Take a look at the access lists. Are your VPN clients allowed to connect to the dmz server? See the logs on the ASA to see why the connections from the VPN clients to the server in DMZ are not working.
Do they have to use the inside DNS server? You can set them up with an outside DNS and then you won't be having the problem you have.
| Thanks Morph. I think I got that working this morning since printing. I
| added a "zone file" to the DNS server and gave it the internal IPs.
| But now I have to figure out how to
| handle my remote VPN users. They hit the same DNS servers. I think
| there must be something config wise that I have to add to the ASA5505.
| I just had a user call in that
| couldn't get to the mail or web server. I had to manually add entries
| to the HOSTS file with the external/routable IPs and it works for
| them.
|
|
| On Dec 3, 8:47 am, Morph wrote:
| > In the message
| > TimParker wrote:
| >
| > Then just create an A record for your webserver that points to the
| > address in the DMZ. You should do that on your DNS server.
| >
| > | No, the DNS server is internal on our Network. Naturally, if it
| > | doesn't find what it is looking for, it resolves off the internet root
| > | servers (ISP, etc).
| > |
| > | On Dec 2, 4:57 pm, Morph wrote:
| > | > In the message
| > | >
| > | > TimParker wrote:
| >
| > | >
| > | > | I just finally finished converting our offices over to using Cisco
| > | > | hardware that we bought a few months back. (871 routers for the remote
| > | > | offices and a 5505 for the main office).
| > | > |
| > | > | I have it configured with an outside, inside and dmz interface. Our
| > | > | company web server and external mail server naturally live in the DMZ
| > | > | (192.168.18.x).
| > | > |
| > | > | The problem is when we try and hit the website it can't seem to get
| > | > | there. If I had entries in the hosts files on the PC with the Internal
| > | > | address it works fine. Normally, it would resolve to the external
| > | > | address (204.210.x.y)
| > | > |
| > | > | What type of rule do I need? I have tried putting one in both the DMZ
| > | > | and inside rules sections to allow TCP-HTTP and TCP-HTTPS to the
| > | > | server in question.
| > | >
| > | > If I understand correctly you are using a public DNS server and when you
| > | > try to access your website from inside of your network, the DNS name is
| > | > resolved to the public IP address and you can not access the page?
| > | >
| > | > If this is the case, then have a look at this (DNS Doctoring):
formatting link
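
For reference, the DNS doctoring mentioned in the quoted reply looks like this on an ASA. This is an added example, not part of any post in the thread; the host addresses are constructed placeholders (192.168.18.10 for the DMZ web server, 203.0.113.10 standing in for the 204.210.x.y public address), and the object name DMZ-WEB is hypothetical.

```cisco
! Added example. Addresses and the object name are assumptions:
!   192.168.18.10 = hypothetical web server in the DMZ (thread: 192.168.18.x)
!   203.0.113.10  = placeholder for the public address (thread: 204.210.x.y)
!
! --- ASA software before 8.3: static NAT with the "dns" keyword ---
! Without "dns", an inside client is handed the public address from the
! A record. With "dns", the ASA rewrites the A record in DNS replies that
! cross it, so the client receives the DMZ address instead.
static (dmz,outside) 203.0.113.10 192.168.18.10 netmask 255.255.255.255 dns
!
! --- ASA software 8.3 and later: the same translation as object NAT ---
! Use this form instead of the static command above, not in addition to it.
object network DMZ-WEB
 host 192.168.18.10
 nat (dmz,outside) static 203.0.113.10 dns
!
! The rewrite is performed by DNS inspection, which is part of the
! default global policy. Confirm it has not been removed:
policy-map global_policy
 class inspection_default
  inspect dns
!
! --- Checks from privileged EXEC mode ---
! Is DNS inspection active and seeing packets?
show service-policy inspect dns
! Is the translation for the web server present?
show xlate
! Why was a connection to the DMZ server denied?
show logging
```

Doctoring only rewrites DNS replies that pass through the ASA. Answers served from an internal zone file never cross it, so clients using the inside DNS server receive the internal address and depend on the access lists permitting them to reach the DMZ.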