In a Clientless SSL VPN connection, the adaptive security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the adaptive security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, and therefore it cannot examine and validate the certificate.
If you are trying to modify the routing table on the SSL VPN client host, this is normal behaviour. The SSL VPN client sets up routes based on the ASA's VPN configuration (split-tunneling).
Modifying the routes on the client host could be an attempt to subvert the security of the connection, so the client will monitor the route table, and, as you have noticed, disconnect you if it is modified.
If you require different routes on the client host, your best option is to configure the split-tunneling to only include the routes of the protected network. Of course, this has other security implications.
Basically this is a lab environment, hence I need to add other routes to reach local hosts (not necessarily over the VPN tunnel). The SSL VPN client detects these changes and disconnects me. I wish there was an option on the ASA which could allow this. Even though it can be used to subvert, access lists can be used to protect against this. Also, NAT rules may already disallow this.
Well, you could try setting up the split-tunneling for your testing.
In ASDM go to Remote Access VPN > Network (Client) Access > Group Policies, and open your policy. In the policy go to Advanced > Split Tunneling > Policy (the second item on that page) and you can choose from 'Tunnel All Networks', 'Tunnel Networks Listed Below' or 'Exclude Networks Listed Below'. Then for the Network List you will assign an ACL that contains the networks you want to tunnel or exclude.
But, you cannot change them on-the-fly on the SSL VPN client host.
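The ASDM steps above expressed as the equivalent ASA CLI, as an added example (not taken from the thread or from Cisco documentation): the group-policy name LAB_GP, the ACL name SPLIT_TUNNEL and the 10.10.0.0/16 protected network are assumed placeholders for the lab.

```cisco
! Standard ACL listing only the protected networks that should
! be reached through the tunnel. Everything else stays on the
! client's normal routing table, so the client can keep its own
! routes to local lab hosts without the route monitor tearing
! down the session.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0

! Attach the ACL to the group policy ("Tunnel Networks Listed Below").
! tunnelall is the default; tunnelspecified tunnels only the ACL
! networks; excludespecified would invert the list.
group-policy LAB_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verify what the client will receive once connected.
show run group-policy LAB_GP
show vpn-sessiondb detail anyconnect
```

Caveat, as the first reply notes: with split tunneling the client host is reachable from its local network while the tunnel is up, so the host bridges the two sides and any filtering you rely on has to be enforced on the ASA (vpn-filter / NAT), not on the client.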