I have a Cisco SA540 running the latest 2.1.18 firmware. This firmware supports the Cisco VPN Client and it works quite well with Apple Mac OS X and iPhone. It seems that by default, the SA IPSec server provides split tunneling: subnets on the LAN side of the SA are accessed from the client through the IPSec tunnel, and other networks are accessed directly. This behavior is fine for me.
Now, here is my problem. The SA firmware does not seem to support split DNS, i.e. I found no way to give the address of a LAN DNS server to a client connecting through the IPSec tunnel. So a client must know the real IP addresses of the hosts it wants to access on the remote LAN. Please, does anybody know a way to inform an IPSec client of the address of a DNS server running on the private LAN?
In other words, I would like to find a way to do what the following IOS commands (in bold) do:
! Split-tunnel ACL: only traffic matching this list is sent through the tunnel
ip access-list extended mysplitacl
permit ip 192.168.1.0 0.0.0.255 any
! Client group configuration that the ACL (and the pushed DNS settings) are attached to
crypto isakmp client configuration group myvpngroup
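Since the gateway cannot push a DNS server, one client-side workaround on Mac OS X is a per-domain resolver file in /etc/resolver/ (the system consults /etc/resolver/<domain> for names under that domain; `scutil --dns` shows the result). The script below is an added example, not part of the original post or of the SA540 firmware: it writes that file and first checks that the nameserver address falls inside the split-tunnel ACL entry quoted above (192.168.1.0 with wildcard 0.0.0.255), because with split tunneling a DNS server outside the tunneled subnets would be queried over the default route, in the clear. The LAN domain corp.example, the DNS server 192.168.1.10 and the temporary output directory are assumptions for the demo; the iPhone client has no equivalent of this file and is not covered.

```shell
#!/bin/sh
# Added example (not from the original post): client-side split DNS on Mac OS X
# via /etc/resolver/<domain>, guarded by a check against the split-tunnel ACL.
# Assumed values: domain corp.example, LAN DNS 192.168.1.10, ACL entry
# 192.168.1.0 0.0.0.255 (from the IOS snippet in the post).

# ip4_to_int DOTTED_QUAD -> prints the address as a 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# matches_acl_entry IP NETWORK WILDCARD -> exit 0 if IP matches the IOS-style
# ACL entry "permit ip NETWORK WILDCARD any" (wildcard bits are "don't care")
matches_acl_entry() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "$2")
    wild=$(ip4_to_int "$3")
    [ $(( ip & ~wild )) -eq $(( net & ~wild )) ]
}

# resolver_file_contents NAMESERVER -> the resolv.conf-style body for
# /etc/resolver/<domain>
resolver_file_contents() {
    printf 'nameserver %s\n' "$1"
}

# install_split_dns DOMAIN NAMESERVER NETWORK WILDCARD [DIR]
# Writes DIR/DOMAIN (DIR defaults to /etc/resolver, which needs root) so that
# names under DOMAIN are resolved by NAMESERVER. Refuses when NAMESERVER is not
# covered by the split-tunnel ACL entry, since its queries would then bypass
# the tunnel and travel unencrypted over the default route.
install_split_dns() {
    domain=$1; ns=$2; net=$3; wild=$4; dir=${5:-/etc/resolver}
    if ! matches_acl_entry "$ns" "$net" "$wild"; then
        echo "refusing: $ns is not covered by split-tunnel entry $net $wild" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    resolver_file_contents "$ns" > "$dir/$domain"
}

# Demo with constructed values, written to a temporary directory rather than
# /etc/resolver so it runs unprivileged; drop the last argument for the real thing.
demo_dir=$(mktemp -d)
install_split_dns corp.example 192.168.1.10 192.168.1.0 0.0.0.255 "$demo_dir" \
    && cat "$demo_dir/corp.example"
# A resolver on 10.0.0.53 is outside the tunneled subnet and is rejected:
install_split_dns corp.example 10.0.0.53 192.168.1.0 0.0.0.255 "$demo_dir" \
    || echo "(rejected as expected)"
```

After writing the file for real, `scutil --dns` should list a resolver scoped to corp.example pointing at 192.168.1.10; hosts outside that domain keep using the normal resolvers, which is the split-DNS behaviour the gateway could not provide.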