VPN Tunnel with U-turn

Answered Question
Aug 25th, 2010

Hello,


I'm trying to understand how DNS works with U-turn. I'm looking into configuring a VPN tunnel between an ASA 5510 (main office) and a PIX 506 (remote office).

Currently all workstations in the remote office are connected through a VPN tunnel between the PIX 506 and a VPN 3000 concentrator, so they use the internal DNS server in the main office. I need to use U-turn on the ASA to enable remote users to surf the net. With a U-turn config, will the remote workstations still use the DNS server in the main office to resolve IP addresses?



thanks


lf


forman102 Wed, 08/25/2010 - 08:28

Ok, thanks. Is there a way to use other DNS servers (i.e. OpenDNS) for U-turn traffic (web browsing) and use my internal DNS server for production traffic?

Jitendriya Athavale (Cisco Employee) Wed, 08/25/2010 - 17:10

Well, that is not possible, because your host does not know how the packet is going to the internet; for the host, with U-turning VPN all this is transparent.

forman102 Thu, 08/26/2010 - 10:22

Ok, I understand. How about split tunneling? If I configured it so that only interesting traffic passes through the VPN tunnel and web traffic "splits" at the PIX, how would DNS work in such a configuration? Is there a way to use my internal DNS servers (behind the ASA) for encrypted traffic and another DNS server for web traffic? I just want to make sure that all of the applications will work internally through the VPN and use external DNS for web traffic.


thanks again

Correct Answer
Atri Basu (Cisco Employee) Thu, 08/26/2010 - 11:01

Hey Forman,


Split DNS and split tunneling are both used with remote-access clients. In your case you are trying to configure a site-to-site VPN tunnel, so to "split" the traffic you will use the crypto ACL to define interesting traffic for the VPN. This ACL, however, uses IP addresses to determine whether the traffic should be encrypted or not, hence your DNS lookup would have to happen before the traffic gets encrypted. So either you can define the DNS server for the remote network to be the DNS server across the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic, or you must ensure that the local DNS server is capable of resolving the names.


In the previous case, where you are using U-turning, everything automatically gets tunneled, so you don't need to worry about your DNS requests being tunneled.


I hope this explains the behaviour.


Regards,

Atri.
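A worked configuration for the two options Atri describes above, added here as an illustration and not taken from any post in this thread: the hub ASA 5510 in pre-8.3 (8.2-style) NAT syntax and the remote PIX 506 in 6.3-style syntax. All addresses (10.10.0.0/24 main LAN, 10.10.0.53 internal DNS, 192.168.20.0/24 remote LAN, 198.51.100.1 and 203.0.113.2 as the two peers' outside addresses), the ACL and crypto-map names, and the pre-shared-key placeholder are assumptions; adapt them to the real topology and software versions.

```text
! ===== Main-office ASA 5510 (hub), ASA 8.2-style NAT syntax =====
! Assumed addresses: main LAN 10.10.0.0/24, internal DNS 10.10.0.53,
! remote LAN 192.168.20.0/24, hub peer 198.51.100.1, PIX peer 203.0.113.2
!
! --- Option A: U-turn. The spoke tunnels everything, so DNS queries to
! 10.10.0.53 and web traffic both arrive here; the web traffic leaves the
! same outside interface it came in on, which this command allows.
same-security-traffic permit intra-interface
! Interesting traffic, mirror of the PIX crypto ACL further down
access-list L2L-REMOTE extended permit ip any 192.168.20.0 255.255.255.0
! No NAT between the two LANs in either direction
access-list NONAT-IN extended permit ip 10.10.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT-OUT extended permit ip 192.168.20.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list NONAT-IN
nat (outside) 0 access-list NONAT-OUT
! PAT both LANs to the outside address for internet-bound traffic;
! the nat (outside) line is what translates the decrypted remote traffic
! when it hairpins back out
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.20.0 255.255.255.0
! --- Option B (split at the PIX): use this crypto ACL instead of the one
! above, and drop "nat (outside) 1", since no remote internet traffic
! arrives here any more.
! access-list L2L-REMOTE extended permit ip 10.10.0.0 255.255.255.0 192.168.20.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key CHANGEME-use-a-long-random-secret

! ===== Remote-office PIX 506 (6.3-style syntax) =====
! Workstations keep 10.10.0.53 as their DNS server in both options.
!
! --- Option A: everything from the remote LAN is interesting traffic
access-list L2L-HUB permit ip 192.168.20.0 255.255.255.0 any
nat (inside) 0 access-list L2L-HUB
!
! --- Option B: only main-office traffic is interesting. 10.10.0.53 falls
! inside the permitted range, so DNS lookups still cross the tunnel, while
! the web session that follows is PATed out by the PIX itself. Pointing the
! workstations at an external resolver instead would send their queries in
! the clear and leave internal names unresolvable.
! access-list L2L-HUB permit ip 192.168.20.0 255.255.255.0 10.10.0.0 255.255.255.0
! nat (inside) 0 access-list L2L-HUB
! global (outside) 1 interface
! nat (inside) 1 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L-HUB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
isakmp key CHANGEME-use-a-long-random-secret address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
sysopt connection permit-ipsec
```

To check which option is actually in effect, bring the tunnel up and look at `show crypto ipsec sa` on either peer: the negotiated local/remote identities should match the crypto ACL, and in Option B a DNS query from a remote workstation to 10.10.0.53 should increment the encaps counter while a web session to an internet address should not. The per-destination resolver split asked about earlier in the thread is not available with a site-to-site tunnel because the workstation has a single resolver list and no knowledge of which packets will be encrypted; stock resolvers also treat a negative answer from the first server as final rather than as a reason to try the next one, so listing OpenDNS as a second server does not give a working fallback for internal names. The 3DES, SHA-1 and DH group 2 settings shown match what a PIX 506 of that era can negotiate; use AES and a larger DH group wherever both peers support them.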
