anyconnect ssl vpn and acl

Answered Question
May 3rd, 2014

Hi Everyone,

I was testing a few things in my home lab.

 

PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)

AnyConnect SSL is working fine and I am also able to access the internet.

I am using full tunnel.

I have an ACL on the outside interface of the ASA:

#  Enabled  Source  Destination  Service  Action  Hits  Description
1  True     any     any          ip       Deny    0     Default

I know that the ACL is used for traffic passing via the ASA.

I need to understand the traffic flow for access to the internet via SSL VPN.

Regards,

Mahesh


Correct Answer
Karsten Iwen Sat, 05/03/2014 - 07:50
User Badges: Purple (4500 points or more); Cisco Designated VIP, 2017 Firewalling, VPN

As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.

You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

mahesh18 Sat, 05/03/2014 - 07:57

Hi Karsten,

Thanks for the great reply. So now I can say that the internet is working as traffic hits the outside interface of the ASA and then goes to the internet?

I am just trying to understand where in the ASA my traffic hits.

Hope this makes sense.

 

Regards,

Mahesh

Correct Answer
Karsten Iwen Sat, 05/03/2014 - 08:29

The encrypted traffic enters the ASA, gets decrypted and the ASA routes the traffic back to the internet, this time in cleartext. Because your packet has a private source address (from your VPN-pool) the source needs to be translated to a public address that is routable on the internet.
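As an added example (not configuration posted in this thread), the ASA pieces Karsten's two answers describe, put together: the interface ACL is bypassed for decrypted VPN traffic by the default sysopt setting (the "at least not by default" above), the clients' internet traffic leaves through the same outside interface it arrived on, so intra-interface forwarding and a hairpin NAT rule on (outside,outside) are needed, and a vpn-filter ACL on the group policy is where per-client filtering belongs. The pool range, object, ACL and group-policy names are assumptions.

```cisco
! Added example, not from the thread; pool range and all names are assumptions.

! Address pool handed to AnyConnect clients. It is private, so every packet
! routed back out to the internet must be translated to a public address.
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Default setting: decrypted VPN traffic is not checked against the interface
! ACL, which is why the "deny ip any any" rule on outside does not stop the clients.
! Removing it (no sysopt connection permit-vpn) would make the interface ACL apply.
sysopt connection permit-vpn

! Full-tunnel clients send internet traffic back out the interface it came in on,
! so the ASA must be allowed to forward between hosts on the same interface.
same-security-traffic permit intra-interface

! Hairpin NAT on the (outside,outside) interface pair: pool addresses are
! translated to the outside interface address for the trip to the internet.
object network ANYCONNECT-POOL-NET
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Per-group filter instead of the interface ACL. For remote-access clients the
! ACL is written with the client pool as source and the far end as destination;
! here only DNS and web traffic is permitted and everything else is dropped.
access-list VPN-FILTER extended permit udp 10.10.10.0 255.255.255.0 any eq domain
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq https
access-list VPN-FILTER extended deny ip any any

group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-filter value VPN-FILTER
```

The filter is evaluated on the decrypted traffic in both directions, so a single permit line with the pool as source covers the return packets as well. To confirm the flow described above, show vpn-sessiondb anyconnect lists the pool address assigned to the client and show nat shows the (outside,outside) translation count increasing while the client browses.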

Karsten Iwen Sat, 05/03/2014 - 08:38

You're welcome, keep on learning and come back to the support-communities.
