Juniper SA Remote access virtual appliance behind Cisco ASA

orsonjoon · ‎08-19-2014

Hi,

I have an issue I just can figure out, but hopefully a lot of smart people on this forum can :)

In a lab I build a Juniper SA SSL remote access on the inside network, and SSL VPN works to this device from within the inside network.

On the edge between the inside and the outside network I have an Cisco ASA with Anyconnect SSL VPN, and this one works from the outside.

But now I want to make the Juniper SA accesible from the outside network, so I figured NAT port translation can do this, because obviously TCP port 443 is used by the ASA SSL VPN.

So I created this ACL:

object network Juniper.SA
host 10.10.10.224

access-list outside_access_in extended permit tcp any object Juniper.SA eq https log debugging

And this matching NAT rule:

object network Juniper.SA
nat (inside,outside) static interface service tcp https 4443

And this is the NAT table:

TCP PAT from inside:10.10.10.224 443-443 to outside:100.100.100.1 4443-4443

So now when I try to connect to the Juniper SA with a browser on the outside network (https://100.100.100.1:4443) at first I get a certificate warning from the self signed certificate in the Juniper SA, and when I click OK I get this weird message:

https://100.100.100.1/+CSCOE+/message.html?mc=2

Wrong URL.

It looks like the ASA is responding for the Juniper or something, because the certificate of the ASA is presented when this message appears.

What's wrong here, please help me out, thanks.

Karsten Iwen · ‎08-19-2014

If you get to the juniper in first place, then the ASA has no knowledge what is happening inside the HTTPS-session. If you land later on the ASA, then it's very likely that the Juniper has sent a redirect to the browser or you are just following a link that has the port TCP/443 in it. Possible ways to solve that:

Us a different public IP on the ASA so that you don't have to translate the port.
Let Anyconnect run on a non-standard-port and configure the NAT for the Juniper without PAT, so that TCP/443 is used exclusively for the Juniper.
Tell the Juniper that the public port is different to the local port. But I have no idea if that is possible.

orsonjoon · ‎08-21-2014

Hi Karsten. Thanks for the reply.

Not all the options are feasable or wanted, because:

1) Because it's a lab on a ADSL only 1 public IP address is allowed by the provider

2) I tested option 2 and it worked!, but It's not really what I want, because Anyconnect is used to provide access to the lab, and we want this to be the standard solution. We only want to test the Juniper SA. So I restored the original situation.

3)Change the port on the Juniper.... right, you think it's easy and a quick solution, but unfortunately I don't think it's possible. http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841

Other users on this Juniper forum experienced the same issue, but not a real solution so far.... hmm I think we can better hang on to Cisco :)