Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Baffled...split-DNS via remote access

I don't know why the following config does not work when I'm trying to resolve or ping a host via it's name while remote access in. I'm currently running ASA 5520 8.2(5).

group-policy TEST internal
group-policy TEST attributes
 dns-server value x.x.200.64 x.x.200.41
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcL
 default-domain value Test.local
 split-dns value Test.local
 split-tunnel-all-dns enable

Cisco Employee

Hi Allele, Could you please

Hi Allele,


Could you please make sure that the ip address's that you defined as dns servers are also included in the split-tunnel acl i.e. VPN_splitTunnelAcL. If not then please include. Also split-tunnel-all-dns command is supported for SSL VPN clients. It is not supported in IPSec VPN clients so if you are using IPsec VPN client, you are not going to get any benefit of this command.

If it still does not work then try to do tunnel-all instead of using split tunnel and check if that fixes the issue or not.


Let me know if this helps.



New Member

Yes, the DNS servers are

Yes, the DNS servers are permitted.

access-list VPN_splitTunnelAcL standard permit x.x.200.0


Hmm, I had this working in 7.2(2) via the VPN client.

Cisco Employee

Could you please try with

Could you please try with tunnelall. just to understand the behavior of the device.


Also check if you are able to ping the dns servers when connected over VPN.



New Member

The tunnelall config works

The tunnelall config works BUT after doing so, I can't get out to the internet..can't resolve anything public.

New Member

Looks like I now have to NAT

Looks like I now have to NAT the traffic of the remote users to a public IP other than the one specified for the outside interface. I think this the correct solution. Let me know if it's not.

Cisco Employee

I think this will be a good

I think this will be a good option. Send all your traffic to the ASA and access internet using the public ip address of the ASA.


You can refer to this document for the same:



CreatePlease login to create content