Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
551
Views
0
Helpful
2
Replies

EazyVPN on ASA5505 and split-dns

ingamewes
Level 1
Level 1

‎07-13-2009 05:06 AM - edited ‎02-21-2020 03:33 AM

We have an ASA 5505 (Software Version 8.2(1)) configured as an Easy VPN Client, the other side (3000 Conncentrator) pushes a dns-server and some split domains onto the ASA.

Sadly split-dns is not working correctly, i.e it looks like our ASA sends all dns traffic down the tunnel.

Any ideas how to get rid of this behaviour?

0 Helpful
2 Replies 2

srue
Level 7
Level 7

‎07-13-2009 05:30 AM

..not without seeing your configs.

0 Helpful

ingamewes
Level 1
Level 1
In response to srue

‎07-13-2009 05:34 AM

sadly i just can provide our site of the config:

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.45.250 255.255.255.252

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

access-list ACL-OUTSIDE extended permit icmp any any

access-list ACL-OUTSIDE extended permit udp any any eq domain

access-list dnstraffic extended permit udp any any eq domain

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACL-OUTSIDE in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

vpnclient server ip.add.re.ss

vpnclient mode client-mode

vpnclient vpngroup secret password ********

vpnclient username supersecret password ********

vpnclient enable

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card