SSL VPN back through the same internet connection to another site


Hi, I have a network with a Juniper SSL box, which connects to an ASA5510 DMZ port, where the outside of the ASA is the same as the outside of the SSL VPN box.

Accessing the internal network has no issues at all.

Now I need remote users to SSL VPN to the Juniper box and internally connect to my remote sites, which takes the client connection via the internet router again (through a Cisco site-to-site IPSec VPN) to the remote site.

Can this be done? My gut feeling is "yes, it can be done".

Currently I am getting nowhere; I don't get any ASA DMZ ACL hits if I try to access remote site resources from the SSL VPN client.

Diagram attached.

Any help would be appreciated.

Correct Answer
Jennifer Halim Mon, 08/09/2010 - 03:26

Shouldn't be a problem.

On the Juniper SSL, you would need to check if routes have been added for the remote IPSec LAN to point towards the ASA DMZ interface IP address instead of pointing out towards the internet via the Juniper SSL box.

You would need to configure NAT exemption on the ASA box between the SSL pool subnet and the remote IPSec LAN. Further to that, you would also include the SSL subnet towards the remote LAN subnets in the crypto ACL, and a mirror-image ACL in the remote site crypto ACL.

Hope that helps.

Correct Answer
Jennifer Halim Tue, 08/10/2010 - 05:03

Yes, in that case, if you are not doing any NATing, then you would need to configure NAT exemption on both the ASA and the router. Otherwise, the crypto ACL will not match, which will not trigger the tunnel/SA to be created for the LAN-to-LAN IPSec tunnel.
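The two answers above describe four pieces of configuration: a route so the SSL pool is reachable through the ASA DMZ interface, NAT exemption for the pool on the ASA, the pool added to the crypto ACL on the ASA, and the mirror-image crypto ACL plus NAT exemption on the remote router. The following is an added worked example of those pieces in pre-8.3 ASA syntax and IOS syntax; it is not configuration from the original thread or from the poster's network. All addresses, interface names, ACL names and crypto map names are constructed assumptions (SSL VPN pool 10.50.0.0/24, head-office LAN 10.1.0.0/24, remote LAN 192.168.20.0/24, Juniper DMZ address 172.16.1.2, ASA outside 198.51.100.1, remote router outside 203.0.113.2), and the existing ISAKMP policy and transform-set are assumed to be in place already.

```cisco
! ===== ASA 5510 (pre-8.3 NAT syntax) =====
! 1. Return traffic for the SSL pool must go back to the Juniper on the DMZ,
!    not out the default route. The Juniper in turn needs a route for
!    192.168.20.0/24 pointing at the ASA DMZ address (configured on the Juniper).
route dmz 10.50.0.0 255.255.255.0 172.16.1.2

! 2. Allow the SSL pool into the DMZ interface towards the remote LAN.
!    Hit counts on this line (show access-list DMZ_IN) confirm the Juniper
!    is actually sending the traffic to the ASA.
access-list DMZ_IN extended permit ip 10.50.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-group DMZ_IN in interface dmz

! 3. NAT exemption: pool traffic to the remote LAN must keep its real source
!    address, otherwise it will not match the crypto ACL below.
access-list NONAT_DMZ extended permit ip 10.50.0.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (dmz) 0 access-list NONAT_DMZ

! 4. Crypto ACL: the existing LAN-to-LAN entry plus a second line for the pool.
access-list L2L_REMOTE extended permit ip 10.1.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L_REMOTE extended permit ip 10.50.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP interface outside

! Verification: trace a pool host to a remote file server through the DMZ,
! then check that phase 2 SAs exist for the new proxy identity.
!   packet-tracer input dmz tcp 10.50.0.10 1025 192.168.20.10 445
!   show crypto ipsec sa peer 203.0.113.2

! ===== Remote-site IOS router =====
! Mirror-image crypto ACL (source/destination swapped, wildcard masks).
ip access-list extended L2L_TO_HQ
 permit ip 192.168.20.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.0.255

! NAT exemption: deny the tunnelled subnets from overload NAT, then NAT the rest.
ip access-list extended NAT_INSIDE
 deny   ip 192.168.20.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list NAT_INSIDE interface FastEthernet0/0 overload

crypto map HQ_MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address L2L_TO_HQ
interface FastEthernet0/0
 crypto map HQ_MAP
```

The order of checks mirrors the symptom in the question: no DMZ_IN hits means the packets never reach the ASA (step 1, the Juniper's routing); hits on DMZ_IN but no IPsec SA means NAT or the crypto ACL is wrong (steps 3 and 4). Both ends must carry the same proxy identities or the SA negotiation fails on the quick-mode proposal mismatch.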
