SSL VPN

Aug 17th, 2007
When I'm connected to my ASA 7 with the VPN client and change a Windows route, I get this message:

SSL VPN connection was terminated due to an IP forwarding table modification and could not be automatically re-established.

Can I change this behavior? I'm the administrator of the ASA firewall.

Thank you.

carenas123 Thu, 08/23/2007 - 08:48

In a Clientless SSL VPN connection, the adaptive security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the adaptive security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, so therefore it cannot examine and validate the certificate.


http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/web_vpn.html#wp1059082

If you are trying to modify the routing table on the SSL VPN client host, this is normal behaviour. The SSL VPN client sets up routes based on the ASA's VPN configuration (split-tunneling).

Modifying the routes on the client host could be an attempt to subvert the security of the connection, so the client will monitor the route table, and, as you have noticed, disconnect you if it is modified.

If you require different routes on the client host your best option is to configure the split-tunneling to only include the routes of the protected network. Of course, this has other security implications.

ciscors Thu, 08/23/2007 - 09:25

Basically this is a lab environment, hence I need to add other routes to reach local hosts (not necessarily over the VPN tunnel). The SSL VPN client detects these changes and disconnects me. I wish there was an option on the ASA which could allow this. Even though it can be used to subvert, access lists can be used to protect against this. Also, NAT rules may already disallow this.

Well, you could try setting up the split-tunneling for your testing.

In ASDM go to Remote Access VPN > Network (Client) Access > Group Policies, and open your policy. In the policy go to Advanced > Split Tunneling > Policy (the second item on that page) and you can choose from 'Tunnel All Networks', 'Tunnel Networks Listed Below' or 'Exclude Networks Listed Below'. Then for the Network List you will assign an ACL that contains the networks you want to tunnel or exclude.

But, you cannot change them on-the-fly on the SSL VPN client host.
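The same split-tunnel setup expressed as ASA CLI commands, added here as an example (it is not from the original thread or from Cisco documentation); the group policy name LAB_POLICY, the ACL name SPLIT_TUNNEL_ACL, the tunnel-group name LAB_TG and the 10.10.0.0/16 network are constructed placeholders.

```cisco
! Default behaviour: every route on the client host points into the tunnel,
! so any locally added route is a route-table modification and the SSL VPN
! client tears the session down.
group-policy LAB_POLICY attributes
 split-tunnel-policy tunnelall

! Corrected setting: only the protected network(s) in the standard ACL are
! tunnelled. Local lab hosts outside 10.10.0.0/16 stay reachable through
! the host's normal routes, so there is no need to edit the route table.
access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0
!
group-policy LAB_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

! Alternative: tunnel everything except the networks listed in the ACL
! (the ASDM option "Exclude Networks Listed Below").
! group-policy LAB_POLICY attributes
!  split-tunnel-policy excludespecified
!  split-tunnel-network-list value SPLIT_TUNNEL_ACL

! Make the policy the default for the tunnel group the client connects to.
tunnel-group LAB_TG general-attributes
 default-group-policy LAB_POLICY
```

With tunnelspecified, traffic to anything not in the ACL bypasses the ASA's VPN ACLs and NAT rules, which is the "other security implications" point made above.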
