DNS not resolving after launching VPN client using split-DNS from branch office

meydenbauer (Level 1)

We have a hub & spoke network where branch offices are connected to the corporate office via L2L VPN with ASAs on both sides. There are no Domain Controllers at the branch offices, so DHCP is configured on the ASA with the primary DNS server being an internal DNS server in the corporate office and the secondary a public DNS server in case the tunnel goes down. Everything seems to be working with this. The corporate ASA also hosts an SSL VPN for remote clients which uses split-tunneling and split-DNS, and this works fine when clients connect from outside the offices.

The problem we're having is when a client needs to launch AnyConnect from one of the branch offices. DNS resolution works for the internal DNS domains configured in the split-DNS, but it won't resolve external domains. IP traffic gets routed properly and we can ping any address we need to by IP, but we can't resolve DNS for those external domains.

The way things are configured, a client in the branch has a primary DNS server located in the corporate network with the address 10.1.2.3. When the client connects with AnyConnect, his DNS server for that connection would also be 10.1.2.3. With the VPN connected, the 10.1.2.3 address would get routed over the SSL VPN. The split-DNS rule tells the client not to use the AnyConnect DNS server but instead to use the DNS server attached to the physical network adapter ... it seems like a catch-22. How should I configure this to get external DNS to resolve from the branch offices?

2 Replies

Ajay Saini (Level 7)

In my opinion, the only way is to NAT the remote DNS server to some dummy IP address and use that IP address for split-DNS. That way, the AnyConnect client will be able to differentiate between the two DNS servers. Kind of tricky, but should work. NAT needs to be done on the corporate office ASA, and the split tunnel needs to be modified to send traffic for that dummy IP/network through the tunnel.

HTH

-AJ
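As an added example (not the original poster's running config, and not something Ajay or Farhan posted), here is what the dummy-address approach looks like on the corporate ASA in ASA 8.3+/9.x object-NAT syntax. Everything except 10.1.2.3 is assumed for illustration: the dummy address 10.99.99.3, the AnyConnect pool 10.50.0.0/24, the interface names outside/inside, the group policy GP-SSLVPN, the corporate range 10.1.0.0/16, the domain corp.example.com, and the public resolver 198.51.100.53 on the branch ASA. The point is that the tunnel DNS server (10.99.99.3) and the physical adapter's DNS server (10.1.2.3) are now two different addresses, so the client's split-DNS logic no longer blocks the same IP it is supposed to fall back to.

```text
! ===== Corporate-office ASA (added example; names and addresses assumed) =====
!
! Real internal DNS server (from the question) and the dummy address
! AnyConnect clients will be handed instead. 10.99.99.3 is assumed to be
! unused anywhere in the network; it only exists as a NAT target here.
object network DNS-REAL
 host 10.1.2.3
object network DNS-DUMMY
 host 10.99.99.3
!
! Assumed AnyConnect address pool.
object network VPN-POOL
 subnet 10.50.0.0 255.255.255.0
!
! Destination NAT: a packet from a VPN client (source in VPN-POOL) arriving
! on outside for 10.99.99.3 is rewritten to 10.1.2.3 on inside. Reply
! traffic is un-translated automatically. "1" puts the rule at the top of
! section 1 so the usual VPN NAT-exemption (identity) rule for the pool,
! which would otherwise match first, does not bypass it.
nat (outside,inside) 1 source static VPN-POOL VPN-POOL destination static DNS-DUMMY DNS-REAL
!
! Split-tunnel list: the corporate networks plus the dummy DNS host, so
! queries sent to 10.99.99.3 actually enter the tunnel.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit host 10.99.99.3
!
! Group policy: the tunnel DNS server is the dummy address, not 10.1.2.3.
! Internal domains listed under split-dns go to 10.99.99.3 through the
! tunnel; every other domain goes to whatever DNS the physical adapter has
! (10.1.2.3 from the branch DHCP, or the public resolver if the L2L is down).
group-policy GP-SSLVPN attributes
 dns-server value 10.99.99.3
 default-domain value corp.example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 split-dns value corp.example.com
!
! ===== Branch-office ASA (unchanged from the question; public resolver assumed) =====
! Clients keep the real corporate server on their physical adapter.
dhcpd dns 10.1.2.3 198.51.100.53
```

To confirm the translation is in the right place before testing from a branch, `show nat detail` should list the twice-NAT line at the top of section 1 (above the VPN exemption rule), and `packet-tracer input outside udp 10.50.0.10 40000 10.99.99.3 53` (source address assumed from the pool) should show the NAT phase rewriting the destination to 10.1.2.3 and the packet being allowed. From a connected branch client, `nslookup` against a name under corp.example.com should be answered by 10.99.99.3, while a lookup of an external name should show the physical adapter's server. Keep the dummy address out of any routing table and out of the branch DHCP scope; if it ever becomes reachable without the tunnel the client is back to two paths for one IP, which is the situation Farhan's reply calls split brain.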

Farhan Mohamed (Cisco Employee)

NAT needs to be done on the corporate office ASA, and the split tunnel needs to be modified to send traffic for that dummy IP/network through the tunnel. This will avoid a split-brain scenario.
