exit
ftp mode passive
clock timezone mst -7
clock summer-time mdt recurring
dns domain-lookup inside
dns server-group TA-UAT
name-server 44.44.44.102
domain-name ta.corp.adds
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inbound_on_outside extended permit icmp any any
access-list inbound_on_outside extended permit tcp any host extip eq 5555
access-list inbound_on_outside extended permit tcp any host extip eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 44.44.44.0 255.255.255.0
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,outside) tcp extip 5555 172.17.193.96 5555 netmask 255.255.255.255
static (inside,outside) tcp extip www 172.17.193.1 www netmask 255.255.255.255
access-group inbound_on_outside in interface outside
route outside 0.0.0.0 0.0.0.0 extip 1
route inside 44.44.44.0 255.255.255.0 172.17.193.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 172.17.193.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.17.193.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 172.17.193.201-172.17.193.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.128.5.210 source outside
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value vpnuserspool
username raghuveer.paidikondala password me68HWW/zVOxmtzv encrypted
username raghuveer.paidikondala attributes
vpn-group-policy vpnuserspolicy
username admin password 3kZuWgFBc69Td5Jq encrypted privilege 15
username admin attributes
vpn-group-policy vpnuserspolicy
username daniel.cai password JrMX7V7eSO17SbFi encrypted
username daniel.cai attributes
vpn-group-policy vpnuserspolicy
username travel.alberta password W0aoTz1R7xCoeeKv encrypted
username travel.alberta attributes
vpn-group-policy vpnuserspolicy
username ryan.meria password skKhq.9Am1dc7XOH encrypted
username ryan.meria attributes
vpn-group-policy vpnuserspolicy
username kevin.xu password GFmYsWa3W7Ucye13 encrypted
username kevin.xu attributes
vpn-group-policy vpnuserspolicy
tunnel-group vpnusersgroup type remote-access
tunnel-group vpnusersgroup general-attributes
default-group-policy vpnuserspolicy
tunnel-group vpnusersgroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d07d08be4373468636ff2b32dba277a6
: end
ciscoasa#
09-23-2008 11:09 AM
group-policy
dns-server value 1.2.3.4 5.6.7.8
Is that what you're asking?
09-23-2008 11:34 AM
Well, there were 2 questions :]
The command that you stated seems to be limited to 2 DNS servers.
How can I go about specifying more than two? That is why I'm wondering whether the "dns server-group" command will let me do this.
09-23-2008 12:37 PM
Sorry, read your post too quickly. I don't think the server-group command will help in this case.
09-23-2008 01:32 PM
What exactly does the server-group command do?
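Added illustration, not part of the thread: an ASA 8.0-style fragment, built on the poster's own object names, that separates the two commands the thread keeps circling. The DNS addresses 10.0.0.53 and 10.0.1.53 are placeholders. Note that in the posted config the group-policy vpnuserspolicy carries no dns-server line at all, so the clients currently receive no DNS servers from the tunnel.

```cisco
! --- 1. What the remote-access client receives: group-policy attributes ---
! "dns-server value" takes a primary and a secondary address, i.e. two.
! Nothing configured under "dns server-group" is ever pushed to a client.
group-policy vpnuserspolicy attributes
 dns-server value 10.0.0.53 10.0.1.53
 default-domain value ta.corp.adds
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 ! with split tunnelling, only queries for this suffix go through the tunnel
 split-dns value ta.corp.adds
 address-pools value vpnuserspool

! --- 2. What the ASA itself uses to resolve names (ping by name, FQDN lookups,
!        clientless WebVPN lookups via "dns-group" under webvpn-attributes) ---
! DefaultDNS is the group the box uses for its own lookups; a group holds several
! name-servers, but they serve the firewall, not the VPN users.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 44.44.44.102
 domain-name ta.corp.adds

! --- Verify ---
! show running-config group-policy vpnuserspolicy   (on the ASA)
! ipconfig /all                                     (on a connected Windows client:
!                                                    the VPN adapter lists exactly the
!                                                    two addresses from dns-server value)
```

The practical split is: group-policy answers "what does the client get", server-group answers "who does the firewall ask". Adding more name-servers to a server-group changes only the second, which is why it does not help with the client-side limit.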