08-19-2014 11:18 AM
Hi,
I have an issue I just can't figure out, but hopefully a lot of smart people on this forum can :)
In a lab I built a Juniper SA SSL remote access on the inside network, and SSL VPN works to this device from within the inside network.
On the edge between the inside and the outside network I have a Cisco ASA with AnyConnect SSL VPN, and this one works from the outside.
But now I want to make the Juniper SA accessible from the outside network, so I figured NAT port translation can do this, because obviously TCP port 443 is used by the ASA SSL VPN.
So I created this ACL:
object network Juniper.SA
host 10.10.10.224
access-list outside_access_in extended permit tcp any object Juniper.SA eq https log debugging
And this matching NAT rule:
object network Juniper.SA
nat (inside,outside) static interface service tcp https 4443
And this is the NAT table:
TCP PAT from inside:10.10.10.224 443-443 to outside:100.100.100.1 4443-4443
So now when I try to connect to the Juniper SA with a browser on the outside network (https://100.100.100.1:4443), at first I get a certificate warning from the self-signed certificate in the Juniper SA, and when I click OK I get this weird message:
https://100.100.100.1/+CSCOE+/message.html?mc=2
08-19-2014 02:01 PM
If you get to the juniper in first place, then the ASA has no knowledge what is happening inside the HTTPS-session. If you land later on the ASA, then it's very likely that the Juniper has sent a redirect to the browser or you are just following a link that has the port TCP/443 in it. Possible ways to solve that:
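The following is an added example (not code from this thread or from either vendor) that reproduces Karsten's reasoning as a small offline check. It parses the "TCP PAT" line from the first post and, for a given Location header, decides whether a browser following that redirect stays on the translated port 4443 (the Juniper) or drops back to 443, where the ASA's own SSL VPN answers. It also checks that the ACL port is the real (untranslated) port, which is what ASA 8.3 and later match on. The Location header values, the "/welcome" path and the verdict strings are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the PAT entry quoted in the thread (show nat style line).
PAT_LINE = "TCP PAT from inside:10.10.10.224 443-443 to outside:100.100.100.1 4443-4443"

_PAT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<real_if>\S+):(?P<real_ip>[\d.]+) "
    r"(?P<real_lo>\d+)-(?P<real_hi>\d+) to (?P<mapped_if>\S+):(?P<mapped_ip>[\d.]+) "
    r"(?P<mapped_lo>\d+)-(?P<mapped_hi>\d+)$"
)

_DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_pat(line):
    """Parse one 'TCP PAT from ... to ...' line into real and mapped endpoints."""
    m = _PAT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PAT line: %r" % line)
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "real_ip": d["real_ip"],
        "real_port": int(d["real_lo"]),
        "mapped_ip": d["mapped_ip"],
        "mapped_port": int(d["mapped_lo"]),
    }


def where_redirect_lands(pat, location, current_scheme="https"):
    """Classify the host:port a browser will hit after following `location`.

    Verdicts (constructed labels for this example):
      juniper              - same host and the translated port, request reaches the SA
      asa-outside          - mapped IP but a different port (e.g. 443), the ASA answers itself
      private-unreachable  - redirect names the inside address, not routable from outside
      other-host           - redirect leaves the PAT mapping entirely
    """
    parts = urlsplit(location)
    if not parts.netloc:
        # Relative redirect: the browser keeps the current host and port.
        return "juniper"
    scheme = parts.scheme or current_scheme
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    host = parts.hostname
    if host == pat["mapped_ip"]:
        return "juniper" if port == pat["mapped_port"] else "asa-outside"
    if host == pat["real_ip"]:
        return "private-unreachable"
    return "other-host"


def acl_port_matches_real(pat, acl_port):
    """ASA 8.3+ access lists match the real (untranslated) address and port,
    so the interface ACL should permit the real port (443), not the mapped one (4443)."""
    return acl_port == pat["real_port"]


if __name__ == "__main__":
    pat = parse_pat(PAT_LINE)
    # Constructed Location headers a captured response might carry.
    for loc in ("https://100.100.100.1/welcome",
                "https://100.100.100.1:4443/welcome",
                "/welcome",
                "https://10.10.10.224/welcome"):
        print("%-40s -> %s" % (loc, where_redirect_lands(pat, loc)))
    print("ACL 'eq https' matches real port:", acl_port_matches_real(pat, 443))
```

To use it against a real session, copy the Location header from the browser's network tab (or a packet capture terminated at the client) into the loop; an "asa-outside" verdict is the case Karsten describes, where the redirect carries no port and the browser goes back to TCP/443 on the ASA.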
08-21-2014 11:14 AM
Hi Karsten. Thanks for the reply.
Not all the options are feasible or wanted, because:
1) Because it's a lab on an ADSL line, only 1 public IP address is allowed by the provider
2) I tested option 2 and it worked! But it's not really what I want, because AnyConnect is used to provide access to the lab, and we want this to be the standard solution. We only want to test the Juniper SA. So I restored the original situation.
3) Change the port on the Juniper.... right, you think it's easy and a quick solution, but unfortunately I don't think it's possible. http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841
Other users on this Juniper forum experienced the same issue, but not a real solution so far.... hmm I think we can better hang on to Cisco :)