vpn client access to internal server via outside address

Unanswered Question
Apr 30th, 2007

Is it possible for a remote access VPN client to connect to a server on the inside or DMZ with its outside address? ASA 7.2.1

acomiskey Mon, 04/30/2007 - 09:43

Split tunneling would obviously work, but is there any way without enabling split tunnel?

Is there a way to selectively rewrite DNS (DNS doctoring) when requests come from a certain subnet (VPN client)?

jdehnert Tue, 05/01/2007 - 08:52

I have what sounds like the same problem. I have a mail server on a DMZ net off an ASA5510. I have things set up so I can access it from a) the internet and b) the internal LAN, BUT users who come in using the VPN cannot connect. They do resolve the address of the mail server to the internal address, but they can never connect.

I have thought about using a split DNS that just gives the VPN users the external IP address of the mail server, and forwards all the other addresses to the internal DNS servers, but that seems like a kludge.

For the record, the company info is incorrect on my account. I am no longer with Cisco. It was fun when I was though.

acomiskey Tue, 05/01/2007 - 09:33

No, your problem is not the same. You need to add the dmz traffic to your interesting traffic in your crypto acl and also add nat exemption on dmz.

access-list permit ip

access-list dmz_nat0_outbound permit ip host

nat (dmz) 0 access-list dmz_nat0_outbound

I am attempting to use a pair of CSS which resolve to public ip only.

edit: jdehnert, check your other post
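The two pieces acomiskey describes (DMZ hosts in the tunnel's interesting traffic, plus NAT exemption on the DMZ interface) written out as a constructed ASA 7.2 fragment. This is an added illustration, not configuration from the thread or from either poster; the ACL names, group-policy name, VPN pool 192.168.100.0/24 and mail server 10.20.0.25 are assumed placeholders. For a remote-access client the "crypto ACL" is the split-tunnel network list attached to the group policy, which only matters if split tunneling is enabled; the NAT exemption is needed either way.

```cisco
! Constructed example; every name and address below is a placeholder.
! Assumed: VPN client pool 192.168.100.0/24, DMZ mail server 10.20.0.25
! on interface "dmz", inside LAN 10.10.0.0/16.

! 1. Interesting traffic for the remote-access tunnel. With split
!    tunneling, the client only encrypts destinations in this list, so the
!    DMZ host must be added alongside the inside LAN. (With tunnelall the
!    client already sends everything through the tunnel; skip this part.)
access-list vpn_split_tunnel standard permit 10.10.0.0 255.255.0.0
access-list vpn_split_tunnel standard permit host 10.20.0.25
group-policy vpn_group_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel

! 2. NAT exemption on the DMZ interface. Without it the ASA tries to
!    translate DMZ-to-pool replies with the DMZ's normal NAT rules and the
!    server's answers never make it back into the tunnel.
access-list dmz_nat0_outbound extended permit ip host 10.20.0.25 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

! 3. Checks after applying: confirm the exemption is present and that the
!    client's SA now includes the DMZ host as a protected destination.
show run nat
show run access-list dmz_nat0_outbound
show crypto ipsec sa
```

The inside interface normally already has its own `nat (inside) 0` exemption for the pool; the point of the DMZ rule is that exemptions are per interface, so the inside one does nothing for a server that sits on the DMZ.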
