Remote IPSEC VPN to iPhone to ASA5500 DNS issue

Aug 9th, 2010

Our organisation is having an issue with remote access IPsec VPNs from iPhones to an ASA firewall. Currently we are able to initiate a VPN and get IP connectivity through the VPN. However, we are unable to resolve DNS using the internal DNS servers. We need this so we can resolve intranet.companyname.local.

I have seen posts in forums mentioning the following but I have been unable to confirm:

- Apple reserve .local so anything on this domain won't resolve

- Internal DNS won't work on the iPhone Cisco VPN client

- There is a bug in version 4 with the Cisco VPN

While troubleshooting I turned on split tunneling and split DNS and can browse to the internet while this is enabled but not to internal sites.

The DNS servers are pingable from the iPhone; it just seems it does not use the internal DNS servers even though they are in the group policy.

group-policy iPhone attributes
 dns-server value 10.x.x.x 10x.x.x
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value companyname.local
 split-dns value companyname.local


- iPhone 3, version 4.x

- ASA 5520 running 8.2(1)

We would like to tunnel everything (no split tunneling) and resolve DNS from our internal servers once the VPN is enabled from the iPhone. This way we can browse to our internal servers. Any suggestions/answers or similar issues?

Paul Carco Fri, 08/13/2010 - 13:26

Are other clients able to connect to the same connection-profile (aka tunnel-group) and group-policy?

If not, do you have the following defined?

dns domain-lookup Inside

I have this working with all the same versions you listed. If you post the entire config, I may be able to spot something.

manish arora Fri, 08/13/2010 - 18:12

I have a similar setup working fine with iPhone 3, 4 & iPad. The only difference that I see between your group policy attributes and mine is:

I do not have the "split-dns ..." command and have the address pool mentioned for the group. Also, I am not tunnelling all of the traffic but just tunnelling my internal network traffic.

As suggested by Paul, please post the configuration to see if we are missing something.



balajirajahpb Sat, 08/14/2010 - 08:47

Dear Dan,

Please make sure that IKE NAT-T is enabled to connect from iPhone/iPad with the inbuilt Cisco VPN client.

Remote Access VPN--> IKE Policies--> NAT-T


Balajirajah P B

danhosking Thu, 05/05/2011 - 19:05

I have confirmation this is the answer:

- Apple reserve .local so anything on this domain won't resolve

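A small configuration lint, added here as an example and not part of the thread or of any Cisco tooling, that parses a group-policy block like the one in the question and flags the two things this thread turns on: a pushed domain under .local, which Apple's resolver hands to multicast DNS (Bonjour) rather than to the VPN's dns-server, and a split-dns line paired with tunnelall (assumed, from ASA's documented behaviour, to have no effect without split tunnelling). The sample block and its 192.0.2.x addresses are constructed stand-ins for the masked 10.x.x.x values.

```python
from typing import Dict, List

# Constructed sample modelled on the group-policy posted in the question; the
# masked 10.x.x.x DNS addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_GROUP_POLICY = """\
group-policy iPhone attributes
 dns-server value 192.0.2.10 192.0.2.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value companyname.local
 split-dns value companyname.local
"""

# RFC 6762 reserves .local for multicast DNS; Apple's resolver sends such names
# to mDNS (Bonjour) instead of the unicast servers pushed by the VPN.
MDNS_RESERVED_SUFFIXES = (".local",)


def parse_group_policy(text: str) -> Dict[str, List[str]]:
    """Map each attribute keyword of one group-policy block to its arguments."""
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("group-policy "):
            continue  # skip blanks and the block header
        if " value " in line:
            key, _, args = line.partition(" value ")   # e.g. dns-server value A B
        else:
            key, _, args = line.partition(" ")         # e.g. split-tunnel-policy tunnelall
        attrs[key] = args.split()
    return attrs


def lint_group_policy(text: str) -> List[str]:
    """Return findings for DNS settings an iOS client will not honour as intended."""
    attrs = parse_group_policy(text)
    findings: List[str] = []
    for key in ("default-domain", "split-dns"):
        for domain in attrs.get(key, []):
            if domain.lower().endswith(MDNS_RESERVED_SUFFIXES):
                findings.append(f"{key}: '{domain}' ends in an mDNS-reserved suffix; "
                                "iOS resolves it via Bonjour, not the pushed dns-server")
    # Assumption: split-dns only steers queries when split tunnelling is in effect,
    # so combined with tunnelall it is dead configuration.
    if attrs.get("split-tunnel-policy") == ["tunnelall"] and "split-dns" in attrs:
        findings.append("split-dns is configured with split-tunnel-policy tunnelall; it has no effect")
    if "dns-server" not in attrs:
        findings.append("no dns-server pushed; the client keeps its local resolver")
    return findings


if __name__ == "__main__":
    for finding in lint_group_policy(SAMPLE_GROUP_POLICY):
        print("-", finding)
```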
