Access Outside VPN IP from Inside

Ricardo Duarte
Level 1

Hi,

Currently I have my VPN working fine for external users, but would like to give access to my internal "Guest" users as well.

I know I can enable VPN on the inside interface, but the problem here is that my guests use Google's DNS servers, so my VPN record always points to the outside IP address. I don't want to be forced to set up a new DNS server just for this, or to use different DNS records for when the users are inside.

I would like to ask:

- How can I allow inside users to access the VPN through the outside IP address?

- Alternatively, how can I make the ASA rewrite Google's return DNS record to my inside VPN address?

Thanks.

3 Replies

Jennifer Halim
Cisco Employee

Firstly, what is the purpose of VPN within the inside network? Essentially the traffic will only be encrypted towards the ASA, and traffic between the ASA back towards the internal resources is unencrypted anyway, and they are all within your internal network.

To answer your question:

- You can't VPN to the outside IP if you are connected to the inside interface of the ASA. You can however VPN to the inside interface of the ASA if required.

Hi Jennifer,

Any way to rewrite the DNS response then? My DNS responses for the VPN record are coming from outside, so maybe I can make the ASA rewrite them.

About the purpose:

- I want to provide encryption over the unencrypted wireless guest network

- I want to provide encryption over the WEP wireless network for devices that don't support WPA

- I want to apply ACLs based on posture (ASA DAP + Hostscan)

- I want to allow users to access their familiar Clientless VPN portal

- I want to be able to deploy the AnyConnect client when users are inside, in the same way I do when they are outside

- I want to enable my users to set up/test the connection before they leave the building

- I can't connect my "guests" to an outside network

Thanks.

You can't rewrite the DNS response on the ASA interface itself. You can only rewrite DNS for your NAT translation host, unfortunately.
