Cisco PIX 506 and split-dns command

I'm working with a PIX 506 to set up a VPN from an office location to my home network. The PIX is at my home and I'm using the Cisco VPN client on an XP workstation.

My problem is thus:

I can get a split tunnel working and get connected. Everything works great. Too great. In spite of the command:

    vpngroup foo address-pool vpn-address-3
    vpngroup foo dns-server helios titan
    vpngroup foo wins-server helios
    vpngroup foo split-tunnel foo_splitTunnelAcl
    vpngroup foo split-dns foo.net foo.org
    vpngroup foo idle-time 1800
    vpngroup foo password ********

The tunnel is swallowing ALL dns requests. Obviously the clients are getting DNS settings from the vpngroup and after a connection is made all requests go to those servers. This isn't going to work. I need to also be able to resolve DNS names from the client side network and connect to them. Right now I can't do that since the internal DNS on the client side is not public. And the VPN side has no way to replicate these entries, nor would I want to.

Are there any tricks I'm missing to get the Cisco client to only send requests for "foo.net" and "foo.org" down the tunnel and send the rest in the clear to the local DNS on the client side?

Grunteled
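The behaviour the poster is asking for, as an added illustration that is not part of the original post: parse the `dns-server` and `split-dns` lines of the vpngroup configuration above and route each lookup either to the tunnel resolvers (only for `foo.net`, `foo.org` and their subdomains, matched on label boundaries) or to the client's local resolvers. The local resolver address is a constructed placeholder.

```python
# Constructed excerpt of the vpngroup lines quoted in the post (password line omitted).
PIX_CONFIG = """\
vpngroup foo address-pool vpn-address-3
vpngroup foo dns-server helios titan
vpngroup foo wins-server helios
vpngroup foo split-tunnel foo_splitTunnelAcl
vpngroup foo split-dns foo.net foo.org
vpngroup foo idle-time 1800
"""


def parse_vpngroup(config, group):
    """Return (dns_servers, split_domains) for one vpngroup from PIX-style config text."""
    dns_servers, split_domains = [], []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "vpngroup" or parts[1] != group:
            continue
        if parts[2] == "dns-server":
            dns_servers = parts[3:]
        elif parts[2] == "split-dns":
            split_domains = [d.lower().strip(".") for d in parts[3:]]
    return dns_servers, split_domains


def in_split_domain(name, split_domains):
    """True if name is a split-DNS domain or a subdomain of one.

    The comparison is done on label boundaries, so "notfoo.net" does
    not match the split domain "foo.net".
    """
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in split_domains)


def resolver_for(name, dns_servers, split_domains, local_servers):
    """Servers a split-DNS-aware client should query for name.

    Tunnel DNS servers only for names under the split domains; every
    other name stays with the client's local resolvers. This is the
    opposite of the "all DNS goes down the tunnel" behaviour reported.
    """
    if in_split_domain(name, split_domains):
        return list(dns_servers)
    return list(local_servers)
```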

I'm afraid there isn't much you can do. If you define

vpngroup dns-server X [Y]

then all DNS requests are destined to it/them when you have opened a VPN connection. However I'm not sure if this is strictly a VPN client problem because I made a quick check and couldn't figure out how you can set up Windows to ask DNS information for domain X from server Y (I'm using Windows 2000 Server). Can you do it? If this feature is not implemented into the underlying OS then there's no way that the VPN client could override it.

Jyri Korhonen

I'm pretty sure it is *possible*. My old SHIVA VPN client would do it. I'm also pretty sure it works in the 3000 concentrators. I just found it odd that the command does nothing even though the log on the VPN client says that it's enabled and gets the correct settings.

This can't be a new thing that Cisco never imagined people would need.

Grunteled
