Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1518
Views
0
Helpful
17
Replies

ASA WEB VPN

shihabuddin_ebrahim
Level 1
Level 1

‎09-11-2018 05:17 AM - edited ‎02-21-2020 08:13 AM

Hi,

There is a web server hosted on internet nobody can access it from internet except allowed IPs.
so we can access it from our prem but not from internet.
we created sslvpn on Cisco ASA and added the URL of the web server as bookmark but it doesn't work.
we found that ASA the traffic to internet directly not through the Proxy,
how we can make ASA to send the traffic to this URL to the proxy?

Regards

0 Helpful
17 Replies 17

balaji.bandi
Hall of Fame
Hall of Fame

‎09-11-2018 06:43 AM

As per my understading

 

when the user connect to your network using VPN they are not able to access the URL, which was access through your Local Lan but not on VPN.

 

if this case, is your LAN using Proxy settings, or WCCP to send traffic to proxy Server.

 

Explain how is your Lan access to this URL, flow model.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to balaji.bandi

‎09-11-2018 07:54 AM

Thank you for your response,



from local lan the traffic goes to ASA a policy based routing forwards http and https to the proxy.

but when the user clicks the bookmark the traffic goes directly to internet without passing the proxy.

i need to make it go to the proxy.


0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to shihabuddin_ebrahim

‎09-11-2018 08:53 AM

but when the user clicks the bookmark the traffic goes directly to internet without passing the proxy.

 

This you mean VPN user ? in this case you need to use same policy to route to proxy. (for the IP range for the VPN Range).

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to balaji.bandi

‎09-11-2018 11:05 AM

yes clientless ssl vpn user, there is no ip range because this is client less vpn , if i change same policy the remaining 9000 users well be affected i want to configure the bookmark only to go to the proxy, but how ?
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to shihabuddin_ebrahim

‎09-11-2018 12:46 PM

as suggested other post we need more details to assist further on this problem.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

gbekmezi-DD
Level 5
Level 5

‎09-11-2018 08:41 AM

You have more details? What is happening when you try? Is the link showing up in the webvpn portal? What error are you experiencing?

Thanks,

George
0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to gbekmezi-DD

‎09-11-2018 12:51 PM

@gbekmezi-DD wrote:
You have more details? What is happening when you try? Is the link showing up in the webvpn portal? What error are you experiencing?

Thanks,

George

yes the link showing in the portal,the traffic goes to internet but as the web server do not accept traffic except from our proxy ip the web page does not open, we need a way to make the traffic go to the proxy I wonder if there is a method to add the proxy IP to the group policy to make this particular bookmark to go to the proxy

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to shihabuddin_ebrahim

‎09-11-2018 12:55 PM

Since you are redirecting the Traffic to proxy using PBR, you need to identify the VPN user IP block and route the same to proxy for that URL IP, so proxy will can allow your VPN users to access that URL.

 

If you think this is issue with your other users and Service impact.

 

for testing create a another vpn user group with new IP range, test it, if that works deploy same for all other users.

 

Make Sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to balaji.bandi

‎09-11-2018 12:58 PM

there is NO vpn user ip BECAUSE this is CLIENTLESS vpn

0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to balaji.bandi

‎09-11-2018 01:00 PM

there is NO VPN USER IP BECAUSE this is CLIENTLESS SSL VPN through portal
0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to balaji.bandi

‎09-11-2018 01:05 PM

yes make sense but there is a little problem there is NO IP RANGE and NO IP POOL BECAUSE THIS IS CLIENTLESS SSL VPN



0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to shihabuddin_ebrahim

‎09-11-2018 01:38 PM

Can you post webvpn part of  configuration.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

gbekmezi-DD
Level 5
Level 5
In response to balaji.bandi

‎09-11-2018 02:02 PM

What kind of proxy are you using and what network equipment exists between the ASA and the web server? Can you use WCCP to redirect the traffic sourced from the ASA to the internal web server to your proxy?
0 Helpful

shihabuddin_ebrahim
Level 1
Level 1
In response to gbekmezi-DD

‎09-11-2018 09:01 PM

the traffic coming from the users to the ASA where there is policy based routing to forward http and https to bluecoat.


do you mean that it is possible to use wccp to forward the traffic of this bookmark to bluecoat and keep all remaining traffic as it is , is this possible ?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card