Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain
Defining a List of Domains for Split Tunneling
Enter a list of domains to be resolved through the split tunnel. Enter the split-dns command in 
group-policy configuration mode. To delete a list, enter the no form of this command.
When there are no split tunneling domain lists, users inherit any that exist in the default group policy. 
To prevent users from inheriting such split tunneling domain lists, enter the split-dns command with the 
none keyword.
To delete all split tunneling domain lists, enter the no split-dns command without arguments. This 
deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns 
command with the none keyword.
The parameter value domain-name provides a domain name that the ASA resolves through the split 
tunnel. The none keyword indicates that there is no split DNS list. It also sets a split DNS list with a null 
value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or 
specified group policy. The syntax of the command is as follows:
hostname(config-group-policy)# split-dns {value domain-name1 [domain-name2 ... domain-nameN] | none}
hostname(config-group-policy)# no split-dns [domain-name1 domain-name2 ... domain-nameN]
Enter a single space to separate each entry in the list of domains. There is no limit on the number of 
entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric 
characters, hyphens (-), and periods (.). If the default domain name is to be resolved through the tunnel, 
you must explicitly include that name in this list.
The following example shows how to configure the domains Domain1, Domain2, Domain3, and 
Domain4 to be resolved through split tunneling for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4
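The following Python script is an added example, not part of the Cisco guide, that turns the limits just described into a pre-flight check: it validates a proposed domain list against the 255-character limit and the allowed character set, warns when the group policy's default domain is not listed explicitly (the guide states it is only resolved through the tunnel if it appears in the list), renders the two CLI lines, and parses split-dns settings back out of running-config text so existing policies can be audited. The sample running-config is constructed for the example, and the group-policy names other than FirstGroup are hypothetical.

```python
import re

# Limits stated for the split-dns command: entries separated by a single
# space, whole string at most 255 characters, only letters, digits,
# hyphens and periods.
MAX_SPLIT_DNS_LEN = 255
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Constructed sample of running-config text (not captured from a real ASA);
# group-policy names other than FirstGroup are hypothetical.
SAMPLE_RUNNING_CONFIG = """\
group-policy DfltGrpPolicy attributes
 split-dns value corp.example.com
group-policy FirstGroup attributes
 default-domain value FirstDomain
 split-dns value Domain1 Domain2 Domain3 Domain4
group-policy Contractors attributes
 split-dns none
group-policy Inherits attributes
 vpn-idle-timeout 30
"""


def check_split_dns(domains, default_domain=None):
    """Return a list of 'error: ...' / 'warning: ...' strings for a proposed list.

    An empty return value means the list satisfies the documented limits.
    default_domain is the group policy's default-domain value, if any; the
    guide says it is only resolved through the tunnel when listed explicitly,
    so its absence is reported as a warning rather than silently accepted.
    """
    problems = []
    if not domains:
        return ["error: empty list (use 'split-dns none' to block inheritance instead)"]
    for d in domains:
        if not DOMAIN_RE.match(d):
            problems.append(f"error: {d!r} has characters other than letters, digits, '-' and '.'")
    value = " ".join(domains)
    if len(value) > MAX_SPLIT_DNS_LEN:
        problems.append(f"error: list is {len(value)} characters, limit is {MAX_SPLIT_DNS_LEN}")
    seen = set()
    for d in domains:
        if d.lower() in seen:
            problems.append(f"warning: {d!r} is listed more than once")
        seen.add(d.lower())
    if default_domain and default_domain.lower() not in seen:
        problems.append(
            f"warning: default-domain {default_domain!r} is not listed, "
            "so it will not be resolved through the tunnel"
        )
    return problems


def render_split_dns(group_policy, domains):
    """Render the two CLI lines that set the list, refusing lists with errors."""
    errors = [p for p in check_split_dns(domains) if p.startswith("error")]
    if errors:
        raise ValueError("; ".join(errors))
    return [
        f"group-policy {group_policy} attributes",
        f" split-dns value {' '.join(domains)}",
    ]


def parse_split_dns(running_config):
    """Map group-policy name -> split-dns domain list from running-config text.

    'split-dns none' yields []; a policy with no split-dns line is absent from
    the result, meaning it inherits whatever the default group policy has.
    """
    result = {}
    current = None
    for line in running_config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+split-dns (?:value (.+?)|none)\s*$", line)
        if m and current:
            result[current] = m.group(1).split() if m.group(1) else []
    return result


if __name__ == "__main__":
    for group, domains in parse_split_dns(SAMPLE_RUNNING_CONFIG).items():
        print(group, domains, check_split_dns(domains) if domains else "explicit none")
    print("\n".join(render_split_dns("FirstGroup", ["Domain1", "Domain2", "Domain3", "Domain4"])))
```

Policies that do not appear in the parsed result inherit the default group policy's list, which is exactly the case the none keyword exists to prevent; running the check over a show running-config capture before a change makes that inheritance visible instead of assumed.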
Configuring DHCP Intercept
A Microsoft Windows XP anomaly corrupts domain names if the split-tunnel options exceed 255 
bytes. To avoid this problem, the ASA limits the number of routes it sends to between 27 and 40, 
depending on the classes of the routes.
DHCP Intercept lets Microsoft Windows XP clients use split-tunneling with the ASA. The ASA replies 
directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the 
subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients 
prior to Windows XP, DHCP Intercept provides the domain name and subnet mask. This is useful in 
environments in which using a DHCP server is not advantageous. 
The intercept-dhcp command enables or disables DHCP intercept. The syntax of this command is as 
follows:
hostname(config-group-policy)# intercept-dhcp netmask {enable | disable}
hostname(config-group-policy)# no intercept-dhcp
The netmask variable provides the subnet mask for the tunnel IP address. The no version of the command 
removes the DHCP intercept from the configuration.