Remote IPSEC VPN to iPhone to ASA5500 DNS issue

danhosking
Level 1

Hi,

Our organisation is having an issue with remote access IPsec VPNs from iPhones to an ASA firewall. Currently we are able to initiate a VPN and get IP connectivity through the VPN. However, we are unable to resolve DNS using the internal DNS servers. We need this so we can resolve intranet.companyname.local.

I have seen posts in forums mentioning the following but I have been unable to confirm:

- Apple reserve .local so anything on this domain won't resolve

- Internal DNS won't work on the iPhone cisco VPN client

- There is a bug in version 4 with the Cisco VPN

While troubleshooting I turned on split tunneling and split DNS; with this enabled I can browse to the internet but not to internal sites.

The DNS servers are pingable from the iPhone; it just seems it does not use the internal DNS servers even though they are in the group policy.

group-policy iPhone attributes
dns-server value 10.x.x.x 10x.x.x

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelall
default-domain value companyname.local
split-dns value companyname.local

Hardware

- iPhone 3, version 4.X

- ASA 5520 running 8.2(1)

We would like to tunnel everything (no split tunneling) and resolve DNS from our internal servers once the VPN is enabled from the iPhone. This way we can browse to our internal servers. Any suggestions/answers or similar issues?

4 Replies

Paul Carco
Level 1

Are other clients able to connect to the same connection-profile (aka tunnel-group) and group-policy?

If not, do you have the following defined:

dns domain-lookup Inside

I have this working with all the same versions you listed. If you post the entire config, I may be able to spot something.

I have a similar setup working fine with iPhone 3, 4 & iPad. The only difference that I see between your group policy attributes and mine is:

I do not have the "split-dns ..." command, and I have the address pool mentioned for the group. Also I am not tunnelling all of the traffic, but just tunnelling my internal network traffic.

As suggested by Paul, please post the configuration to see if we are missing something.

Thanks

Manish

balajirajahpb
Level 1

Dear Dan,

Please make sure that IKE NAT-T is enabled to connect from iPhone/iPad with the built-in Cisco VPN client.

Remote Access VPN--> IKE Policies--> NAT-T

Regards

Balajirajah P B

I have confirmation this is the answer:

- Apple reserve .local so anything on this domain won't resolve
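The thread's conclusion is that names under .local are treated as multicast DNS (RFC 6762) names by Apple's resolver and never sent to the unicast DNS servers the ASA pushes, so the group-policy above can look correct and still fail. The following linter is an added example (not part of the thread or of any Cisco tool): it parses the DNS-related lines of an ASA group-policy block and reports the conditions that would stop internal names resolving over the tunnel, including a split-dns entry that is meaningless with tunnelall. The IP addresses and hostnames in the sample are constructed, standing in for the redacted values in the original post.

```python
import re

# Names under ".local" are link-local mDNS names (RFC 6762); Apple's resolver
# sends them to multicast DNS rather than to the VPN-pushed unicast servers.
MDNS_RESERVED_SUFFIX = ".local"

# Constructed sample mirroring the poster's group-policy, with placeholder IPs.
SAMPLE_GROUP_POLICY = """\
group-policy iPhone attributes
 dns-server value 10.0.0.53 10.0.0.54
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value companyname.local
 split-dns value companyname.local
"""

def parse_group_policy(config_text):
    """Pull the DNS-relevant attributes out of an ASA group-policy block."""
    attrs = {"dns_servers": [], "default_domain": None,
             "split_dns": [], "split_tunnel_policy": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"dns-server value (.+)$", line):
            attrs["dns_servers"] = m.group(1).split()
        elif m := re.match(r"default-domain value (\S+)$", line):
            attrs["default_domain"] = m.group(1)
        elif m := re.match(r"split-dns value (.+)$", line):
            attrs["split_dns"] = m.group(1).split()
        elif m := re.match(r"split-tunnel-policy (\S+)$", line):
            attrs["split_tunnel_policy"] = m.group(1)
    return attrs

def is_mdns_reserved(name):
    """True if the name falls in the mDNS-reserved .local zone."""
    n = name.lower().rstrip(".")
    return n == "local" or n.endswith(MDNS_RESERVED_SUFFIX)

def lint_group_policy(config_text, hostnames):
    """Return findings that would prevent the given names resolving over the VPN."""
    attrs = parse_group_policy(config_text)
    findings = []
    if not attrs["dns_servers"]:
        findings.append("no dns-server value is pushed to the client")
    if attrs["default_domain"] and is_mdns_reserved(attrs["default_domain"]):
        findings.append(f"default-domain {attrs['default_domain']} is under .local (mDNS)")
    for d in attrs["split_dns"]:
        if is_mdns_reserved(d):
            findings.append(f"split-dns domain {d} is under .local (mDNS)")
    if attrs["split_tunnel_policy"] == "tunnelall" and attrs["split_dns"]:
        findings.append("split-dns is set but split-tunnel-policy is tunnelall; split DNS only applies with split tunneling")
    for h in hostnames:
        if is_mdns_reserved(h):
            findings.append(f"{h} will be queried via mDNS, not the VPN DNS servers")
    return findings
```

Running `lint_group_policy(SAMPLE_GROUP_POLICY, ["intranet.companyname.local"])` reports the .local default-domain, the .local split-dns entry, the split-dns/tunnelall mismatch and the unresolvable hostname; moving the internal zone to a non-reserved suffix clears all four.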
