clientless vpn and ssh to outside interface of ASA

Answered Question
Apr 17th, 2014

Hi Everyone,

I was testing clientless ssl at my home lab.

While connected via clientless VPN I am able to SSH to the ASA outside interface, but when I use SSL VPN only I can not SSH to the outside interface of the ASA.

I need to understand how I am able to SSH to the outside interface of the ASA using clientless SSL VPN.


Regards

Mahesh


Correct Answer
Marvin Rhoads Thu, 04/17/2014 - 19:03

Mahesh,

When you are on clientless SSL VPN your client isn't restricted from Internet routes, isn't being NATted, etc. If the ASA is set to allow SSH from outside, then the clientless SSL VPN user is no different from any other.

A full tunnel SSL VPN user might have any or all of those factors in play. Any one of them can cause the inability to access the ASA outside interface via ssh. I'd have to see the configuration to tell you which one (or more) is to blame.

mahesh18 Fri, 04/18/2014 - 06:01

Hi Marvin,


When using clientless VPN, when we use plugins to access a server or PC via RDP or SSH, does it mean that no NAT is involved?

Or can we say that when we use clientless VPN, no NATting is involved at all?

Does it mean that when I am connected to the ASA via SSL VPN I can still SSH to the outside interface of the ASA while using full tunnel?

Here is the NAT config from the ASA:

ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup description Site_To_Site_VPN NAT
nat (inside,outside) source static inside inside destination static inside inside
nat (sales,outside) source static sales sales destination static sales sales
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN

Best regards

Mahesh

Correct Answer
Marvin Rhoads Fri, 04/18/2014 - 07:40

It would be correct to say clientless isn't using NAT with respect to your local machine (the one using the browser for clientless SSL VPN access). In that setup anything that is not launched from within the clientless session (browsing to internal URL, launching plugins etc.) is treated just like a local session originating from whatever network it resides on and using any services (Internet access, local network devices etc.) otherwise available.

When you use a full tunnel VPN type (whether IPsec IKEv1 with the old client, SSL VPN with AnyConnect, or IPsec IKEv2 with AnyConnect), your client machine is getting an IP address assigned from the configured VPN pool (or DHCP server, if so configured), routes (either 0.0.0.0 if split tunneling is not allowed, or specified routes otherwise) and is also affected by NAT and/or NAT exemption rules on the firewall. All of those aspects affect the reachability of remote systems.
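Added example (not from the thread, Cisco, or the ASA itself): a small Python first-match model of the manual NAT rules Mahesh posted, to show which rule a full-tunnel pool address hits versus a clientless user's own host, which is not in the pool at all. The object prefixes and the outside interface address are assumed values, since the thread does not show the object definitions; the model covers rule lookup only and says nothing about how the ASA handles traffic addressed to its own interface.

```python
import ipaddress

# Object names from the posted "sh run nat" mapped to prefixes. The thread does
# not show the object definitions, so every prefix here is an ASSUMED value.
OBJECTS = {
    "vpn_pool_ip": "192.168.100.0/24",          # assumed AnyConnect pool
    "inside": "10.0.0.0/24",                     # assumed; contains 10.0.0.1
    "sales": "10.1.0.0/24",                      # assumed
    "NETWORK_OBJ_10.0.0.0_24": "10.0.0.0/24",
    "NETWORK_OBJ_10.2.0.0_24": "10.2.0.0/24",
    "any": "0.0.0.0/0",
}
OUTSIDE_IF_IP = "203.0.113.1"  # constructed outside interface address

# (ingress, egress, source object, dynamic PAT?, destination object) in the
# order "sh run nat" listed them. Manual NAT is checked top-down, first match.
RULES = [
    ("outside", "any",     "vpn_pool_ip",             False, "inside"),
    ("inside",  "outside", "inside",                  False, "vpn_pool_ip"),
    ("inside",  "outside", "inside",                  True,  "any"),
    ("inside",  "outside", "NETWORK_OBJ_10.0.0.0_24", False, "NETWORK_OBJ_10.2.0.0_24"),
    ("inside",  "outside", "inside",                  False, "inside"),
    ("sales",   "outside", "sales",                   False, "sales"),
    ("outside", "outside", "vpn_pool_ip",             True,  "any"),
]


def _in(obj, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[obj])


def nat_lookup(ingress, src, dst):
    """Return (rule number, translated source) for the first matching manual
    NAT rule, or None when no rule applies. Matching keys on the ingress
    interface and the source/destination objects only (egress is ignored).
    Every static rule above is an identity rule, so it leaves the source as
    is; the dynamic rules PAT the source to the outside interface address."""
    for n, (ing, _egr, sobj, dynamic, dobj) in enumerate(RULES, start=1):
        if ing == ingress and _in(sobj, src) and _in(dobj, dst):
            return n, (OUTSIDE_IF_IP if dynamic else src)
    return None


if __name__ == "__main__":
    # Full-tunnel AnyConnect user (constructed pool address) to 10.0.0.1:
    print(nat_lookup("outside", "192.168.100.10", "10.0.0.1"))   # (1, '192.168.100.10')
    # Same user to an Internet host: sent back out and PATed to the interface.
    print(nat_lookup("outside", "192.168.100.10", "8.8.8.8"))    # (7, '203.0.113.1')
    # Clientless user's own host (constructed Internet address) sshing to the
    # outside interface: not in the pool, so no manual NAT rule touches it.
    print(nat_lookup("outside", "198.51.100.20", "203.0.113.1")) # None
```

Swap in the real object prefixes from "show run object" to check the same three flows against the actual pool; the full-tunnel path also depends on the routes pushed to the client, which this model does not cover.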
