Okay, let me explain.
It doesn't matter that they have no MPLS or VPN... they will still establish a tunnel with its own IPsec tunnel.
So this means that they are on a remote AP, which will make an IPsec tunnel, which will do a GRE tunnel, which means you can use tunnel mode as the forward method if you want.
Putting it on split tunneling or tunnel mode will result in the same case...
When you are doing split tunneling and you have, for example, rules something like this:
1 any any svc-dhcp permit Low 4
2 user Internal_Network any permit Low 4
3 Internal_Network user any permit Low 4
4 user any any route src-nat Low 4
Pay attention to the numbers at the beginning.
Rules 1, 2 and 3: those are tunneled to corporate.
Just rule number 4 will not be tunneled.
That's why it's called split tunneling, because some rules are tunneled back and some others are not...
In your case, in which you just want them to access the internal website but through the external IP addresses, even if you use split tunneling they are being tunneled back... so the result is the same...
Now if you put them on tunneled mode but you are still providing those remote users with external DNS...
1- The user will request the external DNS server to translate that page.
2- The external DNS server will respond with the external IP address.
3- They will access the page through the external address.
Now you, at your HQ, will need to permit DNS queries to those remote users...
Now if you put them with split tunneling and also use it as Collin advised, which works... as I tested it with 2 what's-my-IP pages... the one I wanted was being sent through the tunnel and the other was sent through the remote site, which was my home in this test...
Now if you want, you could try this...
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-dhcp permit Low 4
2 user any svc-dns route src-nat Low
3 user corportewebsite any route src-nat Low
This way you will be sending their traffic and just permitting it to the corporate website IPs.
This means that on rule 1 you are permitting them to get DHCP.
On rule 2 you are permitting them to do DNS queries to the internet on the remote site.
On rule 3 you are permitting them just the list of corporate website IPs...
Now I haven't tested it but I believe it will work...
When they do this:
www.corporatewebsite.com
DNS will transform that to the IP address, for example 200.200.31.2
As you permitted 20.200.31.2, it will let him pass through, and he will be going through the internet of the remote site.
Here you won't be using any web filtering or anything... you are statically telling him that he can just go to those IPs, rather than using a web filter...
For now that's the option I have thought of... I don't know if Collin has better ideas.
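
The two rule lists in the post above, as an added example that is not part of the original post: a Python model of top-down, first-match evaluation that reports whether a flow follows the tunnel or leaves at the remote site. The client address, alias networks, service port definitions, and the permit / route src-nat / implicit-deny semantics are assumptions of this model, not output from a controller.

```python
import ipaddress

USER_IP = ipaddress.ip_address("192.168.1.50")  # constructed remote-client address
ALIASES = {  # constructed stand-ins; the post does not list the real networks
    "Internal_Network": ipaddress.ip_network("10.0.0.0/8"),
    "corporatewebsite": ipaddress.ip_network("200.200.31.2/32"),  # example IP from the post
}
SERVICES = {"svc-dhcp": ("udp", {67, 68}), "svc-dns": ("udp", {53})}  # assumed definitions

SPLIT_TUNNEL = [  # first rule list in the post
    ("any", "any", "svc-dhcp", "permit"),
    ("user", "Internal_Network", "any", "permit"),
    ("Internal_Network", "user", "any", "permit"),
    ("user", "any", "any", "route src-nat"),
]
LOCAL_ONLY = [  # second rule list in the post
    ("any", "any", "svc-dhcp", "permit"),
    ("user", "any", "svc-dns", "route src-nat"),
    ("user", "corporatewebsite", "any", "route src-nat"),
]

def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "user":
        return addr == USER_IP
    return addr in ALIASES[spec]

def _svc_match(spec, proto, port):
    if spec == "any":
        return True
    want_proto, ports = SERVICES[spec]
    return proto == want_proto and port in ports

def classify(policy, src, dst, proto, port):
    """Return (rule number, path) for the first matching rule, top to bottom."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (s, d, svc, action) in enumerate(policy, start=1):
        if _addr_match(s, src) and _addr_match(d, dst) and _svc_match(svc, proto, port):
            # Assumed semantics: permit follows the tunnel, route src-nat leaves locally.
            return number, "tunnel" if action == "permit" else "local"
    return None, "drop"  # assumed implicit deny when nothing matches

if __name__ == "__main__":
    for dst in ("10.1.2.3", "200.200.31.2", "198.51.100.7"):
        for name, pol in (("split", SPLIT_TUNNEL), ("local-only", LOCAL_ONLY)):
            print(name, dst, classify(pol, "192.168.1.50", dst, "tcp", 443))
```

Under the second list, a flow to any destination other than the listed website address falls through every rule and is dropped in this model, which is the static allow-list behaviour the post describes.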