Cisco Support Community

New Member

SSL vpn

When I'm connected to my ASA 7 with the VPN client and change a Windows route, I get this message:

SSL VPN connection was terminated due to an IP forwarding table modification and could not be automatically re-established.

Can I change this behavior? I'm the administrator of the ASA firewall.

Thank you

4 REPLIES
Silver

Re: SSL vpn

In a Clientless SSL VPN connection, the adaptive security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the adaptive security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, so therefore it cannot examine and validate the certificate.

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/web_vpn.html#wp1059082

New Member

Re: SSL vpn

If you are trying to modify the routing table on the SSL VPN client host, this is normal behaviour. The SSL VPN client sets up routes based on the ASA's VPN configuration (split-tunneling).

Modifying the routes on the client host could be an attempt to subvert the security of the connection, so the client will monitor the route table, and, as you have noticed, disconnect you if it is modified.

If you require different routes on the client host your best option is to configure the split-tunneling to only include the routes of the protected network. Of course, this has other security implications.

New Member

Re: SSL vpn

Basically this is a lab environment, hence I need to add other routes to reach local hosts (not necessarily over the VPN tunnel). The SSL VPN client detects these changes and disconnects me. I wish there was an option on the ASA which could allow this. Even though it can be used to subvert, access lists can be used to protect against this. Also, NAT rules may already disallow this.

New Member

Re: SSL vpn

Well, you could try setting up the split-tunneling for your testing.

In ASDM go to Remote Access VPN > Network (Client) Access > Group Policies, and open your policy. In the policy go to Advanced > Split Tunneling > Policy (the second item on that page) and you can choose from 'Tunnel All Networks', 'Tunnel Networks Listed Below' or 'Exclude Networks Listed Below'. Then for the Network List you will assign an ACL that contains the networks you want to tunnel or exclude.

But, you cannot change them on-the-fly on the SSL VPN client host.
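As an added example (not part of any reply in this thread), here is the CLI equivalent of the ASDM split-tunneling steps described in the last two replies. The group-policy name LAB_POLICY, the ACL name SPLIT_TUNNEL_ACL and the network 10.10.0.0/16 are assumed placeholders; substitute your own.

```cisco
! Added example, not from the thread: CLI form of the ASDM steps
! Remote Access VPN > Network (Client) Access > Group Policies > Advanced > Split Tunneling.
! LAB_POLICY, SPLIT_TUNNEL_ACL and 10.10.0.0/16 are assumed placeholder values.
!
! 1. Standard ACL listing only the protected network(s) that should cross the tunnel.
access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0
!
! 2. Attach it to the group policy ('Tunnel Networks Listed Below' in ASDM).
group-policy LAB_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! The other two ASDM choices map to:
!   split-tunnel-policy tunnelall          -> 'Tunnel All Networks' (the default)
!   split-tunnel-policy excludespecified   -> 'Exclude Networks Listed Below'
!                                            (the ACL then lists what stays local)
!
! 3. Check what the client will be handed at connect time.
show running-config group-policy LAB_POLICY
```

With tunnelspecified the client only installs routes for the networks in the ACL, so traffic to lab hosts outside that list follows the host's normal routing without a route edit on the client; as the reply above notes, editing the routing table after the session is up still triggers the disconnect from the original question. Keep the ACL to the minimum set of protected networks, since a split-tunneled host has simultaneous connectivity to both sides.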
