
PIX 515 - VPN with Split-DNS & Split-tunneling


Dragon69 (MIS), Feb 3, 2003
I'm running a PIX 515 with a VPN solution. My clients connect fine through both PPTP and IPSEC (3DES). Split tunneling is working fine - that is, they are able to get to things on the corporate network, as well as free rein over their internet access via their ISP. My problem is that we have an intranet/internet website with a page on it that is restricted to corporate employees only. The idea was that allowing them to VPN in would give them access to this website since access to it is controlled by subnet. Wrong! Since it pulls its DNS info from the ISP site, it gets the public adaptor address and is denied access to the restricted page.

So after reading a lot of documentation, I determined that Split-DNS is probably the way to solve the problem, as this would give the IP of the internal adaptor to the intranet/internet site as opposed to the public adaptor IP. Unfortunately, I'm not finding much documentation on the EXACT syntax of the command. Is it entered as:

vpngroup test split-dns domainone.com,domaintwo.com

or

vpngroup test split-dns *.domainone.com,*.domaintwo.com

etc., etc. I have tried several combinations of these and each time, my ping result returns the outside adaptor address. Hope you might have some specifics on the subject!

Allan
 
By the way, we ARE running an internal and an external dns. The web server is on the DMZ and an alias is created on the pix for it from the inside. (i.e. - outside = 207.50.20.22 aliased to inside = 172.22.20.22).
 
HI.

I never tried this split-dns option before, but here are some things to consider:

The client has a local DNS cache, so if the cache is populated with the external address of your domain, the client will not generate DNS requests until you reboot it.

The alias command probably does not apply to VPN clients on the outside interface.

I would try first to simply configure/instruct the remote users to use the IP address instead of the FQDN if applicable, or use something like .

Bye
Yizhar Hurwitz
 
This is true. I flushed the local cache using the ipconfig /flushdns command and tried it again with no effect. The user CAN access the server via IP address, but DNS seems to issue out the true interface address (outside address) rather than the internal aliased address. We have a DNS entry in the internal DNS reflecting an internal IP, but even querying directly against that DNS server using NSLookup returns the outside interface IP address. I've already lost half my hair on this one, and the other half is quickly turning gray. Let me know if anyone has an idea or needs more info!
 
HI.

> but even querying directly against that DNS server using NSLookup returns the outside interface IP
Maybe the alias command is working in both directions?
Try to remove it from the config and see what happens.
You don't need alias if you properly configure internal DNS and all internal hosts use the internal DNS server.

Bye
Yizhar Hurwitz
 
Removing the Alias command and all references in the IDNS to the aliased IP seems to get us a little closer. I can get to the website internally and externally, but once I connect to the VPN server via IPSEC using Cisco Secure Client, I can no longer hit the website. I have an access-list command that is supposed to route that traffic through the VPN, but it's getting caught up somewhere. Here is the command:

access-list acl_nonat_ipsec permit ip 207.XX.XX.0 255.255.255.0 172.22.33.0 255.255.255.0

This address also properly reflects in the Cisco Client Routing Table.
 
HI.

Posting your current pix config will help here.

> ... using Cisco Secure Client, I can no longer hit the website ...
Using ip address? Which one (the external or internal ip of the server)?
Using FQDN? What IP does the name resolve to now at the client?

Any related syslog messages at the pix?

Bye
Yizhar Hurwitz
 
The server only had one ip address to start with, which was an external one. My supervisor had wanted an Alias command on the PIX which gives it a virtual internal address (I don't know why he wanted it that way). As I said above, I had removed the alias command and relevant DNS entries so that only the one address remained. I was able to get to the web server using the IP or FQDN both internally and externally. The IP also resolved to the right address both internally and externally. I ran a 'logging history 4' at the console and was able to see the traffic to the IPSEC client. My connection was getting through to the webserver, but webserver response back to the IPSEC client was being denied. I do not have the exact error message at this time, but I will try to capture it again and post it here with the config later today.
 
I've been having some similar problems with the Cisco VPN client (3.6.3A) regarding split-dns. It hasn't concerned me too much because I have a Nortel Contivity box and the Nortel VPN client works really well :) However, it does bother me that I've had so many issues with the Cisco VPN client and I will eventually be using it on a remote customer site. Today I looked at Cisco's site and discovered that they've released 3.6.3B. I downloaded it and it solves almost all my split-dns issues that I was having with "A".
 
Perhaps I am simplifying this too much. I have a vpngroup setup with the DNS of the inside network:

vpngroup acme dns-server xxx.xxx.xxx.xxx

This resolves the ip addresses in the DMZ as the inside addresses.

I have other issues about actually accessing the DMZ however.
 
RickyTicky,

Not sure if you got your answer on this one, but we use split-tunneling with our vpn clients and have no issues. Here is the command:

vpngroup {vpn group name} split-dns domain1.com domain2.com domain3.com domain4.com

Hope this helps and good luck!

ilurec
 
And you have a DNS server specified for that vpngroup?

Example:

vpngroup (groupname) dns-server (ip of dns server on inside)

As far as I know, you have to use the alias. There's no way to route Cisco VPN clients going into a PIX to the DMZ. You have to redirect all the DMZ packets to aliases on the internal interface. Don't ask me why this is...but I've been trying to solve this same problem for the last 2 weeks. The only thing that works for us is the alias solution.

 
I know that you are doing this to get split tunneling to work, but originally you were doing this to make the users get to the web site from the right address.

Why not just build a simple HOSTS file and push it to everyone's machine who needs to access the site from a different IP. What I mean is, why not make the HOSTS file, which is a local DNS cache in essence. Put that file in a zip file with a small batch file, send that to every user who needs the adjusted IP resolution in an email. And then have them run it, installing the file to the windows\system32\drivers\etc dir. You could push it to them with the right shares and permissions if you are on NT\2K\XP too, and save all this trouble with split DNS.

I tried split DNS, it worked for some basic stuff, but something like this seems like the wrong place for this approach. If you get split DNS to work, great, more power to you. Please share as we would all like to know how to do it, but if not a simple HOSTS file will get the job done and still have you freed up for a new project by lunch time.

Eddie Venus
 
Have you specified the default-domain setting for the vpngroup? That will do it. We have the default-domain setting in our config for companydomain1.com. If I VPN in, request it hits my company's internal dns server first, the dns server returns the internal address as the reply, and the web page loads up.

If I request anything else, like it sends the request to my ISP's dns server and finds that address correctly, and loads it correctly.
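Pulling the pieces from the thread together (an inside DNS server on the vpngroup, a default-domain, a space-separated split-dns list, a split-tunnel ACL and the matching nat 0 rule), this is what a complete PIX 6.x remote-access group looks like. It is an added example, not a config posted by anyone in the thread: the group name "acme", the pool 172.22.50.0/24, the inside subnet 172.22.33.0/24, the DNS server 172.22.33.10 and the domain names are placeholders.

```cisco
! Added example, not from the thread. Every address, name and the group
! name "acme" is a placeholder; substitute your own values.
!
! Addresses handed to IPsec clients when they connect.
ip local pool vpnpool 172.22.50.1-172.22.50.100
!
! Inside <-> VPN pool traffic must bypass NAT (identity NAT), and the
! same subnets are what the client routes down the tunnel; everything
! else leaves via the client's ISP (split tunneling).
access-list acl_nonat_ipsec permit ip 172.22.33.0 255.255.255.0 172.22.50.0 255.255.255.0
access-list split_tunnel permit ip 172.22.33.0 255.255.255.0 172.22.50.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_ipsec
!
! Let decrypted VPN traffic bypass the interface ACLs.
sysopt connection permit-ipsec
!
vpngroup acme address-pool vpnpool
! Clients send queries for the split-dns domains to this inside server
! and use their ISP resolver for every other name. Domains are separated
! by spaces; no commas and no wildcards.
vpngroup acme dns-server 172.22.33.10
vpngroup acme default-domain domainone.com
vpngroup acme split-dns domainone.com domaintwo.com
vpngroup acme split-tunnel split_tunnel
vpngroup acme idle-time 1800
vpngroup acme password ********
```

Two checks worth doing before blaming the client. First, the inside DNS server must actually answer with the address that is reachable through the tunnel for the intranet host; if its zone holds the public 207.x address, split-DNS changes nothing, and a client that resolved the name before connecting will keep the cached answer until `ipconfig /flushdns`. Second, if the web server sits on the DMZ rather than inside, the return path from DMZ to the VPN pool also needs an identity NAT rule on that interface (`nat (dmz) 0 access-list ...` with the DMZ subnet and the pool), otherwise the PIX drops the server's replies exactly as described in the thread. `show vpngroup` confirms what the PIX will push to the client on connect.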
 