ASA Access list. Allow traffic back in to our network?
Posted on 2011-09-16
We have two sites connected by VPN. Main 192.168.0.0/24 and Branch office (BO) 192.168.1.0/24
There is a single DNS domain for both sites (MS AD integrated), and a BIND server running our public DNS.
We have a webmail server at the main site, 192.168.0.4. that is accessible via port forwarding from the outside interface public IP, lets say 220.127.116.11
Externally everything works fine. Yay!
Internally, if I set the DNS entry for webmail.company.com on the internal DNS to 192.168.0.4 then the Branch office can't access webmail when the VPN is down (a business continuity requirement).
If I set it to 18.104.22.168 then I can't access webmail from the Main site. (obviously it's fine from the Branch office).
What rules do I need to put in place to allow the 192.168.0.0/24 subnet to access webmail?
Can this be done with a static route and a secondary IP on the webmail server, or should I be looking ot allow traffic out and then back in through nat?