
Access Outside VPN IP from Inside

Unanswered Question
Jun 24th, 2012

Hi,

Currently I have my VPN working fine for external users, but would like to give access to my internal "Guest" users as well.

I know I can enable VPN on the inside interface, but the problem here is that my guests use Google's DNS servers, so my VPN record always points to the outside IP address. I don't want to be forced to setup a new DNS server just for this, or to use different DNS records for when the users are inside.

I would like to ask:

- How can I allow inside users to access VPN through the outside IP address?

- Alternatively, how can I make the ASA rewrite Google's returned DNS record to my inside VPN address?


Thanks.

Jennifer Halim Sun, 06/24/2012 - 05:24
Cisco Employee

Firstly, what is the purpose of VPN within the inside network? Essentially the traffic will only be encrypted towards the ASA, and traffic between the ASA back towards the internal resources is unencrypted anyway, and it is all within your internal network.


To answer your question:

- You can't VPN to the outside IP if you are connected to the inside interface of the ASA. You can however VPN to the inside interface of the ASA if required.

Ricardo Duarte Sun, 06/24/2012 - 14:36

Hi Jennifer,


Any way to rewrite the DNS response then? My DNS responses for the VPN record are coming from outside, so maybe I can make ASA rewrite them.


About the purpose:

- I want to provide encryption over unencrypted wireless guest network

- I want to provide encryption over WEP wireless network for devices that don't support WPA

- I want to apply ACL based on posture (ASA DAP + Hostscan)

- I want to allow users to access their familiar Clientless VPN portal

- I want to be able to deploy Anyconnect client when users are inside, in the same way I do when they are outside

- I want to enable my users to setup/test the connection before they leave the building

- I can't connect my "guests" to an outside network


Thanks.

Jennifer Halim Mon, 06/25/2012 - 01:48
Cisco Employee

You can't rewrite a DNS response on the ASA interface itself. You can only rewrite DNS for your NAT translation host, unfortunately.
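As an added illustration that is not part of this thread, the NAT-host DNS rewrite Jennifer refers to is the `dns` keyword on a static NAT rule (often called DNS doctoring). The object name and the addresses 10.1.1.10 / 203.0.113.10 are constructed placeholders; DNS inspection must be enabled on the traffic path (it is in the default global policy). It covers only a translated host, not the ASA's own outside interface address, which is the case asked about above.

```cisco
! ASA 8.3+ syntax. Constructed example: an internal server published on a
! public address, with the same public DNS name used inside and outside.
object network GUEST-PORTAL
 host 10.1.1.10
 ! "dns" makes the ASA rewrite A records in DNS replies that cross it:
 ! an inside client resolving the public name through an external
 ! resolver receives 10.1.1.10 instead of 203.0.113.10.
 nat (inside,outside) static 203.0.113.10 dns
!
! DNS inspection has to be active for the rewrite to happen; this is
! already present in the default global service policy.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Verification: "show nat detail" lists the rule with its dns flag and hit
! counts; "show service-policy inspect dns" shows the inspection counters.
```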
