Velocity Reviews - Computer Hardware Reviews

Cisco PIX 506 and split-dns command

Grunteled
Guest
Posts: n/a
 
      06-08-2005
I'm working with a PIX 506 to setup VPN from an office location to my
home network. The PIX is at my home and I'm using the Cisco VPN client
on an XP workstation.

My problem is thus:

I can get a split tunnel working and get connected. Everything works
great. Too great. In spite of the command:

vpngroup foo address-pool vpn-address-3
vpngroup foo dns-server helios titan
vpngroup foo wins-server helios
vpngroup foo split-tunnel foo_splitTunnelAcl
vpngroup foo split-dns foo.net foo.org
vpngroup foo idle-time 1800
vpngroup foo password ********


The tunnel is swallowing ALL DNS requests. Obviously the clients are
getting DNS settings from the vpngroup and after a connection is made
all requests go to those servers. This isn't going to work. I need to
also be able to resolve DNS names from the client side network and
connect to them. Right now I can't do that since the internal DNS on
the client side is not public. And the VPN side has no way to
replicate these entries, nor would I want to.

Are there any tricks I'm missing to get the Cisco client to only send
requests for "foo.net" and "foo.org" down the tunnel and send the rest
in the clear to the local DNS on the client side?

Jyri Korhonen
Guest
Posts: n/a
 
      06-08-2005
"Grunteled" <(E-Mail Removed)> wrote:

> vpngroup foo dns-server helios titan
>
> The tunnel is swallowing ALL dns requests. Obviously the clients are
> getting DNS settings from the vpngroup and after a connection is made
> all requests go to those servers. This isn't going to work. I need
> to also be able to resolve DNS names from the client side network and
> connect to them. Right now I can't do that since the internal DNS on
> the client side is not public. And the VPN side has no way to
> replicate these entries, nor would I want to.
>
> Are there any tricks i'm missing to get the Cisco client to only send
> requests for "foo.net" and "foo.org" down the tunnel and send the
> rest in the clear to the local DNS on the client side?


I'm afraid there isn't much you can do. If you define

vpngroup dns-server X [Y]

then all DNS requests are destined for it/them when you have
opened a VPN connection. However, I'm not sure if this is
strictly a VPN client problem, because I made a quick check and
couldn't figure out how you can set up Windows to ask for DNS
information for domain X from server Y (I'm using Windows 2000
Server). Can you do it?
If this feature is not implemented in the underlying OS then
there's no way that the VPN client could override it.

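Editor's added example (not code from either poster): a small Python model of the split-DNS decision the original poster wants the Cisco client to make, built from the vpngroup lines in the first post, set against the "every query goes to the pushed servers" behaviour Jyri describes. The `dns-server` entries are the resolvers pushed to the client; the `split-dns` entries are the only suffixes that should be resolved through the tunnel. `helios`, `titan` and the client-side resolver address 192.0.2.53 (a documentation-range address) are placeholders, and `office.internal` is an assumed name for the office-side domain.

```python
"""Added example, not code from the thread: model the split-DNS decision the
poster wants the VPN client to make, driven by the vpngroup lines he posted.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed input: the vpngroup block from the first post, password masked as posted.
PIX_CONFIG = """\
vpngroup foo address-pool vpn-address-3
vpngroup foo dns-server helios titan
vpngroup foo wins-server helios
vpngroup foo split-tunnel foo_splitTunnelAcl
vpngroup foo split-dns foo.net foo.org
vpngroup foo idle-time 1800
vpngroup foo password ********
"""

LOCAL_DNS = ["192.0.2.53"]  # assumed client-side (office) resolver, documentation range


@dataclass
class SplitDnsPolicy:
    tunnel_dns: list[str] = field(default_factory=list)     # from `dns-server`
    split_domains: list[str] = field(default_factory=list)  # from `split-dns`


def parse_vpngroup(config: str, group: str) -> SplitDnsPolicy:
    """Extract dns-server and split-dns values for one vpngroup from PIX 6.x config text."""
    policy = SplitDnsPolicy()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "vpngroup" or parts[1] != group:
            continue
        keyword, values = parts[2], parts[3:]
        if keyword == "dns-server":
            policy.tunnel_dns = values
        elif keyword == "split-dns":
            # Normalise so matching is case-insensitive and ignores a trailing dot.
            policy.split_domains = [d.lower().rstrip(".") for d in values]
    return policy


def in_split_domain(name: str, domains: list[str]) -> bool:
    """Suffix match on label boundaries: 'host.foo.net' matches 'foo.net',
    'notfoo.net' does not. A plain str.endswith() would misroute the latter."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)


def resolvers_for(name: str, policy: SplitDnsPolicy, local_dns: list[str]) -> list[str]:
    """Resolvers a split-DNS-aware client should use for `name` (what the poster wants)."""
    if in_split_domain(name, policy.split_domains):
        return list(policy.tunnel_dns)
    return list(local_dns)


def resolvers_observed(name: str, policy: SplitDnsPolicy) -> list[str]:
    """What the poster reports actually happening: every query goes to the pushed servers."""
    return list(policy.tunnel_dns)


def misrouted_queries(names: list[str], policy: SplitDnsPolicy, local_dns: list[str]) -> list[str]:
    """Names that, under the observed behaviour, reach the tunnel resolvers although the
    policy says they should stay local: the office-side lookups that fail for the poster."""
    return [n for n in names if resolvers_observed(n, policy) != resolvers_for(n, policy, local_dns)]


if __name__ == "__main__":
    pol = parse_vpngroup(PIX_CONFIG, "foo")
    queries = ["mail.foo.net", "www.foo.org", "fileserver.office.internal", "notfoo.net"]
    for q in queries:
        print(f"{q:28} wanted={resolvers_for(q, pol, LOCAL_DNS)} observed={resolvers_observed(q, pol)}")
    print("misrouted:", misrouted_queries(queries, pol, LOCAL_DNS))
```

The label-boundary check in `in_split_domain` is the part worth keeping when writing or auditing any split-DNS implementation: a suffix match that ignores the dot boundary sends `notfoo.net` down the tunnel as well, and the same bug in the other direction leaks internal names to the wrong resolver.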
Grunteled
Guest
Posts: n/a
 
      06-09-2005
I'm pretty sure it is *possible*. My old SHIVA VPN client would do it.
I'm also pretty sure it works in the 3000 concentrators. I just found
it odd that the command does nothing even though the log on the VPN
client says that it's enabled and gets the correct settings.

This can't be a new thing that Cisco never imagined people would need.
