Cisco PIX 506 and split-dns command

Discussion in 'Cisco' started by Grunteled, Jun 8, 2005.

  1. Grunteled

    Grunteled Guest

    I'm working with a PIX 506 to setup VPN from an office location to my
    home network. The PIX is at my home and I'm using the Cisco VPN client
    on an XP workstation.

    My problem is thus:

    I can get a split tunnel working and get connected. Everything works
    great. Too great. In spite of the command:

    vpngroup foo address-pool vpn-address-3
    vpngroup foo dns-server helios titan
    vpngroup foo wins-server helios
    vpngroup foo split-tunnel foo_splitTunnelAcl
    vpngroup foo split-dns foo.net foo.org
    vpngroup foo idle-time 1800
    vpngroup foo password ********
    The tunnel is swallowing ALL dns requests. Obviously the clients are
    getting DNS settings from the vpngroup and after a connection is made
    all requests go to those servers. This isn't going to work. I need to
    also be able to resolve DNS names from the client side network and
    connect to them. Right now I can't do that since the internal DNS on
    the client side is not public. And the VPN side has no way to
    replicate these entries, nor would I want to.

    Are there any tricks I'm missing to get the Cisco client to only send
    requests for "foo.net" and "foo.org" down the tunnel and send the rest
    in the clear to the local DNS on the client side?
     
    Grunteled, Jun 8, 2005
    #1
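    The behaviour the poster expects from `vpngroup foo split-dns foo.net foo.org`, modelled as an added example (not code from the thread or from Cisco): a client-side policy that sends only names under the listed domains to the tunnel DNS servers and everything else to the local resolver. The tunnel server names are the thread's `helios`/`titan`; the local resolver address is a constructed placeholder.

    ```python
    # Added example, not from the original thread: a model of the split-DNS
    # policy that "vpngroup foo split-dns foo.net foo.org" is meant to express.
    from __future__ import annotations

    # Values taken from the thread's vpngroup configuration.
    SPLIT_DNS_DOMAINS = ("foo.net", "foo.org")
    TUNNEL_DNS = ("helios", "titan")   # VPN-side servers named in the thread
    LOCAL_DNS = ("192.0.2.53",)        # constructed placeholder for the client-side resolver


    def _labels(name: str) -> list[str]:
        """Normalise a DNS name into lowercase labels, ignoring a trailing dot."""
        return [label for label in name.strip().lower().rstrip(".").split(".") if label]


    def matches_split_domain(query: str, domain: str) -> bool:
        """True if `query` is `domain` itself or a subdomain of it.

        Matching is done on whole labels, so 'host.foo.net' matches 'foo.net'
        but 'barfoo.net' does not (a naive endswith() check would get that wrong).
        """
        q, d = _labels(query), _labels(domain)
        return len(q) >= len(d) and q[-len(d):] == d


    def choose_resolvers(query: str,
                         split_domains=SPLIT_DNS_DOMAINS,
                         tunnel_dns=TUNNEL_DNS,
                         local_dns=LOCAL_DNS) -> tuple[str, tuple[str, ...]]:
        """Return ("tunnel", servers) or ("local", servers) for a query name.

        With split DNS only names under the listed domains go to the VPN-side
        servers; every other query stays with the client-side resolver, which
        is what keeps the office's private names resolvable while connected.
        """
        if any(matches_split_domain(query, d) for d in split_domains):
            return "tunnel", tuple(tunnel_dns)
        return "local", tuple(local_dns)


    if __name__ == "__main__":
        for name in ("mail.foo.net", "www.foo.org", "intranet.office.example", "barfoo.net"):
            route, servers = choose_resolvers(name)
            print(f"{name:28} -> {route:6} {servers}")
    ```

    Running the block prints the routing decision for four sample names; only the two under the split domains are sent to the tunnel servers.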

  2. "Grunteled" <> wrote:

    > vpngroup foo dns-server helios titan
    >
    > The tunnel is swallowing ALL dns requests. Obviously the clients are
    > getting DNS settings from the vpngroup and after a connection is made
    > all requests go to those servers. This isn't going to work. I need
    > to also be able to resolve DNS names from the client side network and
    > connect to them. Right now I can't do that since the internal DNS on
    > the client side is not public. And the VPN side has no way to
    > replicate these entries, nor would I want to.
    >
    > Are there any tricks I'm missing to get the Cisco client to only send
    > requests for "foo.net" and "foo.org" down the tunnel and send the
    > rest in the clear to the local DNS on the client side?

    I'm afraid there isn't much you can do. If you define

    vpngroup dns-server X [Y]

    then all DNS requests are destined to it/them when you have
    opened a VPN connection. However I'm not sure if this is
    strictly a VPN client problem because I made a quick check and
    couldn't figure out how you can set up Windows to ask DNS
    information for domain X from server Y (I'm using Windows 2000
    Server). Can you do it?
    If this feature is not implemented into the underlying OS then
    there's no way that the VPN client could override it.
     
    Jyri Korhonen, Jun 8, 2005
    #2

  3. Grunteled

    Grunteled Guest

    I'm pretty sure it is *possible*. My old SHIVA VPN client would do it.
    I'm also pretty sure it works in the 3000 concentrators. I just found
    it odd that the command does nothing even though the log on the VPN
    client says that it's enabled and gets the correct settings.

    This can't be a new thing that Cisco never imagined people would need.
     
    Grunteled, Jun 9, 2005
    #3