Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 352
  • Last Modified:

ASA Access list. Allow traffic back in to our network?


We have two sites connected by VPN. Main 192.168.0.0/24 and Branch office (BO) 192.168.1.0/24

There is a single DNS domain for both sites (MS AD integrated), and a BIND server running our public DNS.

We have a webmail server at the main site, 192.168.0.4. that is accessible via port forwarding from the outside interface public IP, lets say 1.2.3.4

Externally everything works fine. Yay!

Internally, if I set the DNS entry for webmail.company.com on the internal DNS to 192.168.0.4 then the Branch office can't access webmail when the VPN is down (a business continuity requirement).

If I set it to 1.2.3.4 then I can't access webmail from the Main site. (obviously it's fine from the Branch office).

What rules do I need to put in place to allow the 192.168.0.0/24 subnet to access webmail?

Can this be done with a static route and a secondary IP on the webmail server, or should I be looking ot allow traffic out and then back in through nat?
0
Wibble_
Asked:
Wibble_
2 Solutions
 
jmeggersCommented:
First, your branch office is being NATed to some address when it goes out to the Internet.  So you can add an ACL on the head-end that permits DNS requests (or whatever other traffic is needed) from a source address of the NAT address (or subnet) from your remote office.  

But the underlying issue as I see it is if your VPN is down, it's probably because the ISP connection at one side or the other is down.  In which case, you're not going to be able to get traffic through anyway.  Your solution really only works if you're paying for a private WAN service (e.g., Verizon MPLS) as the primary path between sites, and using the VPN tunnel over the Internet as a backup.
0
 
CSorgCommented:
agreed, approach this "a business continuity requirement" from a different angle, dont try to beat the unbeatable. Make sure you have an inplace backup line which would re-setup a vpn connection in case the main line goes woosh.
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now