Solved

ASA Access list. Allow traffic back in to our network?

Posted on 2011-09-16
Medium Priority
340 Views
Last Modified: 2012-05-12

We have two sites connected by VPN: Main 192.168.0.0/24 and Branch office (BO) 192.168.1.0/24.

There is a single DNS domain for both sites (MS AD integrated), and a BIND server running our public DNS.

We have a webmail server at the main site, 192.168.0.4, that is accessible via port forwarding from the outside interface public IP, let's say 1.2.3.4.

Externally everything works fine. Yay!

Internally, if I set the DNS entry for webmail.company.com on the internal DNS to 192.168.0.4, then the Branch office can't access webmail when the VPN is down (a business continuity requirement).

If I set it to 1.2.3.4, then I can't access webmail from the Main site (obviously it's fine from the Branch office).

What rules do I need to put in place to allow the 192.168.0.0/24 subnet to access webmail?

Can this be done with a static route and a secondary IP on the webmail server, or should I be looking to allow traffic out and then back in through NAT?

Question by: Wibble_
2 Comments
LVL 18
Accepted Solution by: jmeggers (earned 1000 total points)
ID: 36555347
First, your branch office is being NATed to some address when it goes out to the Internet.  So you can add an ACL on the head-end that permits DNS requests (or whatever other traffic is needed) from a source address of the NAT address (or subnet) from your remote office.  

But the underlying issue as I see it is if your VPN is down, it's probably because the ISP connection at one side or the other is down.  In which case, you're not going to be able to get traffic through anyway.  Your solution really only works if you're paying for a private WAN service (e.g., Verizon MPLS) as the primary path between sites, and using the VPN tunnel over the Internet as a backup.
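The head-end ACL jmeggers describes, written out as an added example for a Cisco ASA (this is not configuration from the thread or from either poster). Assumptions not stated on the page: the webmail service is published on TCP/443, the branch office's public NAT address is 203.0.113.10 (an RFC 5737 documentation address used as a placeholder), and the ASA runs 8.3 or later, where access lists match the real (inside) address rather than the mapped one. The pre-8.3 form is shown in comments because that version difference is the usual reason such an ACL silently never matches.

```text
! Added example, not from the original thread. Assumptions (not on the page):
!   - webmail is published on TCP/443
!   - the branch office NATs to 203.0.113.10 (RFC 5737 placeholder)
!   - ASA 8.3 or later (object NAT; ACLs reference the REAL inside address)
!
! 1. Publish the webmail server on the outside interface IP (1.2.3.4) with static PAT
object network WEBMAIL
 host 192.168.0.4
 nat (inside,outside) static interface service tcp 443 443
!
! 2. Permit only the branch's public NAT address to reach webmail from the outside.
!    Scoping to one source host instead of "any" keeps the exposure to the branch.
object network BRANCH_PUBLIC
 host 203.0.113.10
access-list OUTSIDE_IN extended permit tcp object BRANCH_PUBLIC object WEBMAIL eq https
access-group OUTSIDE_IN in interface outside
!
! Pre-8.3 equivalent: the ACL must match the MAPPED address (the outside interface IP)
! static (inside,outside) tcp interface 443 192.168.0.4 443 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 1.2.3.4 eq https
! access-group OUTSIDE_IN in interface outside
```

To confirm the entry is the one being hit, check `show access-list OUTSIDE_IN` for a rising hit count, or simulate the branch's request with `packet-tracer input outside tcp 203.0.113.10 12345 1.2.3.4 443`, which walks the packet through NAT and the ACL and reports which line allowed or dropped it. If webmail is already published to `any` for external users, this entry adds nothing for HTTPS and the same pattern would instead be applied to whatever other service (DNS, in jmeggers' example) the branch needs to reach at the head-end while the tunnel is down.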
LVL 7
Assisted Solution by: CSorg (earned 1000 total points)
ID: 36557186
Agreed, approach this "business continuity requirement" from a different angle; don't try to beat the unbeatable. Make sure you have an in-place backup line which would re-establish a VPN connection in case the main line goes woosh.
