Cisco PIX and web access

Cisco PIX 506e

We have some VPN users who cannot access our company website or Outlook over the Web site when connected to the Company VPN. They can access any other website except ours. When they disconnect from the company VPN, they can access our company websites fine.

I checked their Cisco VPN client, and they DO have "Allow local LAN access" checked.

Is there anything else I should be looking for?

Thanks

chrismtoth

Where's the website, where's the VPN tunnel terminated, and what does their LAN have to do with it?

Michał Iwaszko

The website is located on a server on our network behind our Cisco PIX 506e firewall. I am not sure where the VPN tunnel is terminated... how could I find that out?

Thanks

chrismtoth

If I get it all right, those VPN Client users that connect to your VPN Concentrator (something that terminates their VPN connections) can't access websites that are located somewhere in your network and are NATed on public addresses (they can access them without the VPN connection), right?

PS. The "Allow local LAN access" option makes the route to their LAN still available after the VPN tunnel goes up.

Michał Iwaszko

Correct, the VPN users, when connected to the company VPN, cannot access publicly available company websites. And I do have the "Allow local LAN access" checkbox checked in their VPN Client software. However, when they disconnect from our VPN, they CAN access those websites. So for some reason, being connected to the VPN is preventing them from accessing the company websites.

By the way, we are using a Cisco PIX 506e with the 6.3 software. The PIX is our firewall/VPN and all of our servers are behind the PIX.

Thanks

chrismtoth

This is probably because they're trying to access these servers using public domain names which will resolve to public IP addresses. You can't connect to these external static mapped addresses with a PIX when you're on the inside network - which is what you are after connecting via VPN. The easiest solution to this is to create additional DNS entries for these public addresses on your internal DNS servers that point to the internal IP addresses of the servers you require access to.

Cheers, John

John Tressle

So in Windows 2003 A/D DNS, create a new entry in Reverse Lookup Zones to point [link] to 192.168.x.x?

Thanks!

chrismtoth

Almost... but it needs to be a forward lookup zone entry. If you're using 2003 AD/DNS you will already have a yourdomain.local zone configured with local entries. Assuming your public domain is different (which it should be) you will need to add the zone webpage.com and then add the appropriate host A records (e.g. www -> 192.168.x.x).

You also need to ensure that you've configured your PIX to hand out the correct DNS servers for VPN DHCP users.

Cheers, John

John Tressle
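As an added example (not part of this thread, and not Cisco or Microsoft code), here is a small Python model of the situation John describes across his two replies: a VPN client that holds an inside address resolves the company names to their public, static-NATed addresses, which a PIX will not hairpin from the inside, so those names are unreachable only while the tunnel is up. The script flags exactly those names and emits the A records for the internal forward lookup zone that fix it. All hostnames, addresses, networks and NAT mappings below are constructed for illustration.

```python
"""Split-DNS check for VPN clients sitting behind a PIX-style static NAT.

Constructed example: models John's diagnosis. A client on the VPN gets an
inside address, resolves the public name, receives the static-NATed public
address and tries to reach it from the inside, which the firewall does not
hairpin. The fix is an internal forward zone whose A records answer with
the inside addresses.
"""
from ipaddress import ip_address, ip_network

# Constructed: static NAT mappings on the firewall, public -> inside.
STATIC_NAT = {
    "203.0.113.10": "192.168.1.10",   # www
    "203.0.113.11": "192.168.1.11",   # mail / Outlook Web Access
}

# Constructed: what the public DNS answers for the company names
# (plus one unrelated site, which must never be flagged).
PUBLIC_DNS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.11",
    "www.other-site.example": "198.51.100.5",
}

# Constructed: inside networks, including the VPN client address pool.
INSIDE_NETS = [ip_network("192.168.0.0/16"), ip_network("10.9.9.0/24")]


def is_inside(addr: str) -> bool:
    """True when the client's address is behind the firewall (LAN or VPN pool)."""
    return any(ip_address(addr) in net for net in INSIDE_NETS)


def hairpin_problems(client_addr: str, dns_answers=PUBLIC_DNS, static_nat=STATIC_NAT):
    """Return {name: (public_ip, inside_ip)} for every name that an inside
    client resolves to an address which is a static NAT on the firewall.
    Off the VPN the client is outside, so nothing is flagged."""
    if not is_inside(client_addr):
        return {}
    return {
        name: (pub, static_nat[pub])
        for name, pub in dns_answers.items()
        if pub in static_nat
    }


def split_dns_records(problems):
    """Zone-file style A records for the internal forward zone, sorted by name."""
    return [f"{name}. IN A {inside}" for name, (_pub, inside) in sorted(problems.items())]


if __name__ == "__main__":
    for client in ("10.9.9.25", "198.51.100.77"):   # on VPN, then off VPN
        found = hairpin_problems(client)
        print(f"client {client}: {len(found)} name(s) resolve to a static NAT address")
        for record in split_dns_records(found):
            print("  add to internal zone:", record)
```

The records it prints belong on the inside DNS server that the VPN clients use; on PIX 6.3 the DNS server handed to VPN clients is set per group with `vpngroup <group> dns-server <inside-dns-ip>`, so that setting and the internal zone have to agree for the fix to take effect.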
