
New Member

AnyConnect VPN unable to resolve using public DNS servers

Hi,

We have an ASA running 9.1 and using AnyConnect VPN. We have internal DNS servers configured in the VPN profile and that works fine for nslookup resolution.

If I try using 8.8.8.8 or any other public DNS servers or the DNS server of another datacenter, it is not able to resolve using nslookup. I am able to ping the DNS servers fine.

We have split tunnel disabled.

Thanks

7 REPLIES
Hall of Fame Super Silver

Are you allowing hairpinning of the traffic from your VPN clients and configuring NAT accordingly?

New Member

Yes, I have hairpinning and NAT to allow VPN clients to access the internet, and that is working fine.

Hall of Fame Super Silver

OK, the next two things I would check would be whether a DNS inspection rule is dropping the packets and what packet-tracer reports. Something like:

packet-tracer input outside udp <address of a vpn client> 1025 8.8.8.8 53

New Member

OK, this is what I am getting in packet-tracer:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         UNTRUST

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: UNTRUST
input-status: up
input-line-status: up
output-interface: UNTRUST
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
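As an added example, not part of the original thread: a small Python parser for the packet-tracer layout shown above. It pulls out the first phase that returns DROP together with the final drop reason, and flags when the flow enters and leaves on the same interface, which is the hairpin case the replies discuss. The sample transcript is constructed to match the posted output (assumption; shortened).

```python
import re

# Constructed sample (assumption) in the layout of the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: UNTRUST
output-interface: UNTRUST
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (list of per-phase dicts, final verdict dict) from packet-tracer text."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = {}
        for line in lines:
            key, sep, value = line.partition(":")
            if sep:  # colon-less lines such as "Implicit Rule" are free text
                fields[key.strip().lower()] = value.strip()
        if lines[0].startswith("Phase:"):
            phases.append(fields)
        elif lines[0].startswith("Result:"):
            verdict = fields
    return phases, verdict

def first_drop(text):
    """(phase number, phase type, drop reason) of the first DROP phase, or None."""
    phases, verdict = parse_packet_tracer(text)
    for phase in phases:
        if phase.get("result") == "DROP":
            return int(phase["phase"]), phase.get("type"), verdict.get("drop-reason")
    return None

def is_hairpin(text):
    """True when the flow enters and leaves on the same interface (a VPN hairpin)."""
    verdict = parse_packet_tracer(text)[1]
    inp = verdict.get("input-interface")
    return inp is not None and inp == verdict.get("output-interface")
```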


New Member

Also, DNS inspection is not enabled.

Hall of Fame Super Silver

It looks like you're hitting the implicit deny on your outside interface ACL. Odd how non-DNS traffic seems to be working though.

You might try "sysopt connection permit-vpn" and/or "same-security-traffic permit intra-interface" if those aren't already in place.

New Member

Both those commands are already in place and I am able to ping those DNS servers. Only DNS resolution doesn't happen using those public DNS servers.

Shall I enable DNS inspect?
