VPN 3000 client registering their home ip address to corporate DNS Server Issue

Jeffrey Baello
Level 1

Hey guys, I recently inherited a network at my new position, and I am having an issue with VPN users registering their home IP address to the DNS server.

History: VPN clients connecting to VPN 3000 concentrators get an IP address from a Windows 2003 DHCP server; they are assigned a 192.168.30.x IP address.

Problem: VPN clients are registering their private IP address of 192.168.1.x (the typical private IP/DHCP range they obtain from their "home" network/router) along with their hostname into the corporate DNS server; as a result, some of the devices are throwing errors because of multiple A records pointing to the same IP address.

Example:

Hostname/IP Address

Server1 - 192.168.1.101
User1 - 192.168.1.101
User2 - 192.168.1.101

I've attempted to modify the configuration on our DHCP server; I tested it and I thought it worked for a little bit, but after checking this morning I saw some duplicate DNS A records again. I tried searching for options on the VPN 3000 concentrator, and the powerful Google, but did not get any results.

I would appreciate help or advice from the experts.
6 Replies
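As an added example (not from the thread, and not Cisco or Microsoft code): a PowerShell audit of a Windows DNS zone that performs the check the original post describes by hand. It groups A records by IP address, reports every address that carries more than one hostname, and marks which of those records are dynamic (timestamped) registrations rather than static entries, so the stray client registrations can be deleted without touching the server's own record. It assumes the DnsServer module (Windows Server 2012 or later; the thread's 2003 server would need dnscmd instead), a placeholder zone name 'corp.example', and a DNS server reachable as 'localhost'.

```powershell
# Added example, not part of the original thread. Requires the DnsServer module
# (Windows Server 2012+); run on the DNS server or with RSAT against it.
# 'corp.example' and 'localhost' below are placeholders.

function Find-DuplicateARecords {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = 'localhost'        # DNS server to query (assumed)
    )
    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |      # skip the zone apex's own A records
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.HostName
                IPAddress = $_.RecordData.IPv4Address.IPAddressToString
                # Static records carry no timestamp; dynamic registrations do.
                Dynamic   = [bool]$_.Timestamp
            }
        } |
        Group-Object -Property IPAddress |
        Where-Object { $_.Count -gt 1 } |           # the "Server1/User1/User2 -> one IP" case
        ForEach-Object {
            [pscustomobject]@{
                IPAddress    = $_.Name
                Hosts        = (($_.Group.HostName | Sort-Object) -join ', ')
                # Dynamic hosts on a shared address are the likely stray VPN registrations.
                DynamicHosts = (@($_.Group | Where-Object Dynamic | ForEach-Object HostName) -join ', ')
            }
        }
}

function Remove-DynamicARecord {
    # Delete one A record by name and address (e.g. User1 -> 192.168.1.101 from the
    # thread) without touching the static record that legitimately holds that address.
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $ComputerName = 'localhost'
    )
    Remove-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName `
        -Name $HostName -RRType A -RecordData $IPAddress -Force
}

# Usage: list conflicting addresses first, then remove only the dynamic entries.
Find-DuplicateARecords -ZoneName 'corp.example' | Format-Table -AutoSize
```

Deleting the records is only cleanup; until the clients stop registering their home adapter, the entries come back at the next refresh, which is what the later replies in this thread address.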

uwkleinh
Cisco Employee

As you already did, make sure that the assigned VPN IP address does not fall within the same subnet as the address assigned to the physical adapter by the ISP.

Then try to flush your DNS cache on the host: if it is Windows it would be 'ipconfig /flushdns'. A reboot of the PC may also be advised, to confirm the issue persists.

If that does not work, post the 'ipconfig /all' output after the user connected with his VPN.


Regards,
Uwe

Hello there, thank you very much for your reply, I really appreciate this.

The VPN clients are getting their IP address from the 192.168.30.x subnet, which is provided by our Windows server.

The problem is that the VPN clients have a private IP address of 192.168.1.x, which they get from their home router, that registers to our DNS server, which causes duplicate A records pointing to the same IP address.

One solution I've thought of is throwing all VPN users' computer accounts into an OU and applying a GPO that restricts them from updating the DNS server, but the problem with this is that it ultimately prohibits them from registering their hostname into the DNS, and will result in manually updating their records.

I have attached a screenshot of ipconfig /all for one of the VPN clients.

Is there any way I can apply a "rule" to VPN clients to stop them from ever updating the DNS server? I can do this with GPO, but I am not sure if I can do it with the Cisco VPN 3000.

Thank You!!!

I think what they are suggesting as a workaround would be to redefine the address range you assign to VPN clients. Some obscure class C subnet of 10.x.x.x might work; something that nobody is likely to pick for their home configuration.

Then make sure the DHCP server rejects dyndns requests for the common home network ranges, which it may do automatically.

Not elegant, I'd agree. I'd suggest a filter list, which might be possible if the clients send unicast packets after the initial allocation and none of them are needed for anything you do there.

Thank you for the reply. I went ahead and disabled dynamic update on DNS after deleting the duplicate entries, but again VPN clients started registering their hostname A record into the corporate/internal DNS server; it is more likely that the DDNS feature only works for newly assigned IP addresses in the DHCP.

In the case of the VPN clients their home router assigns their IP address, and the network treats it locally. I've attached a screenshot.

You mentioned something about filtering UDP packets; do you have a link or instructions on how to accomplish this?

I have also thought about creating a query base WMI GPO.

Thank you!

You can either specify a default filter ruleset, or specify multiple rulesets and have AAA pick one by name, or (not sure on vpn3000) specify the filter rules on the RADIUS side using a custom text string attribute.

docs here

It is a straightforward per-client inbound access list at the tunnel end. Remember to permit initial DHCP broadcast traffic for split-tunnel route downloads via DHCP-intercept if you are using them, then deny follow-up unicasts to kill the DDNS, assuming that the clients use unicast (never had to do dyndns so I don't know).

Minus some details:

access-list default-filter remark Allow DHCP-intercept route downloads (DHCP is UDP, so the port match needs udp, not ip)
access-list default-filter permit udp object-group default-vpn-pool eq bootpc host 255.255.255.255 eq bootps
access-list default-filter remark Block dynamic DNS update traffic from the pool to the DNS servers
access-list default-filter deny ip object-group default-vpn-pool object-group dyndns
access-list default-filter remark Everything else the pool is allowed to reach
access-list default-filter permit ip object-group default-vpn-pool object-group default-vpn-allowed-destinations
access-list default-filter deny ip any any

Then:

group-policy DfltGrpPolicy attributes
  vpn-filter value default-filter

Thank you very much Julian, this is more likely the solution that I've been looking for, although the problem I have is that I am not aware how to create rules on the VPN 3000. This concentrator is connected to a Cisco firewall, so I also might consider putting these rules in there, or wait until we cut over to our ASA.

In the meanwhile I created a filter based GPO targeting those computer accounts registering to the DNS server.
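The client-side counterpart to the GPO mentioned in this thread, as an added example that is not part of the original posts: rather than disabling DNS registration for the whole computer (which, as noted above, would stop the host from registering any hostname at all), it turns registration off per adapter, so the physical home adapter stops registering its 192.168.1.x address while the VPN adapter keeps registering its pool address. It assumes the DnsClient and NetAdapter cmdlets (Windows 8 / Server 2012 or later), that the VPN virtual adapter can be matched by a '*VPN*' description pattern (a placeholder), and that it is run elevated; the second function is the registry equivalent for older clients without those cmdlets.

```powershell
# Added example, not part of the original thread. Run elevated on the VPN client.
# Requires the DnsClient/NetAdapter modules (Windows 8 / Server 2012 or later);
# the '*VPN*' description pattern is an assumed match for the VPN virtual adapter.

function Set-VpnOnlyDnsRegistration {
    param([string] $VpnAdapterPattern = '*VPN*')
    foreach ($nic in Get-NetAdapter) {
        $isVpn = $nic.InterfaceDescription -like $VpnAdapterPattern
        # Physical/home adapters stop registering; the VPN adapter keeps registering,
        # so the host still gets an A record, but only for its pool address.
        Set-DnsClient -InterfaceIndex $nic.ifIndex -RegisterThisConnectionsAddress $isVpn
        [pscustomobject]@{
            Adapter        = $nic.Name
            Description    = $nic.InterfaceDescription
            RegistersInDns = $isVpn
        }
    }
    Register-DnsClient   # re-register now instead of waiting for the next refresh
}

function Disable-LegacyInterfaceRegistration {
    # Equivalent for clients without the DnsClient cmdlets: the per-interface
    # RegistrationEnabled DWORD that the "Register this connection's addresses in DNS"
    # checkbox sets. $InterfaceGuid is the adapter's GUID, braces included.
    param([Parameter(Mandatory)] [string] $InterfaceGuid)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$InterfaceGuid"
    Set-ItemProperty -Path $key -Name RegistrationEnabled -Value 0 -Type DWord
}

# Usage: apply the per-adapter setting and show which adapters still register.
Set-VpnOnlyDnsRegistration | Format-Table -AutoSize
```

Check the result with 'ipconfig /all' after the VPN is up: the home adapter should no longer show its address as registered, and only the 192.168.30.x address should appear in the corporate zone. The same per-interface setting is what a GPO would push, so the computer-account OU approach from earlier in the thread can target it without blocking registration entirely.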
