- Cisco PIX 506 and split-dns command
- Posted by Grunteled on June 8th, 2005
I'm working with a PIX 506 to setup VPN from an office location to my
home network. The PIX is at my home and I'm using the Cisco VPN client
on an XP workstation.
My problem is thus:
I can get a split tunnel working and get connected. Everything works
great. Too great. In spite of the command:
vpngroup foo address-pool vpn-address-3
vpngroup foo dns-server helios titan
vpngroup foo wins-server helios
vpngroup foo split-tunnel foo_splitTunnelAcl
vpngroup foo split-dns foo.net foo.org
vpngroup foo idle-time 1800
vpngroup foo password ********
The tunnel is swallowing ALL dns requests. Obviously the clients are
getting DNS settings from the vpngroup and after a connection is made
all requests go to those servers. This isn't going to work. I need to
also be able to resolve DNS names from the client side network and
connect to them. Right now I can't do that since the internal DNS on
the client side is not public. And the VPN side has no way to
replicate these entries, nor would I want to.
Are there any tricks I'm missing to get the Cisco client to only send
requests for "foo.net" and "foo.org" down the tunnel and send the rest
in the clear to the local DNS on the client side?
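As an added illustration (not code from the original post or from Cisco), the Python below parses the vpngroup lines quoted above and models the split-DNS behaviour the poster is asking for: a query is sent to the tunnel's dns-server entries only when its name is one of the split-dns domains or a subdomain of one, and everything else goes to the client's local resolver. The matching is done on label boundaries, so "notfoo.net" is not treated as part of "foo.net". The local resolver address and the query names are constructed for the example; the suffix rule is the intended split-DNS semantics, not what the poster reports actually seeing from the client.

```python
"""Model of split-DNS decisions for a PIX vpngroup (example code, not Cisco's)."""

# Constructed sample: the vpngroup lines from the post.
PIX_CONFIG = """\
vpngroup foo address-pool vpn-address-3
vpngroup foo dns-server helios titan
vpngroup foo wins-server helios
vpngroup foo split-tunnel foo_splitTunnelAcl
vpngroup foo split-dns foo.net foo.org
vpngroup foo idle-time 1800
vpngroup foo password ********
"""


def parse_vpngroups(config_text):
    """Return {group_name: {keyword: [args, ...]}} from 'vpngroup <name> <keyword> <args>' lines.

    Lines that are not vpngroup statements are ignored; unknown keywords are kept as-is.
    """
    groups = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "vpngroup":
            continue
        _, name, keyword, *args = parts
        groups.setdefault(name, {})[keyword] = args
    return groups


def _normalize(name):
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.rstrip(".").lower()


def in_split_domain(qname, split_domains):
    """True if qname equals one of split_domains or is a subdomain of one.

    The check is on label boundaries ('.' + domain), so 'notfoo.net'
    does not match 'foo.net' even though it ends with the same characters.
    """
    q = _normalize(qname)
    for domain in split_domains:
        d = _normalize(domain)
        if q == d or q.endswith("." + d):
            return True
    return False


def choose_resolver(qname, group, local_dns):
    """Decide which servers a split-DNS-honouring client sends qname to.

    Returns ('tunnel', [tunnel dns-servers]) or ('local', [local resolvers]).
    A client that ignores split-dns would instead return the tunnel servers
    for every name once the VPN is up, which is the behaviour the post describes.
    """
    if in_split_domain(qname, group.get("split-dns", [])):
        return ("tunnel", list(group.get("dns-server", [])))
    return ("local", list(local_dns))


def classify(config_text, group_name, queries, local_dns):
    """Map each query name to the resolver set it should be sent to."""
    group = parse_vpngroups(config_text)[group_name]
    return {q: choose_resolver(q, group, local_dns) for q in queries}


if __name__ == "__main__":
    # Constructed query names and a constructed client-side resolver address.
    sample_queries = ["mail.foo.net", "wiki.FOO.ORG.", "notfoo.net",
                      "intranet.office.example", "www.example.com"]
    for name, (where, servers) in classify(PIX_CONFIG, "foo", sample_queries,
                                           ["192.0.2.53"]).items():
        print(f"{name:28} -> {where:6} {servers}")
```

Only the two names under foo.net and foo.org should reach helios and titan; the office-internal name stays with the client-side resolver, which is exactly what the poster needs and what the client was failing to do.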
- Posted by Jyri Korhonen on June 8th, 2005
"Grunteled" <origin197511@yahoo.com> wrote:
I'm afraid there isn't much you can do. If you define
vpngroup dns-server X [Y]
then all DNS requests are destined to it/them when you have
opened a VPN connection. However I'm not sure if this is
strictly a VPN client problem because I made a quick check and
couldn't figure out how you can set up Windows to ask DNS
information for domain X from server Y (I'm using Windows 2000
Server). Can you do it?
If this feature is not implemented into the underlying OS then
there's no way that the VPN client could override it.
- Posted by Grunteled on June 9th, 2005
I'm pretty sure it is *possible*. My old SHIVA VPN client would do it.
I'm also pretty sure it works in the 3000 concentrators. I just found
it odd that the command does nothing even though the log on the VPN
client says that it's enabled and gets the correct settings.
This can't be a new thing that Cisco never imagined people would need.