acomiskey Mon, 04/30/2007 - 09:43

Split tunneling would obviously work, but is there any way without enabling split tunnel?

Is there a way to selectively rewrite DNS (DNS doctoring) when requests are from a certain subnet (VPN client)?

jdehnert Tue, 05/01/2007 - 08:52

I have what sounds like the same problem. I have a mail server on a DMZ net off of an ASA5510. I have things set up so I can access it from a) the Internet and b) the internal LAN, BUT users who come in using the VPN cannot connect. They do resolve the address of the mail server to the internal address, but they can never connect.

I have thought about using a split DNS that just gives the VPN users the external IP address of the mail server, and forwards all the other addresses to the internal DNS servers, but that seems like a kludge.

For the record, the company info is incorrect on my account. I am no longer with Cisco. It was fun when I was though.

acomiskey Tue, 05/01/2007 - 09:33

No, your problem is not the same. You need to add the DMZ traffic to your interesting traffic in your crypto ACL and also add NAT exemption on the DMZ.

access-list permit ip

access-list dmz_nat0_outbound permit ip host

nat (dmz) 0 access-list dmz_nat0_outbound

I am attempting to use a pair of CSS which resolve to a public IP only.

edit: jdehnert, check your other post
