Cisco Support Community
Community Member

anyconnect ssl vpn and acl

 

 Hi Everyone,

I was testing a few things in my home lab.

 

PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)

AnyConnect SSL is working fine and I am also able to access the internet.

I am using full tunnel.

I have an ACL on the outside interface of the ASA:

#  Enabled  Source  Destination  Service  Action  Hits  Logging  Description
1  True     any     any          ip       Deny    0     Default  []

 

 

I know that the ACL is used for traffic passing through the ASA.

I need to understand the traffic flow for access to the internet via SSL VPN.

 

Regards

Mahesh

 

 

2 ACCEPTED SOLUTIONS (the two replies by VIP Purple below)
5 REPLIES
VIP Purple

As you say correctly, the interface ACL is not important for that, as the VPN traffic is not inspected by that ACL. At least not by default.

You can control the traffic with a different ACL that gets applied to the group policy with the "vpn-filter" command. And of course you need a NAT rule that translates your traffic when flowing to the internet. That rule has to work on the interface pair (outside,outside).
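
The configuration pieces named in that reply, written out as an added example (this is not configuration from the thread or from Cisco documentation). The pool 192.168.100.0/24, the inside network 10.0.0.0/8 and the names VPN_POOL, VPN_POOL_NET, VPN_FILTER and RA_GP are assumptions; substitute your own. It also shows the default that makes the outside ACL irrelevant to decrypted VPN traffic, and the command that reverses that default if you want the interface ACL to apply.

```cisco
! Added example, not the thread's own config. Pool, inside network and object
! names are assumptions.
!
! Default on the ASA: decrypted VPN traffic bypasses the interface ACL.
! This is why the deny-any on "outside" does not stop the client's internet
! traffic. The command is on by default and normally does not appear in the
! running config.
sysopt connection permit-vpn
! To make decrypted VPN traffic subject to the outside interface ACL instead:
! no sysopt connection permit-vpn
!
! Full-tunnel client traffic arrives on "outside" (encrypted) and leaves on
! "outside" (cleartext). That U-turn on one interface must be allowed.
same-security-traffic permit intra-interface
!
! Address pool handed to AnyConnect clients (assumed range)
ip local pool VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! NAT on the interface pair (outside,outside): PAT the private pool addresses
! to the outside interface address so replies from the internet can return.
object network VPN_POOL_NET
 subnet 192.168.100.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! vpn-filter ACL. ACEs are written from the client's side: source is the
! assigned pool address, destination is where the client is going. The ASA
! applies the filter to return traffic as well, and an implicit deny ends it.
! Here the client may reach the internet but not the (assumed) inside network.
access-list VPN_FILTER extended deny ip 192.168.100.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN_FILTER extended permit ip 192.168.100.0 255.255.255.0 any
!
! Group policy: full tunnel, pool, and the filter above
group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelall
 address-pools value VPN_POOL
 vpn-filter value VPN_FILTER
```

Two points worth checking on a real box: the interface ACL only comes back into play for VPN users after `no sysopt connection permit-vpn`, so decide deliberately which of the two ACLs (interface ACL or vpn-filter) is meant to be the policy for remote users; and without `same-security-traffic permit intra-interface` the (outside,outside) NAT rule is never reached because the hairpin is dropped first.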

Community Member

Hi Karsten,

 

Thanks for the great reply. So now I can say that the internet is working as traffic hits the outside interface

of the ASA and then goes to the internet?

I am just trying to understand where in the ASA my traffic hits.

Hope that makes sense.

 

Regards

Mahesh

VIP Purple

The encrypted traffic enters the ASA, gets decrypted, and the ASA routes the traffic back to the internet, this time in cleartext. Because your packet has a private source address (from your VPN pool), the source needs to be translated to a public address that is routable on the internet.
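
To see that flow (decrypt on outside, route back out of outside, translate the pool address) on the ASA itself rather than reason about it, the following verification commands are an added example, not part of the thread. The client address 192.168.100.10, source port 1025 and destination 8.8.8.8 are assumptions; use the address your session actually received.

```cisco
! Added example of verification commands, not from the thread. The client
! address, port and destination are assumptions.
!
! 1. Confirm the AnyConnect session and the pool address it was assigned
show vpn-sessiondb anyconnect
!
! 2. Confirm the (outside,outside) NAT rule exists and that translations are
!    being built for the pool address
show nat detail
show xlate
!
! 3. Trace one client packet from the pool towards the internet. The
!    "decrypted" keyword (ASA 9.x) tells packet-tracer to treat the packet as
!    already-decrypted VPN traffic, so it takes the VPN path (bypassing the
!    outside ACL by default) instead of being evaluated as a fresh inbound
!    packet on "outside". The output shows the ACL, NAT and route phases.
packet-tracer input outside tcp 192.168.100.10 1025 8.8.8.8 80 decrypted
!
! 4. Confirm whether decrypted VPN traffic still bypasses the interface ACL
!    ("show running-config all" also lists settings that are at their default)
show running-config all sysopt
```

If the packet-tracer result is DROP at the ACL phase, check `sysopt connection permit-vpn` and the vpn-filter; if it drops at the NAT or route phase, the (outside,outside) rule or `same-security-traffic permit intra-interface` is the usual cause.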

Community Member

Many thanks, Sir.

 

Best Regards

Mahesh

VIP Purple

You're welcome. Keep on learning and come back to the support communities.
