
ASA Access list. Allow traffic back in to our network?

We have two sites connected by VPN. Main and Branch office (BO)

There is a single DNS domain for both sites (MS AD integrated), and a BIND server running our public DNS.

We have a webmail server at the main site that is accessible via port forwarding from the outside interface public IP, let's say

Externally everything works fine. Yay!

Internally, if I set the DNS entry for webmail.company.com on the internal DNS to then the Branch office can't access webmail when the VPN is down (a business continuity requirement).

If I set it to then I can't access webmail from the Main site. (obviously it's fine from the Branch office).

What rules do I need to put in place to allow the subnet to access webmail?

Can this be done with a static route and a secondary IP on the webmail server, or should I be looking to allow traffic out and then back in through NAT?
2 Solutions
jmeggers, Sr. Network and Security Engineer, commented:
First, your branch office is being NATed to some address when it goes out to the Internet. So you can add an ACL on the head-end that permits DNS requests (or whatever other traffic is needed) from a source address of the NAT address (or subnet) from your remote office.

But the underlying issue as I see it is if your VPN is down, it's probably because the ISP connection at one side or the other is down. In which case, you're not going to be able to get traffic through anyway. Your solution really only works if you're paying for a private WAN service (e.g., Verizon MPLS) as the primary path between sites, and using the VPN tunnel over the Internet as a backup.
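As an added example (not jmeggers' own configuration or anything from the thread), this is what the first paragraph looks like on the head-end ASA: the branch office's Internet NAT address is permitted through the outside-interface ACL to the webmail server only, and only on the forwarded port, so the rest of the Internet stays under the implicit deny. All addresses, object names and the choice of HTTPS as the forwarded port are assumptions; note that on ASA 8.3 and later the ACL is written against the server's real inside address, not its translated public address.

```cisco
! Added example, not from the thread. All addresses and names are placeholders.
!
! Branch office's public (NAT) address as seen from the Internet
object network BRANCH_NAT_IP
 host 203.0.113.10
!
! Webmail server: real inside address, with the existing static port forward
! (assumed to be HTTPS) to the public IP on the outside interface
object network WEBMAIL_INSIDE
 host 192.168.10.25
 nat (inside,outside) static 198.51.100.5 service tcp 443 443
!
! Outside-interface ACL: source restricted to the branch NAT address (not
! "any"), destination restricted to the webmail server and the forwarded port.
! ASA 8.3+ evaluates ACLs against the real (untranslated) destination, so the
! object holds the inside address, not 198.51.100.5.
access-list OUTSIDE_IN remark Branch office -> webmail when the VPN tunnel is down
access-list OUTSIDE_IN extended permit tcp object BRANCH_NAT_IP object WEBMAIL_INSIDE eq 443
!
! Apply inbound on outside; everything not matched above hits the implicit deny.
access-group OUTSIDE_IN in interface outside
!
! Verify: the hit counter on the permit ACE should increment when the branch
! reaches webmail with the tunnel down.
! show access-list OUTSIDE_IN
```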
agreed, approach this "a business continuity requirement" from a different angle, don't try to beat the unbeatable. Make sure you have an in-place backup line which would re-set up a VPN connection in case the main line goes woosh.