
Clientless SSL VPN going over site-to-site tunnel

vpoon87
Level 1

Hi all,

Is it possible to connect to a clientless SSL VPN and access a website that's located over a site-to-site VPN connection on the same device? I have the site-to-site working fine but when I try to access with the clientless SSL VPN, it doesn't route over the site-to-site tunnel. What am I missing?

Thanks

Victor

3 Replies

acomiskey
Level 10

I assume you are trying to ssl vpn to the outside interface address of the ASA? And you want this traffic to go over the tunnel?

You need to add the interface IP to the interesting traffic on the ASAs and also the nat0 acl on the remote end ASA.

For instance, if the outside address of the ssl server ASA is 1.1.1.1 and local ssl vpn client address is in 192.168.1.0/24.

Local ASA-

access-list crypto extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

Remote ASA-

access-list crypto extended permit ip host 1.1.1.1 192.168.1.0 255.255.255.0

That should allow you to hit 1.1.1.1 over the vpn tunnel. Hope that helps.

Thanks for the prompt reply.

If the remote site-to-site tunnel connection profile is using the public interface that I'm using to SSL in, will the access list added to the remote ASA cause any problems?

Also, I assume I'll also need (assuming remote network is 192.168.2.0/24):

access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1

Thanks again

Victor

Should not cause issues. All you are doing is adding traffic that you want to be encrypted across the tunnel. You will add the access list statements to the ones which already exist for the tunnel. If the remote network is 192.168.2.0, just replace 192.168.1.0 with that in the post above. Post up the configs before if you feel more comfortable.
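The crypto ACL entries in this thread are added in pairs, each one reversed on the other peer, so a quick offline check before pasting them in is to parse both sides and report any entry without a reversed counterpart or without the `ip` protocol keyword. The script below is an added example, not code from the thread or from Cisco; the ACL name `crypto` and the addresses follow the posts, and the 192.168.2.0 line in the sample is a constructed case of an entry added on one side only.

```python
import ipaddress

def parse_endpoint(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens and tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) >= 2:
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    raise ValueError("incomplete address specification")

def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (name, src, dst)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
        raise ValueError(f"not an extended permit entry: {line!r}")
    if t[4] != "ip":
        raise ValueError(f"protocol keyword missing or not 'ip': {line!r}")
    src, rest = parse_endpoint(t[5:])
    dst, rest = parse_endpoint(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {line!r}")
    return t[1], src, dst

def unmirrored(local_lines, remote_lines, acl="crypto"):
    """Return (entries on local with no reversed entry on remote, and the converse)."""
    def pairs(lines):
        return {(s, d) for name, s, d in map(parse_ace, lines) if name == acl}
    local, remote = pairs(local_lines), pairs(remote_lines)
    only_local = sorted((str(s), str(d)) for s, d in local if (d, s) not in remote)
    only_remote = sorted((str(s), str(d)) for s, d in remote if (d, s) not in local)
    return only_local, only_remote

# Constructed sample: the pair from the thread, plus one entry added on one side only.
LOCAL = [
    "access-list crypto extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1",
    "access-list crypto extended permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1",
]
REMOTE = [
    "access-list crypto extended permit ip host 1.1.1.1 192.168.1.0 255.255.255.0",
]

if __name__ == "__main__":
    only_local, only_remote = unmirrored(LOCAL, REMOTE)
    for src, dst in only_local:
        print(f"no reversed entry on remote peer for {src} -> {dst}")
    for src, dst in only_remote:
        print(f"no reversed entry on local peer for {src} -> {dst}")
```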
