Problem with Split DNS

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Problem with Split DNS

    Ok, I'll try to explain as best I can since English is my 2nd language.

    1) I have a working ASA 5505 VPN connection with split tunnel, which means that my clients can connect to work and still access their local network
    2) The problem I have is that at the moment they need to connect (for example with RDP) using the IP address, so 192.168.0.16
    3) I would like to be able to RDP using w7.domain.local instead of 192.168.0.16
    4) I heard about the split-tunnel value domain.local, but the problem is that I need the VPN connection to assign me a DNS server address and a search domain to be able to try to ping
    5) I added the DNS server IP and the search domain name manually on my Mac and it still doesn't work
    6) The most important part: since the local LAN of the work office is 192.168.0.X and a lot of people at home have 192.168.0.X, we use IP translation, so to communicate with, for example, 192.168.0.16 I write 192.168.200.16 and I can access my PC at work

    TL;DR version

    I want my VPN connection to assign my VPN client this IP address, 192.168.200.14, and the search domain domain.local

    I want to be able to run ping w7.domain.local from my VPN client and have the packet pass through the Cisco as 200.16, then convert back to 0.16 and access my PC

    Here is my config; please note that I removed some confidential info, but the VPN connection is working at the moment

    If you have any questions feel free to ask


    ASA Version 8.2(1)
    !
    terminal width 250
    hostname machine
    enable password G0n/46uG1zueNp0y encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list inside-out extended permit tcp host 192.168.0.2 any eq smtp
    access-list inside-out extended deny tcp any any eq smtp
    access-list inside-out extended permit ip any any
    access-list inside-out extended permit icmp any any
    access-list vpn-client-policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.250.132.0 255.255.255.0
    access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
    access-list 100 extended deny tcp 10.250.132.0 255.255.255.0 eq smtp 192.168.200.0 255.255.255.0 eq smtp
    access-list 100 extended permit ip 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit icmp 10.250.132.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit ip 10.250.132.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list 100 extended permit icmp 10.250.132.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list outbound extended permit tcp host 192.168.0.2 any eq smtp
    access-list outbound extended permit tcp host 192.168.0.10 any eq smtp
    access-list outbound extended deny tcp any any eq smtp
    access-list outbound extended permit ip any any
    pager lines 34
    logging enable
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool mobilepool 10.250.132.100-10.250.132.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (outside,inside) 192.168.200.0 192.168.0.0 netmask 255.255.255.0
    static (inside,outside) 192.168.200.0 access-list vpn-client-policy-nat
    access-group outbound in interface inside
    access-group outside-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 24.37.96.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mobileset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set mobileset
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
    crypto map mobilemap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 10.0.128.0 255.255.255.0 inside
    ssh 10.250.132.0 255.255.255.0 inside
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 192.168.0.0 255.255.255.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    !


    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mobilegroup internal
    group-policy mobilegroup attributes
    vpn-simultaneous-logins 50
    vpn-idle-timeout 2000
    vpn-session-timeout 2000
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    split-dns value domain.local
    group-policy mobile_policy internal
    group-policy mobile_policy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    tunnel-group mobilegroup type remote-access
    tunnel-group mobilegroup general-attributes
    address-pool mobilepool
    default-group-policy mobile_policy
    tunnel-group mobilegroup ipsec-attributes
    pre-shared-key key
    !
    class-map global-class
    match default-inspection-traffic
    class-map inspection
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8483359024d4bec86c077bb9dbbcd324
    : end
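The questions the post raises (which group-policy the tunnel-group actually applies, whether that policy pushes a DNS server and a split-DNS domain, and how the static NAT turns a 192.168.200.x address into the real 192.168.0.x host) can be checked mechanically. The script below is an added example, not code from the post or from Cisco: it parses an excerpt of the posted configuration, with the one-space indentation ASA uses for sub-commands restored (the forum rendering flattened it, so that indentation is an assumption), and reports the effective group-policy for `tunnel-group mobilegroup`, the DNS-related attributes it carries (`dns-server`, `default-domain`, `split-dns` are real ASA group-policy attributes), and the mapped-to-real address translation for any host in the static NAT ranges. The `DfltGrpPolicy` fallback is the name ASA uses when a tunnel-group sets no `default-group-policy`.

```python
"""Audit split-tunnel / split-DNS settings in an ASA 8.2 remote-access config.

Added example (not from the forum post). Parses a config excerpt, finds the
group-policy a tunnel-group really applies, lists its DNS attributes and
resolves mapped (192.168.200.x) addresses back to real (192.168.0.x) hosts.
"""
import ipaddress
import re

# Excerpt of the posted configuration; sub-command indentation restored
# (assumption: ASA writes one leading space, the forum stripped it).
ASA_CONFIG = """\
ip local pool mobilepool 10.250.132.100-10.250.132.130 mask 255.255.255.0
access-list vpn-client-policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.250.132.0 255.255.255.0
access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
static (outside,inside) 192.168.200.0 192.168.0.0 netmask 255.255.255.0
static (inside,outside) 192.168.200.0 access-list vpn-client-policy-nat
group-policy mobilegroup internal
group-policy mobilegroup attributes
 vpn-simultaneous-logins 50
 split-tunnel-network-list value VPN-SPLIT-TUNNEL
 split-dns value domain.local
group-policy mobile_policy internal
group-policy mobile_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT-TUNNEL
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
 address-pool mobilepool
 default-group-policy mobile_policy
"""

DNS_ATTRS = ("dns-server", "default-domain", "split-dns",
             "split-tunnel-policy", "split-tunnel-network-list")


def parse_blocks(config):
    """Return {header line: [indented sub-commands]} plus '_top' (all top-level lines)."""
    blocks = {"_top": []}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks["_top"].append(current)
    return blocks


def effective_group_policy(blocks, tunnel_group):
    """Group-policy the tunnel-group applies; DfltGrpPolicy when none is set."""
    for line in blocks.get(f"tunnel-group {tunnel_group} general-attributes", []):
        m = re.match(r"default-group-policy (\S+)", line)
        if m:
            return m.group(1)
    return "DfltGrpPolicy"


def policy_dns_settings(blocks, policy):
    """Map each DNS / split-tunnel attribute of a group-policy to its value (None if absent)."""
    found = {k: None for k in DNS_ATTRS}
    for line in blocks.get(f"group-policy {policy} attributes", []):
        for key in DNS_ATTRS:
            if line.startswith(key + " "):
                found[key] = line[len(key):].strip().removeprefix("value ").strip()
    return found


def policies_with(blocks, attr):
    """Names of every group-policy that carries the given attribute."""
    names = []
    for header in blocks:
        m = re.match(r"group-policy (\S+) attributes", header or "")
        if m and policy_dns_settings(blocks, m.group(1))[attr] is not None:
            names.append(m.group(1))
    return names


def static_mappings(blocks):
    """(real_ifc, mapped_ifc, mapped_net, real_net) for each static NAT line,
    covering both the 'netmask' form and the policy 'access-list' form."""
    acl_nets = {}
    for line in blocks["_top"]:
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) ", line)
        if m:
            acl_nets[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    out = []
    for line in blocks["_top"]:
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            mapped = ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}", strict=False)
            real = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            out.append((m.group(1), m.group(2), mapped, real))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)", line)
        if m and m.group(4) in acl_nets:
            real = acl_nets[m.group(4)]
            mapped = ipaddress.ip_network(f"{m.group(3)}/{real.prefixlen}", strict=False)
            out.append((m.group(1), m.group(2), mapped, real))
    return out


def untranslate(blocks, mapped_ip):
    """Real host behind a mapped address (same host offset), or None if no static covers it."""
    addr = ipaddress.ip_address(mapped_ip)
    for _, _, mapped, real in static_mappings(blocks):
        if addr in mapped:
            return str(real.network_address + (int(addr) - int(mapped.network_address)))
    return None


def audit(blocks, tunnel_group):
    """Summarise what a client of this tunnel-group is actually pushed for DNS."""
    policy = effective_group_policy(blocks, tunnel_group)
    settings = policy_dns_settings(blocks, policy)
    return {
        "policy": policy,
        "settings": settings,
        "missing": [k for k in ("dns-server", "split-dns") if settings[k] is None],
        "split_dns_elsewhere": [p for p in policies_with(blocks, "split-dns") if p != policy],
    }


if __name__ == "__main__":
    b = parse_blocks(ASA_CONFIG)
    print(audit(b, "mobilegroup"))
    print("192.168.200.16 ->", untranslate(b, "192.168.200.16"))
```

Run against the excerpt, the audit shows that `tunnel-group mobilegroup` applies `mobile_policy`, which carries the split-tunnel list but neither `dns-server` nor `split-dns`, while the `split-dns value domain.local` line lives in `mobilegroup`, a policy no tunnel-group references; the NAT lookup confirms 192.168.200.16 maps back to 192.168.0.16.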