
New Member

ISA570 VPN Issue - Double Split Tunneling

Hi,

Our company uses an ISA570 as our perimeter security. We have enabled SSL VPN to provide access to the network for our telecommuters. Our client has a Juniper SA6000 based VPN solution. Our personnel usually log into the Juniper VPN for their work.

Our telecommuters, however, face this problem while accessing the Juniper VPN while logged into our SSL VPN. We have disabled split tunneling on the ISA570 so all traffic from the host PC exits to the internet from our VPN gateway. Now when we connect to the client VPN, the traffic should go through our VPN, then proceed to the client VPN and exit from the client gateway. However, that is not happening. Even when connected to the client VPN, the traffic exits from our VPN gateway. For some reason the two encapsulations are being removed at our gateway.

Host PC    A Tunnel Start    B Tunnel Start    A Tunnel End    B Tunnel End    Pub IP
P          (P)               ((P))             (P)             P               P

Above is what we want, but the scenario below is what we are getting. [P is the packet, and () is each level of VPN encapsulation.]

Host PC    A Tunnel Start    B Tunnel Start    A Tunnel End    B Tunnel End    Pub IP
P          (P)               ((P))             P

Please advise on a possible resolution for this issue. Is it due to some SSL VPN configuration error at our ISA570?

Thanks

4 REPLIES
New Member

ISA570 VPN Issue - Double Split Tunneling

Can you give us a topology? By what you have explained, it seems like the Juniper is connected to the ISA on the LAN side. If so, you are saying that you use AnyConnect to get to the local network of the ISA and then use another VPN program to get to the Juniper? If you could explain this a little more for me, please.

New Member

ISA570 VPN Issue - Double Split Tunneling

Hi John,

I have tried to hand draw the scenario that we have.

This is the Expected Traffic path

[Attachment: Expected.jpg]

And this is the Traffic path that we have currently

[Attachment: Current.jpg]

I hope it is decipherable and makes sense?

New Member

ISA570 VPN Issue - Double Split Tunneling

OK, so it looks like SSL VPN to the ISA, then an IPsec tunnel between the ISA and the Juniper. If that is the case, you need to create another IPsec policy between the ISA and the Juniper for the SSL VPN IP range so the SSL clients can traverse the tunnel. Make sure you do a policy from the ISA to the Juniper on the ISA, and a policy on the Juniper back to the ISA.

New Member

ISA570 VPN Issue - Double Split Tunneling

No John, the machine has two SSL VPN connections, the first to the ISA and the second to the Juniper. However, it would be connected such that the first SSL VPN tunnel to the ISA is established, and through that traffic path the computer establishes a second SSL VPN tunnel to the Juniper: a VPN tunnel created through another VPN tunnel. There is no VPN tunnel between the ISA570 and the Juniper, SSL or IPsec, just the regular internet connection.
