Cisco Support Community
Community Member

WebVPN design issue


i've got a question concerning the WebVPN feature of the ASA 5520. In our setup there is an outside interface and an inside interface. WebVPN is enabled on the outside interface and clients can connect there via browser on the portal site of the ASA. Theres a bookmark on that portal site, that points to a internal web server. When looking the log files, the request of the client is like: Client -> ASA -> Web server. The ASA replaces the source IP of the client with the IP of the inside interface. The question now is: is it possible (maybe with NAT?) to tell the ASA to replace the source ip of the client with a specific ip adress (or pool of adresses)? Or does the ASA in the WebVPN scenario always replace the clients source ip with the inside interface ip adress?

Thanks in advance!


Community Member

Re: WebVPN design issue

In your webserver log, you will always see the ASA internal IP accessing the webserver (instead of the client).

This behaviour is by design.

What happens here is, when the WebVPN user click on the link, ASA itself will fetch the data from the webserver. The WebVPN client will never have a chance to know where is this server, nor the server know where is this 'real' client.

So if you are talking about traceability, you have to do this at both the webserver logs and the WebVPN logs. Ensure the time is in sync so that you can make the correct references.

CreatePlease to create content