Problem with Split DNS

Home Forums Networking Cisco Security – PIX/ASA/VPN Problem with Split DNS

Viewing 1 post (of 1 total)
  • Author
  • Avatar

    Ok i’ll try to explain my best since English is my 2nd language

    1) I have a working ASA 5505, vpn connection with Split Tunnel, which means that my clients can connect at work and still access their local network
    2) Problem I have is that atm they need to conect (exemple on RDP) with the ip adress so
    3) I would like to be able to rdp using w7.domain.local instead of
    4) I heard about the split-tunnel value domain.local but the problem is that I need the VPN connection to add me a dns server adress and a search domain to be able to try to ping
    5) I added manually the dns server IP and the search domain name on my mac and it still doesn’t work)
    6) The most important part Since the local lan of the work office is 192.168.0.X and alot of people at home have 192.168.0.X we use Ip translation so to communicate exemple I write and I can access my PC at work

    TL:DR version

    I want my VPN connection to assign my VPN client this IP address and the search domain domain.local

    I want to be able to say from my VPN cleint ping w7.domain.local and that the Packet will pass threw the Cisco as 200.16 then converts back to 0.16 and access my PC

    Here is my Code, please note that i removed some confidential info, but the VPN connection is working ATM

    IF you have any questions feel free to ask

    ASA Version 8.2(1)
    terminal width 250
    hostname machine
    enable password G0n/46uG1zueNp0y encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list inside-out extended permit tcp host any eq smtp
    access-list inside-out extended deny tcp any any eq smtp
    access-list inside-out extended permit ip any any
    access-list inside-out extended permit icmp any any
    access-list vpn-client-policy-nat extended permit ip
    access-list VPN-SPLIT-TUNNEL standard permit
    access-list 100 extended deny tcp eq smtp eq smtp
    access-list 100 extended permit ip
    access-list 100 extended permit icmp
    access-list 100 extended permit ip
    access-list 100 extended permit icmp
    access-list outbound extended permit tcp host any eq smtp
    access-list outbound extended permit tcp host any eq smtp
    access-list outbound extended deny tcp any any eq smtp
    access-list outbound extended permit ip any any
    pager lines 34
    logging enable
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool mobilepool mask
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    static (outside,inside) netmask
    static (inside,outside) access-list vpn-client-policy-nat
    access-group outbound in interface inside
    access-group outside-acl in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set mobileset
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
    crypto map mobilemap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh inside
    ssh inside
    ssh inside
    ssh inside
    ssh outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy mobilegroup internal
    group-policy mobilegroup attributes
    vpn-simultaneous-logins 50
    vpn-idle-timeout 2000
    vpn-session-timeout 2000
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    split-dns value domain.local
    group-policy mobile_policy internal
    group-policy mobile_policy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    tunnel-group mobilegroup type remote-access
    tunnel-group mobilegroup general-attributes
    address-pool mobilepool
    default-group-policy mobile_policy
    tunnel-group mobilegroup ipsec-attributes
    pre-shared-key key
    class-map global-class
    match default-inspection-traffic
    class-map inspection
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.