I am trying to sole the same issue described below where users who are VPNing to corporate need to get to DMZ off an ISR with ZBPF. The IP address of the resource is the same internally and externally. The question I have is double-nat such as described in the article below ok on IOS firewall and is it the best solution to the problem? As noted - you could solve the issue by having a separate internal DNS but we'd rather not go down that route. Thank-you.