topic Re: SSL and IPSEC to get to the remote site in Network Security

SSL and IPSEC to get to the remote site

network770 — Mon, 11 Mar 2019 20:08:45 GMT

We have the following situation...

We want to have the ability to SSL to the firewall (reason is we need a clientLESS solution that can be initiated from anywhere) and then be able to access a remote which is on the other side of the VPN tunnel. The catch is here...the remote VPN site will only accept the traffic if the source address is the 'interface' address of the firewall, here's a pic:

user@home --SSL--> firewall ---IPSEC VPN---> remote site

again, the remote site only allows access if the traffic is coming from the outside interface of the firewall.... so the whole point of the SSL is to security proxy the session from home via the firewall.

any thoughts?

Re: SSL and IPSEC to get to the remote site

Jennifer Halim — Fri, 18 Mar 2011 01:53:58 GMT

This would perfectly work to your favour, as that is the only option you have for clientless SSL vpn access towards the IPSec tunnel.

Clientless SSL VPN will proxy the connection using the closest interface where the traffic is supposed to be routed to, hence in your scenario:

I assume that both SSL VPN and IPSec VPN are terminated on the firewall outside interface, right? and since the clientless resources that you are planning to access is behind the remote VPN, then the clientless SSL VPN will proxy the connection from the ASA outside interface as the IPSec VPN is terminated on the ASA.

Hope that helps.