Beginner

SSL VPN to IPSEC traffic

Hi,

I have an ASA 55xx that I'm using as a VPN concentrator.

I have a need where one of the SSL VPN clients needs to be able to go through the IPSEC tunnel. Both are configured on that same ASA and both are functioning. I already have same-security-traffic permit intra-interface as part of my config.


So essentially IPSEC can get to internal resources and internal resources can get to remote resources through IPSEC; the SSL VPN client can get to internal resources, but the SSL VPN client can't get to resources over the IPSEC tunnel.

4 REPLIES
RJI (VIP Advocate)

Re: SSL VPN to IPSEC traffic

Hi,
First guess would be that you possibly need a NAT exemption rule, to ensure the Remote Access VPN traffic is not NATted over the IPSec Site-to-Site VPN tunnel.

Can you provide your configuration and the output of "show nat" please.
Beginner

Re: SSL VPN to IPSEC traffic

I added the VPN client IP into an existing object group and that did the trick. The object group is being used for NAT and ACLs.

Is there a way for me to limit what the SSL VPN can access over IPSEC? I re-used the internal resources object-group that gives access to the entire subnet.

RJI (VIP Advocate)

Re: SSL VPN to IPSEC traffic

You could configure the VPN Filter to restrict access.


Example here.
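The vpn-filter approach mentioned above, as an added configuration example that is not part of the thread. Addressing and object names are assumptions: AnyConnect pool 192.168.250.0/24, inside 10.1.0.0/16, remote site behind the IPsec tunnel 10.2.0.0/24 with two hosts the SSL VPN users may reach, and a group policy named GP-SSL-USERS. The vpn-filter ACL is written from the client's perspective (source is the VPN client, destination is the resource), is evaluated for both directions of a flow, and ends in an implicit deny, so the internal resources the user still needs must be permitted explicitly or they will also be cut off.

```cisco
! Added example, not from the original post. Names and addresses are placeholders.
! Goal: an SSL VPN user may reach the whole inside subnet, but over the
! site-to-site tunnel only two hosts on 443 and 3389.
object network ANYCONNECT-POOL
 subnet 192.168.250.0 255.255.255.0
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object-group network REMOTE-ALLOWED-HOSTS
 network-object host 10.2.0.10
 network-object host 10.2.0.20
!
! Source = VPN client, destination = resource. Return traffic is matched by
! the same lines, so no reverse entries are needed.
access-list VPNFILTER-SSL-USERS extended permit ip object ANYCONNECT-POOL object INSIDE-NET
access-list VPNFILTER-SSL-USERS extended permit tcp object ANYCONNECT-POOL object-group REMOTE-ALLOWED-HOSTS eq 443
access-list VPNFILTER-SSL-USERS extended permit tcp object ANYCONNECT-POOL object-group REMOTE-ALLOWED-HOSTS eq 3389
! Explicit deny with logging makes the implicit deny visible in syslog.
access-list VPNFILTER-SSL-USERS extended deny ip any any log
!
! Attach the filter to the group policy the SSL VPN users land in
! (a per-user "username ... attributes" section works the same way).
group-policy GP-SSL-USERS attributes
 vpn-filter value VPNFILTER-SSL-USERS
```

To confirm the filter took effect, reconnect the client and check `show vpn-sessiondb detail anyconnect filter name <username>`, which lists the filter name on the session, then watch `show access-list VPNFILTER-SSL-USERS` for hit counts on the deny line while the user tries a blocked host. Note that the filter restricts only what the client can reach; the NAT exemption and crypto ACL still decide whether the traffic enters the site-to-site tunnel at all.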

VIP Advocate

Re: SSL VPN to IPSEC traffic

First: If you have NAT statements on your firewall, you will need to configure a twice NAT / NAT exempt for the AnyConnect traffic to the remote subnet.  

Second: you need to add your AnyConnect subnet to the Site 2 Site VPN crypto ACL at both ends of the Site 2 Site VPN.

Third:  If you are using split tunneling in your AnyConnect you would need to add the remote site IP subnet to the split tunnel ACL.

--
Please remember to rate and select a correct answer
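The three steps in the reply above, pulled together into one added configuration example that is not part of the thread. Everything below is an assumption for illustration: AnyConnect pool 192.168.250.0/24, inside 10.1.0.0/16, remote site 10.2.0.0/24, site-to-site peer 203.0.113.2, interfaces named inside and outside, a crypto map OUTSIDE-MAP whose entry 10 (peer, transform set) already exists, and a group policy GP-SSL-USERS.

```cisco
! Added example, not from the original post. Names and addresses are placeholders.
object network ANYCONNECT-POOL
 subnet 192.168.250.0 255.255.255.0
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-SITE-NET
 subnet 10.2.0.0 255.255.255.0
!
! 1) NAT exemption as identity twice NAT. The client traffic is decrypted on
!    outside and re-encrypted on outside, so the rule is (outside,outside),
!    which is exactly why same-security-traffic permit intra-interface is
!    needed. Put it at the top (line 1) so a dynamic PAT rule cannot match first.
same-security-traffic permit intra-interface
nat (outside,outside) 1 source static ANYCONNECT-POOL ANYCONNECT-POOL destination static REMOTE-SITE-NET REMOTE-SITE-NET no-proxy-arp route-lookup
! The existing inside-to-remote exemption stays as a separate rule:
nat (inside,outside) 2 source static INSIDE-NET INSIDE-NET destination static REMOTE-SITE-NET REMOTE-SITE-NET no-proxy-arp route-lookup
!
! 2) Crypto ACL: the pool becomes a second interesting-traffic source. The
!    remote peer must add the mirror image (10.2.0.0/24 -> 192.168.250.0/24)
!    or Phase 2 fails for that proxy-ID pair while inside-to-remote keeps working.
access-list L2L-TO-REMOTE extended permit ip object INSIDE-NET object REMOTE-SITE-NET
access-list L2L-TO-REMOTE extended permit ip object ANYCONNECT-POOL object REMOTE-SITE-NET
crypto map OUTSIDE-MAP 10 match address L2L-TO-REMOTE
!
! 3) Split-tunnel ACL (standard ACL of what the client sends into the tunnel).
!    Without 10.2.0.0/24 here the client routes it out its local Internet
!    connection and the ASA never sees the packet.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy GP-SSL-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

To check each step: `show nat detail` should list the (outside,outside) identity rule above any dynamic PAT rule; `show crypto ipsec sa peer 203.0.113.2` should show a second SA pair with local ident 192.168.250.0/24 and remote ident 10.2.0.0/24 once a client sends traffic; and `packet-tracer input outside tcp 192.168.250.10 12345 10.2.0.10 443 detailed` (adding the `decrypted` keyword on releases that support it, so the packet is treated as coming from a VPN session) should pass through the NAT phase on the identity rule and the VPN phase on L2L-TO-REMOTE. If the split-tunnel list was changed, the client has to reconnect to pick up the new routes.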