ASA Access list. Allow traffic back in to our network?


We have two sites connected by VPN. Main 192.168.0.0/24 and Branch office (BO) 192.168.1.0/24

There is a single DNS domain for both sites (MS AD integrated), and a BIND server running our public DNS.

We have a webmail server at the main site, 192.168.0.4. that is accessible via port forwarding from the outside interface public IP, lets say 1.2.3.4

Externally everything works fine. Yay!

Internally, if I set the DNS entry for webmail.company.com on the internal DNS to 192.168.0.4 then the Branch office can't access webmail when the VPN is down (a business continuity requirement).

If I set it to 1.2.3.4 then I can't access webmail from the Main site. (obviously it's fine from the Branch office).

What rules do I need to put in place to allow the 192.168.0.0/24 subnet to access webmail?

Can this be done with a static route and a secondary IP on the webmail server, or should I be looking ot allow traffic out and then back in through nat?
Wibble_Asked:
Who is Participating?
 
John MeggersConnect With a Mentor Network ArchitectCommented:
First, your branch office is being NATed to some address when it goes out to the Internet.  So you can add an ACL on the head-end that permits DNS requests (or whatever other traffic is needed) from a source address of the NAT address (or subnet) from your remote office.  

But the underlying issue as I see it is if your VPN is down, it's probably because the ISP connection at one side or the other is down.  In which case, you're not going to be able to get traffic through anyway.  Your solution really only works if you're paying for a private WAN service (e.g., Verizon MPLS) as the primary path between sites, and using the VPN tunnel over the Internet as a backup.
0
 
CSorgConnect With a Mentor Commented:
agreed, approach this "a business continuity requirement" from a different angle, dont try to beat the unbeatable. Make sure you have an inplace backup line which would re-setup a vpn connection in case the main line goes woosh.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.