813 Views | 0 Helpful | 4 Replies

SSL VPN to IPSEC traffic

toolshed1 (Level 1)

Hi,

I have an ASA 55xx that I'm using as a VPN concentrator.

I have a need where one of the SSL VPN clients needs to be able to go through the IPsec tunnel. Both are configured on that same ASA and both are functioning. I already have same-security-traffic permit intra-interface as part of my config.

So essentially IPsec can get to internal resources and internal resources can get to remote resources through IPsec, and the SSL VPN client can get to internal resources, but the SSL VPN client can't get to resources over the IPsec tunnel.

4 Replies

Hi,
First guess would be that you possibly need a NAT exemption rule, to ensure the Remote Access VPN traffic is not NATed over the IPsec Site-to-Site VPN tunnel.

Can you provide your configuration and the output of "show nat" please.

I added the VPN client IP into an existing object-group and that did the trick. The object-group is being used for NAT and ACLs.

Is there a way for me to limit what the SSL VPN client can access over IPsec? I re-used the internal resources object-group, which gives access to the entire subnet.

You could configure the VPN Filter to restrict access.

Example here.

First: If you have NAT statements on your firewall, you will need to configure a twice NAT / NAT exempt for the AnyConnect traffic to the remote subnet.

Second: You need to add your AnyConnect subnet to the Site-to-Site VPN crypto ACL at both ends of the Site-to-Site VPN.

Third: If you are using split tunneling in your AnyConnect profile, you would need to add the remote site IP subnet to the split tunnel ACL.

--
Please remember to select a correct answer and rate helpful posts
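The three steps above and the VPN Filter suggestion, written out as ASA 8.3+/9.x configuration. This is an added illustration, not configuration from the thread or from Cisco; the object names, ACL names, group-policy name, and all addresses (AnyConnect pool 192.168.100.0/24, local LAN 10.1.1.0/24, remote site LAN 10.2.2.0/24, an RDP host 10.2.2.10) are assumed placeholders to be replaced with your own.

```cisco
! Added example, not from the original thread. All names and addresses are assumed.
object network ANYCONNECT_POOL
 subnet 192.168.100.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.2.0 255.255.255.0

! Step 1: twice NAT / NAT exemption so AnyConnect traffic to the remote site
! keeps its pool address. Traffic enters and leaves on "outside" (hairpin),
! so route-lookup lets the ASA pick the egress by routing table rather than NAT.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Step 2: add the AnyConnect pool to the site-to-site crypto ACL.
! The peer ASA needs the mirror image (its LAN -> ANYCONNECT_POOL).
access-list L2L_CRYPTO extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list L2L_CRYPTO extended permit ip object ANYCONNECT_POOL object REMOTE_LAN

! Step 3: with split tunneling, the client only sends the remote subnet into the
! tunnel if it is listed in the split-tunnel ACL.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0

! VPN Filter: restrict what the SSL VPN clients may reach instead of re-using the
! broad internal object-group. For remote-access sessions the filter ACL is
! written with the client address as the source and the protected host as the
! destination; the ASA applies it to the return traffic as well.
access-list RA_VPN_FILTER extended permit tcp object ANYCONNECT_POOL host 10.2.2.10 eq 3389
access-list RA_VPN_FILTER extended permit ip object ANYCONNECT_POOL object LOCAL_LAN
access-list RA_VPN_FILTER extended deny ip any any

group-policy RA_GP attributes
 vpn-filter value RA_VPN_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

After applying, confirm the NAT exemption is matched and the SA carries the new selector with `show nat detail` and `show crypto ipsec sa`, and walk one flow through the box with `packet-tracer input outside tcp 192.168.100.5 12345 10.2.2.10 3389`; the trace shows the NAT and VPN phases and whether the vpn-filter drops the packet. Keep the explicit `deny ip any any` at the end of the filter so that any resource you forgot to list is refused rather than silently allowed.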