DNS & Cisco VPN

Bit of a long-running one at work this one...

When staff connect remotely to the company network they use the Cisco VPN client. This works just spiffy as long as their network share and internal shortcuts point to IPs rather than FQDNs.

I could just about live with this up until now, but some staff want to use Outlook 2007 for their mail rather than OWA, and it automatically converts the Exchange server IP to an FQDN in the setup process.

Is this normal for Cisco VPN software or have I set it up wrong/missed a trick?

Is there a way to configure the machines to use the work DNS servers when they're connected via VPN?
 
Yes. We have this set up (PIX Firewall). In fact they should be able to use

"yourserver" - not "yourserver.yourdomain.com"

I don't know enough about configuring these things to help you unfortunately - but yes, it is possible. (I assume you are using PIX)
 
Could you post your config?

You will need to make sure the appliance is aware of your internal DNS and WINS.

Code:
vpdn group 1 client configuration dns <dns server ip>
vpdn group 1 client configuration wins <wins server ip>
 
It's a Cisco ASA5510

Yes this is easily achieved, it can be set under the group policy attributes for the VPN Client Group.

Code:
group-policy **GPO Name** internal
group-policy **GPO Name** attributes
 wins-server value **IP Address of Wins Server**
 dns-server value **IP Address of DNS Server**
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value **Split Tunnel ACL if required**

If you aren't overly familiar with the CLI, the ASDM will do it with ease.
 
Agreed.

I've set this up on an ASA5540 without any problems.

Andy
 
As above, make sure the VPN clients are issued with AD DNS/WINS servers. Also any restrictions on these servers should permit access to the pool of addresses/subnet assigned to VPN clients. Depending on what they're doing over VPN it may also be worth adding the subnet in AD if it's not there already.
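
An added example, not part of any post in this thread: a small Python audit that parses ASA `group-policy` blocks like the one posted above and reports policies that do not push an internal DNS server to VPN clients. The policy names, addresses and the `internal_dns` set are constructed assumptions.

```python
import re

# Constructed sample of ASA group-policy configuration (not from the thread).
SAMPLE_CONFIG = """\
group-policy RemoteStaff internal
group-policy RemoteStaff attributes
 wins-server value 10.0.0.11
 dns-server value 10.0.0.10 10.0.0.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
group-policy Contractors internal
group-policy Contractors attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
group-policy Legacy internal
group-policy Legacy attributes
 dns-server value 192.0.2.53
 vpn-tunnel-protocol IPSec
"""

def parse_group_policies(config):
    """Return {policy name: {attribute: [values]}} from group-policy blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) (internal|external|attributes)\b", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and line.strip() and current is not None:
            words = line.split()
            # Drop the literal keyword "value" so only the data remains.
            current[words[0]] = [w for w in words[1:] if w != "value"]
        else:
            current = None  # left the group-policy section
    return policies

def audit_dns(config, internal_dns):
    """List (policy, finding) pairs where clients may end up on outside DNS."""
    findings = []
    for name, attrs in parse_group_policies(config).items():
        servers = attrs.get("dns-server", [])
        if not servers:
            # Nothing set here: the value is inherited from the default policy.
            findings.append((name, "no dns-server set in this policy"))
        for ip in servers:
            if ip not in internal_dns:
                findings.append((name, f"dns-server {ip} is not an internal resolver"))
    return findings
```

Run `audit_dns()` over the group-policy section of a saved configuration, passing the set of AD DNS server addresses as `internal_dns`.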
 