Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VLAN Mapping and Inline Probe

Hi there,

I'm trying to make all my traffic from SSL VPN clients flow through an Inline Traffic probe. From what I can see, I should use the VLAN mapping feature. But I can't figure out how the feature works. The documentation from ASA not very informative or extensive.

Currently my ASA has a Interconnect network on a VLAN to my Core router, and all my internal networks are routed to the Core IP address. My Core router's default gateway is the ASA. My ASA provides the IP addresses to the remote SSL VPN clients, and is the default router for them. Remote Traffic flows from the remote client to the ASA, then through the interconnect, to my internal networks. My single ASA is working as both my Edge firewall and the SSL VPN concentrator.

I undestand VLAN mapping will make all the traffic from remote clients to egress on a particular VLAN. So, I have created a new VLAN and added that to a trunk on the ASA. Then, I enabled the "Restrict Access to VLAN" and set it to my VLAN. My Inline Traffic probe is connected to the VLAN and can provide DHCP.

If this was a regular network, I would make the Inline Traffic probe the default gateway for that VLAN, and provide the IP and Gateway addresses with it's DHCP server. But how does it work with ASA? I can captive the egress to that VLAN, but can't figure out how to make the traffic pass through the monitor. As ASA does not support source-based routing I can't make the traffic next-hop to the Probe.

I can make the Probe bridge (L2) the interconnect network and the remote client VLAN. But the IP address of the ASA on the VLAN is not within the same range as the interconnect, so I can't understand if and how this would work.

Can someone help me with the configuration or explaing me better how VLAN mapping works?

Thanks.

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

VLAN Mapping and Inline Probe

What you are trying to achieve is configurable via the "tunneled" default route, and it would force all traffic from VPN through to this particular default route.

eg:

If your Inline traffic probe is between the ASA inside interface and your CORE, then you can configure:

route inside 0.0.0.0 0.0.0.0 tunneled

That would force all VPN traffic to route to CORE-IP which would go through your inline traffic probe

Here is the command reference for your info:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/qr.html#wp1840612

Hope that helps.

2 REPLIES
Cisco Employee

VLAN Mapping and Inline Probe

What you are trying to achieve is configurable via the "tunneled" default route, and it would force all traffic from VPN through to this particular default route.

eg:

If your Inline traffic probe is between the ASA inside interface and your CORE, then you can configure:

route inside 0.0.0.0 0.0.0.0 tunneled

That would force all VPN traffic to route to CORE-IP which would go through your inline traffic probe

Here is the command reference for your info:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/qr.html#wp1840612

Hope that helps.

New Member

VLAN Mapping and Inline Probe

That's exactly what I want.

Thank you.

711
Views
0
Helpful
2
Replies
CreatePlease login to create content