cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
542
Views
0
Helpful
2
Replies

EazyVPN on ASA5505 and split-dns

ingamewes
Level 1
Level 1

We have an ASA 5505 (Software Version 8.2(1)) configured as an Easy VPN Client, the other side (3000 Conncentrator) pushes a dns-server and some split domains onto the ASA.

Sadly split-dns is not working correctly, i.e it looks like our ASA sends all dns traffic down the tunnel.

Any ideas how to get rid of this behaviour?

2 Replies 2

srue
Level 7
Level 7

..not without seeing your configs.

sadly i just can provide our site of the config:

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.45.250 255.255.255.252

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

access-list ACL-OUTSIDE extended permit icmp any any

access-list ACL-OUTSIDE extended permit udp any any eq domain

access-list dnstraffic extended permit udp any any eq domain

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACL-OUTSIDE in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

vpnclient server ip.add.re.ss

vpnclient mode client-mode

vpnclient vpngroup secret password ********

vpnclient username supersecret password ********

vpnclient enable

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: