Thread: Split DNS question

  1. #1
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!

    Split DNS question

    Will make a new post this afternoon

  2. #2
    2600klub
    I donated 5 bucks and all I got was this shitty title from Zet

    You seem to write some of the most confusing posts ever, congrats.

  3. #3
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!

    Yeah, I'll rewrite one slowly later today and repost it, sorry.

  4. #4
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!

    Ok, I just simplified my config.

    1) I have a MBP connected to a router (with allow all); that router is connected to my Cisco ASA 5505 on the WAN interface, and the LAN interface of the ASA 5505 is connected to a switch which has a PC (192.168.0.16) and a DNS server (192.168.0.14).

    My MBP can connect to the VPN NP and can access the DNS server (ping and SSH) and the Windows machine (ping and RDP).

    What I want is to be able to access them with the FQDN, for example ping dns.domain.local and RDP to pc.domain.local (inside the LAN the DNS works flawlessly, but not on the VPN).

    Here is my config:

    ASA Version 8.2(1)
    !
    terminal width 250
    hostname domain
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list inside-out extended permit tcp host 192.168.0.2 any eq smtp
    access-list inside-out extended deny tcp any any eq smtp
    access-list inside-out extended permit ip any any
    access-list inside-out extended permit icmp any any
    access-list vpn-client-policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.250.132.0 255.255.255.0
    access-list VPN-SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
    access-list 100 extended deny tcp 10.250.132.0 255.255.255.0 eq smtp 192.168.0.0 255.255.255.0 eq smtp
    access-list 100 extended permit ip 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit icmp 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit ip 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit icmp 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list outbound extended permit tcp host 192.168.0.2 any eq smtp
    access-list outbound extended permit tcp host 192.168.0.10 any eq smtp
    access-list outbound extended deny tcp any any eq smtp
    access-list outbound extended permit ip any any
    pager lines 34
    logging enable
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool mobilepool 10.250.132.100-10.250.132.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outbound in interface inside
    access-group outside-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 24.37.96.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set mobileset
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
    crypto map mobilemap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 10.0.128.0 255.255.255.0 inside
    ssh 10.250.132.0 255.255.255.0 inside
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 192.168.0.0 255.255.255.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mobilegroup internal
    group-policy mobilegroup attributes
    vpn-simultaneous-logins 50
    vpn-idle-timeout 2000
    vpn-session-timeout 2000
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    dns-server value 192.168.0.4
    default-domain value domain.local
    split-dns value domain.local
    group-policy mobile_policy internal
    group-policy mobile_policy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    tunnel-group mobilegroup type remote-access
    tunnel-group mobilegroup general-attributes
    address-pool mobilepool
    default-group-policy mobile_policy
    tunnel-group mobilegroup ipsec-attributes
    pre-shared-key password
    !
    class-map global-class
    match default-inspection-traffic
    class-map inspection
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8483359024d4bec86c077bb9dbbcd324
    : end
    For this config I removed some confidential info, but all the info for the VPN is still there.

    One of my problems is the fact that when I'm connected to the VPN I cannot get a DNS server and search domain automatically.

    If I manually add my DNS server and my search domain there, I still cannot ping the FQDN.

    Can anyone tell me what I'm doing wrong?

    (Hope this is better formatted.)

  5. #5
    Relic Shield
    What DHCP options do you have configured for the VPN pool? Is it handing out the DNS information for your corp network?

    Edit: Nevermind, I'm going through your config now. Does the 192.168.0.4 show in ipconfig for your dns server?

    a DNS server (192.168.0.14)

    dns-server value 192.168.0.4 ?

    VPNs and SANs are my weakest areas of experience.
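The config in post #4 and the 192.168.0.4 versus 192.168.0.14 question in post #5 are the kind of thing a small audit script catches. The check below is added here and is not from either poster: it parses a flat ASA-style running-config and, for each tunnel-group, reports whether the group-policy it actually applies (its default-group-policy, falling back to DfltGrpPolicy) carries dns-server, default-domain and split-dns, whether the resolver matches the one you expect, and whether that resolver lies inside the split-tunnel networks (if it does not, DNS queries never enter the tunnel). The config excerpt is constructed from the posted one, not copied from it.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above, not the poster's full config.
SAMPLE_CONFIG = """
access-list VPN-SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
group-policy mobilegroup attributes
dns-server value 192.168.0.4
default-domain value domain.local
split-dns value domain.local
split-tunnel-network-list value VPN-SPLIT-TUNNEL
group-policy mobile_policy attributes
split-tunnel-network-list value VPN-SPLIT-TUNNEL
tunnel-group mobilegroup general-attributes
default-group-policy mobile_policy
"""

def parse_asa(text):
    """Return (group-policy attrs, tunnel-group attrs, standard ACL nets) from a flat config."""
    policies, tunnels, acls, cur = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"group-policy (\S+) attributes$", line):
            cur = policies.setdefault(m[1], {})
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            cur = tunnels.setdefault(m[1], {})
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif cur is not None and (m := re.match(r"(\S+) value (\S+)$", line)):
            cur[m[1]] = m[2]                      # dns-server, split-dns, ...
        elif cur is not None and (m := re.match(r"default-group-policy (\S+)$", line)):
            cur["policy"] = m[1]                  # policy the tunnel-group really applies
    return policies, tunnels, acls

def audit(text, expected_dns=None):
    """Report split-DNS gaps per tunnel-group, judged on the policy it actually hands out."""
    policies, tunnels, acls = parse_asa(text)
    findings = []
    for tg, ta in tunnels.items():
        name = ta.get("policy", "DfltGrpPolicy")   # ASA falls back to DfltGrpPolicy
        eff = policies.get(name, {})
        for attr in ("dns-server", "default-domain", "split-dns"):
            if attr not in eff:
                findings.append(f"{tg}: policy {name} has no {attr}")
        dns = eff.get("dns-server")
        if dns and expected_dns and dns != expected_dns:
            findings.append(f"{tg}: dns-server {dns} != expected {expected_dns} (typo?)")
        nets = acls.get(eff.get("split-tunnel-network-list"), [])
        if dns and nets and not any(ipaddress.ip_address(dns) in n for n in nets):
            findings.append(f"{tg}: dns-server {dns} is outside the split-tunnel networks")
    return findings
```

Run `audit(open("running-config").read(), expected_dns="192.168.0.14")` against a saved `show running-config`; an empty list means every tunnel-group hands out a complete, in-tunnel split-DNS setup.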

  6. #6
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!

    I made another typo, the DNS server is 0.14, but it's still not working. I got some info from Cisco forums that I'll try this week.

  7. #7
    Relic Shield
    Cool. Let me know how it goes.

  8. #8
    BG's most likeable Québécois
    Pens win! Pens Win!!! PENS WIN!!!!!

    Yay, problem solved, just need to fix the side at work, which is more complicated lol, but still a good way done!