08-23-2013 07:07 AM
Hi @ all.
I have a little problem.
I have an ASA5510 with a static IP outside and some subinterfaces inside. There is a DNS server inside (10.10.0.7 and 10.10.0.8).
Implemented and working are Cisco VPN Client and AnyConnect with split tunnel.
The VPN users connect and get access to two subinterfaces, like data and voice; the DNS server is on the data interface.
Split tunnel is working and they can access the Internet.
Now the problem ... DNS inside is not working via VPN, but connectivity over IP is ok.
Monitoring says:
ping to domain name ... like ping blabla.blabla-bla.local ... no reply
6 | Aug 23 2013 | 15:40:27 | 302015 | 192.168.167.10 | 2490 | 10.10.0.8 | 53 | Built inbound UDP connection 59027 for outside:192.168.167.10/2490 (192.168.167.10/2490)(LOCAL\Username) to Data:10.10.0.8/53 (10.10.0.8/53) (Username) |
6 | Aug 23 2013 | 15:40:26 | 302015 | 192.168.167.10 | 2490 | 10.10.0.7 | 53 | Built inbound UDP connection 59026 for outside:192.168.167.10/2490 (192.168.167.10/2490)(LOCAL\Username) to Data:10.10.0.7/53 (10.10.0.7/53) (Username) |
and then ...
6 | Aug 23 2013 | 15:41:34 | 302016 | 192.168.167.10 | 22580 | 10.10.0.7 | 53 | Teardown UDP connection 59018 for outside:192.168.167.10/22580(LOCAL\Username) to Data:10.10.0.7/53 duration 0:02:08 bytes 160 (Username) |
6 | Aug 23 2013 | 15:41:34 | 302016 | 192.168.167.10 | 22580 | 10.10.0.8 | 53 | Teardown UDP connection 59019 for outside:192.168.167.10/22580(LOCAL\Username) to Data:10.10.0.8/53 duration 0:02:07 bytes 120 (Username) |
What can be the problem?
Locally there is no problem.
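As an added example (not part of the thread), here is a small Python script that pairs the ASA 302015/302016 syslog messages shown above by connection ID and flags DNS flows that were only torn down by the UDP idle timeout. With DNS inspection enabled (the posted config has `inspect dns preset_dns_map`), the ASA closes a UDP/53 connection as soon as it forwards the reply, so a flow whose duration reaches the configured `timeout conn ... udp 0:02:00` is one where the firewall never saw an answer. That matches the 0:02:08 and 0:02:07 durations in the teardown messages and points at the return path rather than the query path. The log lines below are constructed sample input shaped like the post's messages (connection IDs, ports and the Voice-interface client are made up), and the 120-second timeout is the post's `udp 0:02:00` value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog lines, shaped like the ASA 302015 ("Built inbound
# UDP connection") and 302016 ("Teardown UDP connection") messages in the post.
# Connection IDs, ports and the Voice-interface client are made up.
SAMPLE_LOG = [
    r"6 | Aug 23 2013 | 15:40:26 | 302015 | 192.168.167.10 | 2490 | 10.10.0.7 | 53 | Built inbound UDP connection 59026 for outside:192.168.167.10/2490 (192.168.167.10/2490)(LOCAL\Username) to Data:10.10.0.7/53 (10.10.0.7/53) (Username) |",
    r"6 | Aug 23 2013 | 15:42:34 | 302016 | 192.168.167.10 | 2490 | 10.10.0.7 | 53 | Teardown UDP connection 59026 for outside:192.168.167.10/2490(LOCAL\Username) to Data:10.10.0.7/53 duration 0:02:08 bytes 160 (Username) |",
    r"6 | Aug 23 2013 | 15:40:30 | 302015 | 172.16.0.50 | 40001 | 10.10.0.7 | 53 | Built inbound UDP connection 59030 for Voice:172.16.0.50/40001 (172.16.0.50/40001) to Data:10.10.0.7/53 (10.10.0.7/53) |",
    r"6 | Aug 23 2013 | 15:40:30 | 302016 | 172.16.0.50 | 40001 | 10.10.0.7 | 53 | Teardown UDP connection 59030 for Voice:172.16.0.50/40001 to Data:10.10.0.7/53 duration 0:00:00 bytes 176 |",
]

# Message formats as they appear in the post's syslog lines.
BUILT_RE = re.compile(
    r"Built inbound UDP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) .*?"
    r" to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown UDP connection (?P<conn>\d+) for .*?"
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)


@dataclass
class Flow:
    conn: int
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    duration_s: int = -1     # -1 until the matching teardown is seen
    total_bytes: int = -1


def parse_flows(lines: List[str]) -> Dict[int, Flow]:
    """Pair 302015 (built) and 302016 (teardown) messages by ASA connection ID."""
    flows: Dict[int, Flow] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            f = Flow(conn=int(m["conn"]), src_if=m["src_if"], src_ip=m["src_ip"],
                     src_port=int(m["src_port"]), dst_if=m["dst_if"],
                     dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]))
            flows[f.conn] = f
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["conn"]) in flows:
            f = flows[int(m["conn"])]
            f.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            f.total_bytes = int(m["bytes"])
    return flows


def unanswered_dns_flows(lines: List[str], udp_idle_timeout_s: int = 120) -> List[Flow]:
    """DNS flows torn down only by the UDP idle timeout.

    With 'inspect dns' the ASA closes a UDP/53 connection as soon as it
    forwards the reply, so a DNS flow that lives until the configured
    'timeout conn ... udp' value (0:02:00 in the post) is one where no
    reply crossed the firewall.
    """
    return [f for f in parse_flows(lines).values()
            if f.dst_port == 53 and f.duration_s >= udp_idle_timeout_s]


if __name__ == "__main__":
    for f in unanswered_dns_flows(SAMPLE_LOG):
        print(f"conn {f.conn}: {f.src_if}:{f.src_ip}/{f.src_port} -> "
              f"{f.dst_if}:{f.dst_ip}/{f.dst_port} idled out after {f.duration_s}s "
              f"({f.total_bytes} bytes): no DNS reply seen by the ASA")
```

Run against the sample, only the VPN client's flow (source interface `outside`, 128 seconds) is reported; the Voice-interface client's query, answered within the same second, is not. On a real box, feed it the output of `show logging` filtered to 302015/302016 and compare the source interface of the flagged flows: if only VPN-pool sources idle out while inside clients get answers, the DNS server is receiving the queries and the replies are being lost on the way back.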
08-24-2013 06:00 AM
If I try AnyConnect I can access the Internet too, and in ASA monitoring I get the messages...
6 | Aug 24 2013 | 14:36:18 | 302015 | 192.168.167.10 | 26540 | 10.10.0.7 | 53 | Built inbound UDP connection 4982 for outside:192.168.167.10/26540 (192.168.167.10/26540)(LOCAL\Username) to Data:10.10.0.7/53 (10.10.0.7/53) (Username) |
6 | Aug 24 2013 | 14:36:19 | 302015 | 192.168.167.10 | 26540 | 10.10.0.8 | 53 | Built inbound UDP connection 4983 for outside:192.168.167.10/26540 (192.168.167.10/26540)(LOCAL\Username) to Data:10.10.0.8/53 (10.10.0.8/53) (Username) |
6 | Aug 24 2013 | 14:36:25 | 110002 | 192.168.167.10 | 8351 | Failed to locate egress interface for UDP from outside:192.168.167.10/8351 to 239.255.255.250/3702 |
What can be the reason?
When I go to the ASA's CLI and ping the internal domain name, then all is ok.
It must be a configuration mistake on the ASA ... but what?
I think it's not split tunnel or split DNS.
At the client I try an nslookup:
It tries to find the server name/IP address first at 10.10.0.7 (internal DNS server at the ASA office)
and gets a time-out.
It tries to find the server name/IP address second at 10.10.0.8 (internal DNS server at the ASA office)
and gets a time-out.
And finally it looks locally and tries to look up, but in fact that's not a public domain, and so it can't find it.
Ping to the hostname is no problem if connected, but DNS still does not work.
08-25-2013 01:55 AM
Hi Michel,
Did you have the chance to do a packet capture on the ASA VLAN interface to see if the ASA is forwarding the DNS queries or not?
Would it be possible for you to share the ASA configuration? Please mention the tunnel-group you are connecting to.
Also collect "sh vpn-sessiondb detail anyconnect filter ..
Thanks,
Santhosh
08-25-2013 09:35 AM
Result of the command: "sh run"
: Saved
:
ASA Version 8.4(5)
!
hostname ASA-Firmaxy
domain-name xy-xy.local
enable password xxxxxxx encrypted
passwd xxxxxxxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxxxxxx 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.1
description Data
vlan 1
nameif Data
security-level 100
ip address 10.1.1.10 255.0.0.0
!
interface Ethernet0/3.410
description Voice
vlan 410
nameif Voice
security-level 100
ip address 172.16.0.1 255.255.254.0
!
interface Ethernet0/3.420
description Data Zukunft
shutdown
vlan 420
nameif Data-Zukunft
security-level 100
ip address 192.168.178.1 255.255.255.0
!
interface Ethernet0/3.421
description Guest
vlan 421
nameif Guest
security-level 20
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3.990
description Management WLC
vlan 990
nameif Management-WLC
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup Data
dns domain-lookup Voice
dns domain-lookup Data-Zukunft
dns domain-lookup Guest
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.10.0.7
name-server 10.10.0.8
name-server 194.25.0.52
domain-name xy-xy.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-USER_NETWORK_192.168.167.0_24
subnet 192.168.167.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_23
subnet 172.16.0.0 255.255.254.0
object network DATA_NETWORK
subnet 10.0.0.0 255.0.0.0
description Data-Network_10.0.0.0/8
object network VPN-SERVICE-USER_NETWORK_192.168.166.0_27
subnet 192.168.166.0 255.255.255.224
object network VPN-Firmaxy-USER_NETWORK_192.168.167.0_24
subnet 192.168.167.0 255.255.255.0
object network VPN-Service_NETWORK_192.168.166.0_27
subnet 192.168.166.0 255.255.255.224
object network Voice_Network
subnet 172.16.0.0 255.255.254.0
description Voice_Network
object network ASA_DATA_INTERFACE
host 10.1.1.10
object network DATA_ZUKUNFT
subnet 172.168.178.0 255.255.255.0
description Data-Zukunft_Network_172.168.178.0/24
object network DNS-SERVER1_intern
host 10.10.0.7
description DNS-Server 10.10.0.7
object network DNS-SERVER2_intern
host 10.10.0.8
description DNS-Server 10.10.0.8
object network MANAGEMENT_WLC_NETWORK
subnet 192.168.100.0 255.255.255.0
description Management_WLC_Network_192.168.100.0/24
object network NETWORK_OBJ_192.168.167.0_25
subnet 192.168.167.0 255.255.255.128
object-group user DM_INLINE_USER_1
xxxxxxx
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq echo
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object DATA_NETWORK
network-object object Voice_Network
access-list outside_access_in extended permit ip object-group-user DM_INLINE_USER_1 any any
access-list Service2_splitTunnelAcl standard permit 172.16.0.0 255.255.254.0
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in_1 extended permit ip object VPN-Firmaxy-USER_NETWORK_192.168.167.0_24 any
access-list outside_access_in_1 extended permit ip object VPN-Service_NETWORK_192.168.166.0_27 any
access-list Mainservice_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list Firmaxy_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list Firmaxy_splitTunnelAcl standard permit 172.16.0.0 255.255.254.0
access-list Guest_access_in extended permit object-group TCPUDP any object DNS-SERVER1_intern eq domain
access-list Guest_access_in extended permit object-group TCPUDP any object DNS-SERVER2_intern eq domain
access-list Guest_access_in extended deny ip any object DATA_NETWORK
access-list Guest_access_in extended deny ip any object Voice_Network
access-list Guest_access_in extended deny ip any object DATA_ZUKUNFT
access-list Guest_access_in extended deny ip any object MANAGEMENT_WLC_NETWORK
access-list Guest_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Data 1500
mtu Voice 1500
mtu Data-Zukunft 1500
mtu Guest 1500
mtu Management-WLC 1500
mtu management 1500
ip local pool VPN 192.168.167.10-192.168.167.100 mask 255.255.255.0
ip local pool VPN_SERVICE 192.168.166.10-192.168.166.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Data
icmp permit any Voice
icmp permit any Data-Zukunft
icmp permit any Guest
icmp permit any management
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Data,outside) source dynamic any interface
nat (Guest,outside) source dynamic any interface
nat (Data,outside) source static DATA_NETWORK DATA_NETWORK destination static VPN-SERVICE-USER_NETWORK_192.168.166.0_27 VPN-SERVICE-USER_NETWORK_192.168.166.0_27 no-proxy-arp route-lookup
nat (Data,outside) source static DATA_NETWORK DATA_NETWORK destination static VPN-Firmaxy-USER_NETWORK_192.168.167.0_24 VPN-Firmaxy-USER_NETWORK_192.168.167.0_24 no-proxy-arp
nat (Data,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.167.0_25 NETWORK_OBJ_192.168.167.0_25 no-proxy-arp route-lookup
access-group outside_access_in in interface outside control-plane
access-group outside_access_in_1 in interface outside
access-group Guest_access_in in interface Guest
route outside 0.0.0.0 0.0.0.0 82.207.178.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.0.0.0 Data
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA-Firmaxy
keypair LOCAL-CA-SERVER
proxy-ldc-issuer
crl configure
crypto ca server
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxxxxx
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 Data
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
dhcpd address 192.168.99.100-192.168.99.200 Guest
dhcpd dns 10.10.0.7 194.25.0.52 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.25.134.196 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_ANYCONNECT_Firmaxy-USER internal
group-policy GroupPolicy_ANYCONNECT_Firmaxy-USER attributes
wins-server none
dns-server value 10.10.0.7 10.10.0.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Firmaxy_splitTunnelAcl
default-domain value xy-xy.local
group-policy Service internal
group-policy Service attributes
dns-server value 10.10.0.7 10.10.0.8
vpn-tunnel-protocol ikev1
default-domain value xy-xy.local
group-policy GSP internal
group-policy GSP attributes
dns-server value 10.10.0.7 10.10.0.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Firmaxy_splitTunnelAcl
default-domain value xy-xy.local
service-type remote-access
tunnel-group Firmaxy type remote-access
tunnel-group Firmaxy general-attributes
address-pool VPN
default-group-policy Firmaxy
tunnel-group Firmaxy ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Service type remote-access
tunnel-group Service general-attributes
address-pool VPN_SERVICE
default-group-policy Service
tunnel-group Service ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ANYCONNECT_Firmaxy-USER type remote-access
tunnel-group ANYCONNECT_Firmaxy-USER general-attributes
address-pool VPN
default-group-policy GroupPolicy_ANYCONNECT_Firmaxy-USER
tunnel-group ANYCONNECT_Firmaxy-USER webvpn-attributes
group-alias ANYCONNECT_Firmaxy-USER enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end
The company name was changed to xy or Firma xy, passwords to xxx, outside address to xxx.
local: nslookup hoots.xy-xy.local --> 172.16.0.4 no problem
with VPN remote: DNS server first 10.10.0.7, second 10.10.0.8, then over local router/ISP: timeout
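The following Python check is added here and is not from the thread or from Cisco. It parses the group-policy, split-tunnel ACL and `dns-server` lines of a `show run` like the one above and reports any configured DNS server that a split-tunnel client would not send through the tunnel. With `split-tunnel-policy tunnelspecified` the client only routes destinations listed in the named standard ACL through the VPN, so a DNS server outside those networks is queried over the user's local link and never reaches the ASA; the script also handles `excludespecified` (the reverse condition) and treats an unset policy as `tunnelall`, the ASA default. The config excerpt embedded in the script is constructed to mirror the posted policies, plus a made-up `Hypothetical` policy to show a failing case; the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the relevant lines of the posted "sh run".
# The "Hypothetical" policy is made up to show a failing case: its split-tunnel
# list only carries 172.16.0.0/23, so neither of its DNS servers is routed
# through the tunnel.
CONFIG = """\
access-list Service2_splitTunnelAcl standard permit 172.16.0.0 255.255.254.0
access-list Firmaxy_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list Firmaxy_splitTunnelAcl standard permit 172.16.0.0 255.255.254.0
group-policy GroupPolicy_ANYCONNECT_Firmaxy-USER internal
group-policy GroupPolicy_ANYCONNECT_Firmaxy-USER attributes
 dns-server value 10.10.0.7 10.10.0.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Firmaxy_splitTunnelAcl
 default-domain value xy-xy.local
group-policy Service internal
group-policy Service attributes
 dns-server value 10.10.0.7 10.10.0.8
 vpn-tunnel-protocol ikev1
 default-domain value xy-xy.local
group-policy Hypothetical internal
group-policy Hypothetical attributes
 dns-server value 10.10.0.7 192.168.50.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Service2_splitTunnelAcl
"""

# Any of these starts a new top-level block and ends the current group-policy
# attribute section (indentation is not trusted: pasted output often loses it).
TOP_LEVEL = ("access-list ", "group-policy ", "tunnel-group ", "ip local pool ",
             "object ", "webvpn", "nat ", "crypto ")
ACL_RE = re.compile(r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)$")
ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")


def parse_config(text: str) -> Tuple[Dict[str, List[ipaddress.IPv4Network]], Dict[str, dict]]:
    """Collect standard ACL networks and the DNS/split-tunnel attributes per group-policy."""
    acls: Dict[str, List[ipaddress.IPv4Network]] = defaultdict(list)
    policies: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            # ipaddress accepts dotted netmasks ("10.0.0.0/255.0.0.0")
            acls[m[1]].append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = policies.setdefault(
                m[1], {"dns": [], "split_policy": None, "split_acl": None})
            continue
        if line.startswith(TOP_LEVEL):
            current = None
            continue
        if current is None:
            continue
        words = line.split()
        if line.startswith("dns-server value"):
            current["dns"] = [ipaddress.ip_address(a) for a in words[2:]]
        elif line.startswith("split-tunnel-policy"):
            current["split_policy"] = words[1]
        elif line.startswith("split-tunnel-network-list value"):
            current["split_acl"] = words[2]
    return acls, policies


def dns_servers_outside_tunnel(text: str) -> Dict[str, List[str]]:
    """Per group-policy, the DNS servers a client would NOT reach via the VPN.

    An empty list means every DNS server of that policy is routed through
    the tunnel. A policy without split-tunnel-policy is treated as
    'tunnelall' (assumption: it inherits the DfltGrpPolicy default).
    """
    acls, policies = parse_config(text)
    result: Dict[str, List[str]] = {}
    for name, p in policies.items():
        nets = acls.get(p["split_acl"] or "", [])
        mode = p["split_policy"] or "tunnelall"
        if mode == "tunnelspecified":          # only listed networks go through the tunnel
            bad = [a for a in p["dns"] if not any(a in n for n in nets)]
        elif mode == "excludespecified":       # listed networks bypass the tunnel
            bad = [a for a in p["dns"] if any(a in n for n in nets)]
        else:                                  # tunnelall: everything goes through the VPN
            bad = []
        result[name] = [str(a) for a in bad]
    return result


if __name__ == "__main__":
    for policy, servers in dns_servers_outside_tunnel(CONFIG).items():
        status = "OK" if not servers else "NOT via tunnel: " + ", ".join(servers)
        print(f"{policy}: {status}")
```

For the posted configuration this check passes: both 10.10.0.7 and 10.10.0.8 fall inside the 10.0.0.0/8 entry of `Firmaxy_splitTunnelAcl`, which agrees with the poster's own view that split tunnelling was not the cause. Running it first is still worthwhile because it takes the client-side routing question off the table before you start capturing on the ASA or tracing the return path inside the LAN.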
08-25-2013 09:44 AM
ASA-Firmaxy# sh vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : xxx Index : 1
Assigned IP : 192.168.167.10 Public IP : xxx
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : RC4 RC4 AES128 Hashing : SHA1 SHA1 SHA1
Bytes Tx : 11930 Bytes Rx : 3819
Pkts Tx : 14 Pkts Rx : 12
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_ANYCONNECT_Firmaxy-USER
Tunnel Group : ANYCONNECT_Firmaxy-USER
Login Time : 18:40:12 CEDT Sun Aug 25 2013
Duration : 0h:00m:13s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 1.1
Public IP : xxxxx
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : AnyConnect
Client Ver : AnyConnect Windows 2.5.2014
Bytes Tx : 11012 Bytes Rx : 3140
Pkts Tx : 13 Pkts Rx : 5
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 1.2
Assigned IP : 192.168.167.10 Public IP : xxx
Encryption : RC4 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 12075
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 2.5.2014
Bytes Tx : 918 Bytes Rx : 0
Pkts Tx : 1 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 1.3
Assigned IP : 192.168.167.10 Public IP : xxxx
Encryption : AES128 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 12080
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client Type : DTLS VPN Client
Client Ver : AnyConnect Windows 2.5.2014
Bytes Tx : 0 Bytes Rx : 7012
Pkts Tx : 0 Pkts Rx : 23
Pkts Tx Drop : 0 Pkts Rx Drop : 0
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 16 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
08-26-2013 02:16 AM
OK - problem self-solved.
At this time there is another old router in the LAN, and this router doesn't know the way to the remote VPN users.
Added a route and everything's all right.
- closed -