I've got the following set up:
LAN -> DHCP / DNS / VPN server (OSX 10.6) -> Cisco ASA 5505 -> WAN
Connecting to the LAN via VPN works fine. I get all the details properly and I can ping any host on the internal network using their IP. However, I can't do any host lookups whatsoever. I've looked through the logs and found this nugget in the firewall log:
3 Sep 08 2010 10:46:40 305006 10.0.0.197 65371 portmap translation creation failed for udp src inside:myhostname.local/53 dst inside:10.0.0.197/65371
Port 53 is DNS services, no? Because of that log entry, I'm thinking that the issue is with the firewall, not the server. Any ideas? Please keep in mind that I have very little knowledge and experience with this kind of firewall and the little experience I do have is with the ASDM GUI console, not the CLI console.
1) Are your clients establishing the tunnel directly with the ASA or with the "VPN server" in your diagram? 2) Are your VPN clients being given the same IP range as your internal network or a separate range?
Based on the log entry, it sounds like your clients are establishing the tunnel to the ASA and given a different subnet than the internal network. If this is the case, I think you need a NAT exemption rule on your ASA to tell it not to try and NAT traffic between your internal IP range and your VPN IP range. This preserves your source (VPN subnet) and destination networks (internal subnet) so the ASA doesn't think it needs a public/private NAT rule for access to the internal network based on the 2 interfaces it is seeing the traffic come through on. In the GUI this is under: Configuration tab>>Firewall>>NAT Rules although I've had mixed experiences making rules like this in the GUI - might have to go to the CLI.
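For reference, the NAT exemption described above as it would look on the ASA CLI. This is an added example, not part of the answer or of the asker's configuration: it assumes ASA software 8.2 or earlier (the "nat 0 access-list" form), interfaces named "inside" and "outside", an inside LAN of 10.0.0.0/24 inferred from the client address in the log, and a placeholder VPN pool of 192.168.50.0/24.

```cisco
! Added example, not from the answer above. Assumes ASA 8.2 or older
! (the "nat 0 access-list" form) and interfaces named inside/outside.
! Inside LAN: 10.0.0.0/24 (inferred from the client address in the log).
! VPN address pool: 192.168.50.0/24 is a PLACEHOLDER; use your real pool.
!
! Traffic between the LAN and the VPN pool that must not be translated.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! NAT exemption: anything matching NONAT arriving on inside keeps its real
! source and destination, so the DNS reply (udp/53) reaches the VPN client
! instead of failing with "portmap translation creation failed".
nat (inside) 0 access-list NONAT
!
! Same intent on 8.3 and later, where "nat 0" no longer exists:
! object network LAN_NET
!  subnet 10.0.0.0 255.255.255.0
! object network VPN_POOL
!  subnet 192.168.50.0 255.255.255.0
! nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL
!
! Verify (10.0.0.10 stands in for the DNS server's address, also a placeholder):
! show running-config nat
! packet-tracer input inside udp 10.0.0.10 53 192.168.50.5 65371
```

The packet-tracer output should end with a NAT phase reporting the exemption and a final "Action: allow"; if it still shows a dynamic PAT attempt on udp/53, the access list does not match the real pool.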
In my experience this should work with the out of the box config of the ASA. Check for any DHCP settings on the ASA that might be overriding your settings from your LAN DHCP server.
Lines to look for are dhcpd domain, dhcpd dns and dhcpd auto_config. The setup I use is pretty robust, but has the ASA doing DHCP for the local clients - this means that if the VPN goes down, users still have access to local systems.
I have no experience with the specific hardware you are working with. However, with OpenVPN, you need to bridge the network for DNS queries to work. From the sounds of things, you already have a bridged VPN set up (i.e. your client IP address is in the same range as that of the destination network).
When you set up a bridged network like this, your DNS server might still be binding to the original Ethernet interface instead of the new bridged interface.
If that is the case, the packets will not get routed correctly. Get the DNS server to bind to the bridge interface, or even better to the IP address of the bridge interface, so that it will work regardless of whether the VPN is active or not.
I had the same issue with the Cisco VPN Client working over a USB GSM modem. The problem was solved using the following statement on the Cisco ASA.
Where "dominioprivado1.com dominioprivado1.org dominioprivado1.net" are the DNS zones that contain the private servers' names.