VPN Tunnel with U-turn

forman102
Level 1

Hello,

I'm trying to understand how DNS works with U-turn. I'm looking into configuring a VPN tunnel between an ASA 5510 (main office) and a PIX 506 (remote office).

Currently all workstations in the remote office are connected through a VPN tunnel between the PIX 506 and a VPN 3000 concentrator, so they use the internal DNS server in the main office. I need to use U-turn on the ASA to enable remote users to surf the net. With the U-turn config, will the remote workstations still use the DNS server in the main office to resolve IP addresses?

thanks

lf

6 Replies

Jitendriya Athavale
Cisco Employee

Yes, they would still use the same DNS server.

OK, thanks. Is there a way to use other DNS servers (i.e. OpenDNS) for U-turn traffic (web browsing) and use my internal DNS server for production traffic?

Well, that is not possible, because your host does not know how the packet is going to the internet; for the host, U-turning VPN traffic is all transparent.

OK, I understand. How about the split tunnel? If I configured it so that only interesting traffic passes through the VPN tunnel and web traffic "splits" at the PIX, how does DNS work in such a configuration? Is there a way to use my internal DNS servers (behind the ASA) for encrypted traffic and another DNS server for web traffic? I just want to make sure that all of the applications will work internally through the VPN and use external DNS for web traffic.

thanks again

Hey Forman,

SplitDNS and Splittunneling are both used with remote access clients. In your case you are trying to configure a site-to-site VPN tunnel, so to "split" the traffic you will use the crypto acl to define interesting traffic for the VPN. This ACL however uses IP addresses to determine whether the traffic should be encrypted or not, hence your DNS lookup would have to happen before the traffic gets encrypted. So either you can define the DNS server for the remote network to be the DNS across the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic or you must ensure that the local DNS server is capable of resolving the names.

In the previous case where you are using U-Turning, everything automatically gets tunneled so you don't need to worry about your DNS requests being tunneled.

I hope this explains the behaviour.


Regards,

Atri.
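A quick way to check the condition Atri describes (the DNS server's address must fall inside the crypto ACL's interesting traffic, otherwise the remote site's DNS queries leave in the clear). This is an added example, not code from the thread or from Cisco; the ACL entries and addresses are constructed, and is_tunneled only models the crypto ACL match, not the ASA's full order of operations.

```python
# Added example: verify that a remote site's DNS servers are covered by the
# crypto ACL, so name resolution is encrypted rather than sent in the clear.
from ipaddress import ip_address, ip_network

# Constructed crypto ACL entries as (source network, destination network).
# Split tunnel: only remote LAN -> main office LAN traffic is encrypted.
SPLIT_ACL = [
    ("192.168.20.0/24", "10.10.0.0/16"),
]
# U-turn style: everything from the remote LAN is sent through the tunnel.
UTURN_ACL = [
    ("192.168.20.0/24", "0.0.0.0/0"),
]


def is_tunneled(acl, src, dst):
    """True if a packet src -> dst matches an ACL entry (would be encrypted)."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def dns_leak_check(acl, client_net, dns_servers):
    """Return the DNS servers that clients in client_net would reach unencrypted.

    Because the lookup happens before the crypto ACL is consulted, a resolver
    outside the interesting traffic is queried in the clear from the remote site.
    """
    net = ip_network(client_net)
    probe = str(net.network_address + 1)  # a representative client address
    return [srv for srv in dns_servers if not is_tunneled(acl, probe, srv)]


if __name__ == "__main__":
    # Constructed resolvers: the main-office DNS and a public one (TEST-NET-2).
    resolvers = ["10.10.1.53", "198.51.100.53"]
    print("split tunnel leaks:", dns_leak_check(SPLIT_ACL, "192.168.20.0/24", resolvers))
    print("u-turn leaks:     ", dns_leak_check(UTURN_ACL, "192.168.20.0/24", resolvers))
```

With the split ACL the public resolver is reported as unencrypted, while the U-turn ACL covers every destination, which is the behaviour Atri and Jitendriya describe.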

Thanks Atri for explaining this.

forman
