SSL vpn back through the same internet conenction to another site

asoka
Level 1

Hi, I have a network with a Juniper SSL box, which connects to an ASA5510 DMZ port, where the outside of the ASA is the same as the outside of the SSL VPN box.

Accessing the internal network has no issues at all.

Now I need remote users to SSL VPN to the Juniper box and internally connect to my remote sites, which takes the client connection via the internet router again (through a Cisco site-to-site IPSec VPN) to the remote site.

Can this be done? My gut feeling is "yes, it can be done".

Currently I am getting nowhere; I don't get any ASA DMZ ACL hits if I try to access remote site resources from the SSL VPN client.

Diagram attached.

Any help would be appreciated

4 Replies

Jennifer Halim
Cisco Employee

Shouldn't be a problem.

On the Juniper SSL, you would need to check if routes have been added for the remote IPSec LAN to point towards the ASA DMZ interface IP address instead of pointing out towards the internet via the Juniper SSL box.

You would need to configure NAT exemption on the ASA box between the SSL pool subnet towards the remote IPSec LAN. Further to that, you would also include the SSL subnet towards the remote LAN subnets in the crypto ACL, and mirror image ACL on the remote site crypto ACL.

Hope that helps.

Thanks Halijenn. That is exactly what I did, but without NAT exemption. My site-to-site IPSec tunnel is between two routers, so do I need to exempt NATing for the SSL pool in the ASA?

Regards

Yes, in that case, if you are not doing any NATing, then you would need to configure NAT exemption on both the ASA and the router. Otherwise, the crypto ACL will not match which will not trigger the tunnel/SA to be created between the LAN-to-LAN IPSec tunnel.
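
Putting the two replies above into configuration lines, as an added example that is not from the thread: the subnets (10.10.0.0/16 HQ LAN, 172.16.100.0/24 SSL pool, 192.168.50.0/24 remote LAN), the peer address, interface and object names are constructed placeholders, and the ASA lines assume pre-8.3 NAT syntax with the 8.3+ form shown in comments.

```cisco
! --- Internet router (IPSec endpoint), IOS ---
! Crypto ACL: HQ LAN and the SSL pool toward the remote LAN
ip access-list extended VPN-TO-REMOTE
 permit ip 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255
 permit ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! NAT exemption: deny tunnel traffic before the overload rule,
! otherwise the translated source never matches the crypto ACL
ip access-list extended NAT-INSIDE
 deny   ip 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255
 deny   ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 10.10.0.0 0.0.255.255 any
 permit ip 172.16.100.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address VPN-TO-REMOTE
!
! --- Remote-site router: mirror image of the crypto ACL ---
ip access-list extended VPN-TO-HQ
 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 192.168.50.0 0.0.0.255 172.16.100.0 0.0.0.255
!
! --- ASA5510 (pre-8.3): exempt SSL pool -> remote LAN entering on the DMZ ---
access-list DMZ-NONAT extended permit ip 172.16.100.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (dmz) 0 access-list DMZ-NONAT
! The DMZ ingress ACL must also permit the flow; zero hits here means the
! Juniper is still routing the remote LAN out to the internet, not to the DMZ IP
access-list dmz_in extended permit ip 172.16.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group dmz_in in interface dmz
!
! ASA 8.3+ equivalent of the NAT exemption above:
! object network SSL-POOL
!  subnet 172.16.100.0 255.255.255.0
! object network REMOTE-LAN
!  subnet 192.168.50.0 255.255.255.0
! nat (dmz,outside) source static SSL-POOL SSL-POOL destination static REMOTE-LAN REMOTE-LAN
```

The Juniper side still needs a static route for 192.168.50.0/24 via the ASA DMZ interface IP, and the internet router needs a return route for 172.16.100.0/24 via the ASA outside interface, or the reply traffic will never reach the tunnel.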

Hi, thanks. In my case it was a wrong static statement causing the problem.

Appreciate your support on this issue, thanks again.
