Cisco Support Community

New Member

Easy VPN on ASA5505 and split-dns

We have an ASA 5505 (Software Version 8.2(1)) configured as an Easy VPN Client; the other side (3000 Concentrator) pushes a dns-server and some split domains onto the ASA.

Sadly, split-dns is not working correctly, i.e., it looks like our ASA sends all DNS traffic down the tunnel.

Any ideas how to get rid of this behaviour?

2 REPLIES
Gold

Re: Easy VPN on ASA5505 and split-dns

...not without seeing your configs.

New Member

Re: Easy VPN on ASA5505 and split-dns

Sadly, I can only provide our side of the config:

```
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.45.250 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list ACL-OUTSIDE extended permit icmp any any
access-list ACL-OUTSIDE extended permit udp any any eq domain
access-list dnstraffic extended permit udp any any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL-OUTSIDE in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server ip.add.re.ss
vpnclient mode client-mode
vpnclient vpngroup secret password ********
vpnclient username supersecret password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
```
