Cisco Support Community

New Member

SSL VPN back through the same internet connection to another site

Hi, I have a network with a Juniper SSL box which connects to the ASA5510 DMZ port, where the outside of the ASA is the same as the outside of the SSL VPN box.

Accessing the internal network has no issues at all.

Now I need remote users to SSL VPN to the Juniper box and internally connect to my remote sites, which takes the client connection via the internet router again (through a Cisco site-to-site IPSec VPN) to the remote site.

Can this be done? My gut feeling is "yes, it can be done".

Currently I am getting nowhere; I don't get any ASA DMZ ACL hits if I try to access remote site resources from the SSL VPN client.

Diagram attached.

Any help would be appreciated

2 ACCEPTED SOLUTIONS

4 REPLIES
Super Bronze

Re: SSL VPN back through the same internet connection to another

Shouldn't be a problem.

On the Juniper SSL, you would need to check if routes have been added for the remote IPSec LAN to point towards the ASA DMZ interface IP address instead of pointing out towards the internet via the Juniper SSL box.

You would need to configure NAT exemption on the ASA box between the SSL pool subnet towards the remote IPSec LAN. Further to that, you would also include the SSL subnet towards the remote LAN subnets in the crypto ACL, and a mirror-image ACL in the remote site crypto ACL.

Hope that helps.

New Member

Re: SSL VPN back through the same internet connection to another

Thanks Halijenn, that is exactly what I did, but without NAT exemption. My site-to-site IPSec tunnel is between two routers, so do I need to exempt NATing for the SSL pool in the ASA?

Regards

Super Bronze

Re: SSL VPN back through the same internet connection to another

Yes, in that case, if you are not doing any NATing, then you would need to configure NAT exemption on both the ASA and the router. Otherwise, the crypto ACL will not match, which will not trigger the tunnel/SA to be created for the LAN-to-LAN IPSec tunnel.
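The configuration the two accepted replies describe (a route and NAT exemption on the ASA, the extra crypto ACL line plus NAT exemption on the hub router, and the mirrored crypto ACL on the remote router), written out as an added example. It is not from the thread; every subnet, interface name and ACL/object name is a constructed assumption.

```cisco
! --- Hub ASA (pre-8.3 syntax, e.g. 8.2 on an ASA5510) ---
! Constructed example addressing, not from the thread:
!   SSL VPN client pool   : 10.10.10.0/24  (handed out by the Juniper on the DMZ side)
!   Hub internal LAN      : 192.168.1.0/24
!   Remote IPSec site LAN : 192.168.50.0/24
! Interface names "dmz"/"inside" and all ACL/object names are assumed.
! Reverse path: send replies for the client pool back to the Juniper.
route dmz 10.10.10.0 255.255.255.0 <JUNIPER_DMZ_IP>
! NAT exemption: keep the pool's real source address towards the remote LAN,
! otherwise the router's crypto ACL never matches and no SA is built.
access-list DMZ_NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NONAT
! Let the pool into the DMZ interface ACL (where the poster saw no hits).
access-list DMZ_IN extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group DMZ_IN in interface dmz
! ASA 8.3+ equivalent of the "nat 0" line (object names assumed):
!   object network SSL_POOL
!    subnet 10.10.10.0 255.255.255.0
!   object network REMOTE_LAN
!    subnet 192.168.50.0 255.255.255.0
!   nat (dmz,inside) source static SSL_POOL SSL_POOL destination static REMOTE_LAN REMOTE_LAN

! --- Hub IOS router terminating the site-to-site tunnel ---
! Route the client pool back to the ASA.
ip route 10.10.10.0 255.255.255.0 <ASA_INSIDE_IP>
! Crypto ACL: add the SSL pool -> remote LAN line next to the existing LAN line.
ip access-list extended CRYPTO_TO_REMOTE
 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
! Router NAT exemption: deny tunnel traffic before the overload PAT permit.
ip access-list extended NAT_EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT_EXEMPT interface FastEthernet0/0 overload

! --- Remote IOS router: mirror image of the hub crypto ACL ---
ip access-list extended CRYPTO_TO_HUB
 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
! The remote NAT exemption list needs the matching deny for 192.168.50.0 -> 10.10.10.0 as well.
```

After applying this, `show crypto ipsec sa` on the router should show a second SA pair for the 10.10.10.0/24 to 192.168.50.0/24 proxy identities once a VPN client sends traffic.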

New Member

Re: SSL VPN back through the same internet connection to another

Hi, thanks, in my case it was a wrong static statement causing the problem.

Appreciate your support on this issue, thanks again.
