Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

clientless vpn and ssh to outside interface of ASA

 

Hi Everyone,

I was testing clientless ssl at my home lab.

While connected via clientless vpn  i am able to ssh ASA outside interface but when i use ssl vpn only i can not ssh to outside interface of ASA.

Need to understand how i am able to ssh to outside interface of ASA using clientless ssl vpn?

 

Regards

MAhesh

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Silver

Mahesh,When you are on

Mahesh,

When you are on clientless SSL VPN your client isn't restricted from Internet routes, isn't being NATted etc. If the ASA is set to allow ssh from outside, then the clientless SSL VPN user is not different from any other.

A full tunnel SSL VPN user might have any or all of those factors in play. Any one of them can cause the inability to access the ASA outside interface via ssh. I'd have to see the configuration to tell you which one (or more) is to blame.

Hall of Fame Super Silver

It would be correct to say

It would be correct to say clientless isn't using NAT with respect to your local machine (the one using the browser for clientless SSL VPN access). In that setup anything that is not launched from within the clientless session (browsing to internal URL, launching plugins etc.) is treated just like a local session originating from whatever network it resides on and using any services (Internet access, local network devices etc.) otherwise available.

When you use full tunnel VPN type (whether IPsec IKEv1 with old client, SSL VPN with AnyConnect or IPsec IKEv2 with AnyConnect, your client machine is getting an IP address assigned from the configured VPN pool (or DHCP server is so configured), routes (either 0.0.0.0 if split tunneling is not allowed or specified routes otherwise) and is also affected by NAT and/or NAT exemption rules on the firewall. All of those aspects affect the reachability of remote systems

4 REPLIES
Hall of Fame Super Silver

Mahesh,When you are on

Mahesh,

When you are on clientless SSL VPN your client isn't restricted from Internet routes, isn't being NATted etc. If the ASA is set to allow ssh from outside, then the clientless SSL VPN user is not different from any other.

A full tunnel SSL VPN user might have any or all of those factors in play. Any one of them can cause the inability to access the ASA outside interface via ssh. I'd have to see the configuration to tell you which one (or more) is to blame.

New Member

 Hi Marvin, When using

 

Hi Marvin,

 

When using clientless VPN when we use plugins to access server or PC via RDP,ssh does it mean then no NAT is involved?

or we can say when we use clientless VPN then no NAtting is involved at all?

Does it mean that when i am connected to ASA via SSL VPN i can still ssh to outside interface of ASA

while using full tunnel?

Here is nat config from ASA

ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel


nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup description Site_To_Site_VPN NAT


nat (inside,outside) source static inside inside destination static inside inside
nat (sales,outside) source static sales sales destination static sales sales
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN

Best regards

MAhesh

Hall of Fame Super Silver

It would be correct to say

It would be correct to say clientless isn't using NAT with respect to your local machine (the one using the browser for clientless SSL VPN access). In that setup anything that is not launched from within the clientless session (browsing to internal URL, launching plugins etc.) is treated just like a local session originating from whatever network it resides on and using any services (Internet access, local network devices etc.) otherwise available.

When you use full tunnel VPN type (whether IPsec IKEv1 with old client, SSL VPN with AnyConnect or IPsec IKEv2 with AnyConnect, your client machine is getting an IP address assigned from the configured VPN pool (or DHCP server is so configured), routes (either 0.0.0.0 if split tunneling is not allowed or specified routes otherwise) and is also affected by NAT and/or NAT exemption rules on the firewall. All of those aspects affect the reachability of remote systems

New Member

 Many thanks Marvin. Regards

 

Many thanks Marvin.

 

Regards

 

MAhesh

105
Views
0
Helpful
4
Replies
CreatePlease to create content