08-22-2008 11:12 AM - edited 02-21-2020 03:54 PM
Hi all,
Is it possible to connect to a clientless SSL VPN and access a website that's located over a site-to-site VPN connection on the same device? I have the site-to-site working fine but when I try to access with the clientless SSL VPN, it doesn't route over the site-to-site tunnel. What am I missing?
Thanks
Victor
08-22-2008 11:27 AM
I assume you are trying to ssl vpn to the outside interface address of the ASA? And you want this traffic to go over the tunnel?
You need to add the interface IP to the interesting traffic on the ASAs and also to the nat0 ACL on the remote-end ASA.
For instance, if the outside address of the SSL server ASA is 1.1.1.1 and the local SSL VPN client address is in 192.168.1.0/24:
Local ASA-
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
Remote ASA-
access-list crypto extended permit ip host 1.1.1.1 192.168.1.0 255.255.255.0
That should allow you to hit 1.1.1.1 over the vpn tunnel. Hope that helps.
08-22-2008 12:38 PM
Thanks for the prompt reply.
If the remote site-to-site tunnel connection profile is using the public interface that I'm using to SSL in, will the access list added to the remote ASA cause any problems?
Also, I assume I'll need the following (assuming the remote network is 192.168.2.0/24):
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1
Thanks again
Victor
08-22-2008 01:58 PM
Should not cause issues. All you are doing is adding traffic that you want to be encrypted across the tunnel. You will add the access-list statements to the ones which already exist for the tunnel. If the remote network is 192.168.2.0, just replace 192.168.1.0 with that in the post above. Post up the configs first if you feel more comfortable.
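Putting the two answers above together, here is a complete pair of pre-8.3 ASA configurations as an added example (it is not from any poster in this thread). Assumptions, none of which appear in the thread: the SSL VPN headend is ASA-A with outside address 1.1.1.1 and inside network 10.0.0.0/24; the web server 192.168.2.10 sits behind ASA-B, whose outside address is 2.2.2.2; the existing tunnel ACL is named `crypto`, the NAT-exemption ACL `nat0`, the crypto map `outside_map`, and the transform set `ESP-AES-SHA`. The key point the thread makes is that a clientless session is proxied by the ASA itself, so the connection toward 192.168.2.10 leaves ASA-A sourced from its own outside address, and that host address has to be interesting traffic on both ends.

```cisco
! ===== ASA-A : clientless SSL VPN headend, outside 1.1.1.1 (assumed topology) =====
! Existing L2L interesting traffic, inside-to-inside
access-list crypto extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
! NEW: the ASA's own outside address is the source of proxied clientless sessions
access-list crypto extended permit ip host 1.1.1.1 192.168.2.0 255.255.255.0
! NAT exemption for the inside network (ASA-originated traffic is not translated)
access-list nat0 extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map 10 match address crypto
crypto map outside_map 10 set peer 2.2.2.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
! Assumption, not stated in the thread: the SSL session terminates on outside and the
! IPsec tunnel also leaves via outside, so intra-interface (hairpin) traffic must be permitted
same-security-traffic permit intra-interface

! ===== ASA-B : site hosting the web server 192.168.2.10, outside 2.2.2.2 (assumed) =====
! Existing L2L interesting traffic, mirror image of ASA-A
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
! NEW: return traffic to ASA-A's outside address must also be encrypted
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1
! NAT exemption: both the peer LAN and ASA-A's outside address (the line asked about above)
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1
nat (inside) 0 access-list nat0
crypto map outside_map 10 match address crypto
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! ===== Verification on ASA-A after opening the bookmark from the clientless portal =====
! A second IPsec SA pair should appear for the new proxy identity:
!   local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
!   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
show crypto ipsec sa peer 2.2.2.2
```

Two caveats worth keeping in mind. First, the crypto ACLs must stay mirror images: if the `host 1.1.1.1` entry is added on only one side, phase 2 negotiation for that proxy pair fails and the clientless request silently times out, while the original inside-to-inside SA keeps working. Second, this is pre-8.3 syntax, matching the 2008 date of the thread; on 8.3 and later the `nat (inside) 0 access-list` exemption is replaced by twice NAT (`nat (inside,outside) source static ...`) and the same principle applies, but the exemption for `host 1.1.1.1` is written as an object rather than an ACL entry.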