Cisco Support Community
Community Member

VPN Tunnel with U-turn

Hello,

I'm trying to understand how DNS works with U-turn. I'm looking into configuring a VPN tunnel between an ASA 5510 (main office) and a PIX 506 (remote office).

Currently all workstations in the remote office are connected through a VPN tunnel between the PIX 506 and a VPN 3000 concentrator, so they use the internal DNS server in the main office. I need to use U-turn on the ASA to enable remote users to surf the net. With the U-turn config, will the remote workstations still use the DNS server in the main office to resolve IP addresses?

thanks

lf

6 REPLIES
Cisco Employee

Re: VPN Tunnel with U-turn

Yes, they would still use the same DNS server.

Community Member

Re: VPN Tunnel with U-turn

Ok, thanks. Is there a way to use other DNS servers (i.e. OpenDNS) for U-turn traffic (web browsing) and use my internal DNS server for production traffic?

Cisco Employee

Re: VPN Tunnel with U-turn

Well, that is not possible, because your host does not know how the packet is going to the internet; for the host, U-turning VPN all this is transparent.

Community Member

Re: VPN Tunnel with U-turn

Ok, I understand. How about the split tunnel? If I'd configure it so only interesting traffic passes through the VPN tunnel and web traffic "splits" at the PIX? How is DNS working in such a configuration? Is there a way to use my internal DNS servers (behind the ASA) for encrypted traffic and another DNS server for web traffic? I just want to make sure that all of the applications will be working internally through the VPN and use external DNS for web traffic.

thanks again

Cisco Employee

Re: VPN Tunnel with U-turn

Hey Forman,

Split DNS and split tunneling are both used with remote access clients. In your case you are trying to configure a site-to-site VPN tunnel, so to "split" the traffic you will use the crypto ACL to define interesting traffic for the VPN. This ACL, however, uses IP addresses to determine whether the traffic should be encrypted or not; hence your DNS lookup would have to happen before the traffic gets encrypted. So either you can define the DNS server for the remote network to be the DNS across the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic, or you must ensure that the local DNS server is capable of resolving the names.

In the previous case where you are using U-turning, everything automatically gets tunneled, so you don't need to worry about your DNS requests being tunneled.

I hope this explains the behaviour.


Regards,

Atri.
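
Added example, not from this thread or from Cisco: a small Python model of the crypto ACL decision Atri describes above. Addresses are constructed (remote LAN 192.168.2.0/24, main-office LAN 10.1.0.0/16, internal DNS 10.1.0.53, a public web server at 203.0.113.10). It shows that with a split crypto ACL the DNS query is tunneled only when the DNS server's address falls inside the interesting traffic, while a U-turn ACL matching any destination tunnels DNS and web traffic alike.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(lines):
    """Parse PIX/ASA-style 'permit ip <src> <mask> <dst> <mask>' lines; other lines are ignored."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) == 6 and parts[:2] == ["permit", "ip"]:
            entries.append(AclEntry(
                ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"),
                ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}")))
    return entries


def is_interesting(acl, src_ip, dst_ip):
    """True if the packet matches the crypto ACL, i.e. it is encrypted into the tunnel.
    The decision is made on IP addresses only; host names play no part."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in e.src and dst in e.dst for e in acl)


def classify_flows(acl, flows):
    """Map each named flow (src, dst) to 'tunnel' or 'clear'."""
    return {name: ("tunnel" if is_interesting(acl, s, d) else "clear")
            for name, (s, d) in flows.items()}


def dns_via_tunnel(acl, client_ip, dns_ip):
    """The DNS query is itself a packet the crypto ACL must match; otherwise it leaves in
    the clear (or gets nowhere when the DNS server is only reachable through the tunnel)."""
    return is_interesting(acl, client_ip, dns_ip)


# Constructed addresses: a remote-office client, the internal DNS server, a public web server.
REMOTE_CLIENT = "192.168.2.10"
INTERNAL_DNS = "10.1.0.53"
FLOWS = {"dns": (REMOTE_CLIENT, INTERNAL_DNS), "web": (REMOTE_CLIENT, "203.0.113.10")}

# Split: only remote LAN -> main LAN is interesting; web traffic leaves the PIX directly.
SPLIT_ACL = ["permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0"]
# U-turn: any destination is interesting; everything, DNS included, goes to the ASA.
UTURN_ACL = ["permit ip 192.168.2.0 255.255.255.0 0.0.0.0 0.0.0.0"]

if __name__ == "__main__":
    for name, acl in (("split", SPLIT_ACL), ("u-turn", UTURN_ACL)):
        print(name, classify_flows(parse_acl(acl), FLOWS))
    # A DNS server outside the interesting traffic is never reached over the tunnel.
    print("10.2.0.53 via tunnel:", dns_via_tunnel(parse_acl(SPLIT_ACL), REMOTE_CLIENT, "10.2.0.53"))
```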

Community Member

Re: VPN Tunnel with U-turn

Thanks Atri for explaining this.

forman
