Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with Split DNS

Ok i'll try to explain my best since English is my 2nd language

1) I have a working ASA 5505, vpn connection with Split Tunnel, which means that my clients can connect  at work and still access their local network

2) Problem I have is that atm they need to conect (exemple on RDP) with  the ip adress so

3) I would like to be able to rdp using  w7.domain.local instead of

4) I heard about the split-tunnel value domain.local but the problem is that  I need the VPN connection to add me a dns server adress and a search domain to be able to try to ping

5) I added manually the dns server IP and the search domain name on my mac and it still doesn't work)

6) The most important part  Since the local lan of the work office is 192.168.0.X and alot of people at home have 192.168.0.X we use Ip translation so to communicate exemple   I write and I can access my PC at work

TL:DR version

I want my VPN connection to assign my VPN client this IP address and the search domain domain.local

I want to be able to say from my VPN cleint ping w7.domain.local and that the Packet will pass threw the  Cisco as 200.16 then converts back to 0.16 and access my PC

Here is my Code, please note that i removed some confidential info, but the VPN connection is working ATM

IF you have any questions feel free to ask

ASA Version 8.2(1)


terminal width 250

hostname machine

enable password G0n/46uG1zueNp0y encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


boot system disk0:/asa821-k8.bin

ftp mode passive

access-list inside-out extended permit tcp host any eq smtp

access-list inside-out extended deny tcp any any eq smtp

access-list inside-out extended permit ip any any

access-list inside-out extended permit icmp any any

access-list vpn-client-policy-nat extended permit ip

access-list VPN-SPLIT-TUNNEL standard permit

access-list 100 extended deny tcp eq smtp eq smtp

access-list 100 extended permit ip

access-list 100 extended permit icmp

access-list 100 extended permit ip

access-list 100 extended permit icmp

access-list outbound extended permit tcp host any eq smtp

access-list outbound extended permit tcp host any eq smtp

access-list outbound extended deny tcp any any eq smtp

access-list outbound extended permit ip any any

pager lines 34

logging enable

logging timestamp

logging buffered debugging

logging trap debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool mobilepool mask

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1

static (outside,inside) netmask

static (inside,outside)  access-list vpn-client-policy-nat

access-group outbound in interface inside

access-group outside-acl in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set mobileset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set transform-set mobileset

crypto dynamic-map dyn1 1 set reverse-route

crypto map mobilemap 1 ipsec-isakmp dynamic dyn1

crypto map mobilemap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh inside

ssh inside

ssh inside

ssh inside

ssh outside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


group-policy mobilegroup internal

group-policy mobilegroup attributes

vpn-simultaneous-logins 50

vpn-idle-timeout 2000

vpn-session-timeout 2000

split-tunnel-network-list value VPN-SPLIT-TUNNEL

split-dns value domain.local

group-policy mobile_policy internal

group-policy mobile_policy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SPLIT-TUNNEL

tunnel-group mobilegroup type remote-access

tunnel-group mobilegroup general-attributes

address-pool mobilepool

default-group-policy mobile_policy

tunnel-group mobilegroup ipsec-attributes

pre-shared-key key


class-map global-class

match default-inspection-traffic

class-map inspection

class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp


service-policy global_policy global

prompt hostname context


: end

  • VPN