Clientless VPN network traffic question

Hello Community.

I am exploring Clientless SSL VPN and I implemented smart tunnels and port forwarding.

I want to explore how those options work by understanding how the traffic flows from the client to the ASA.

I am looking for examples with the TCP/IP layer stack: how packets are encapsulated into the existing SSL tunnel, or the way that packets are injected into the network stack, probably at the application layer.

If anyone has an understanding of this, please feel free to help.

Thanks in advance.

2 Replies

balaji.bandi (Hall of Fame)

Configuration guide you can refer to below:

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

Maybe the best option is to create a test setup, run Wireshark, and understand the packet output.

Check this thread:

https://community.cisco.com/t5/vpn/tls-packet-decapsulation-question-anyconnect-ssl-vpn/td-p/4574446

BB


M02@rt37 (VIP)

Hello @sakatzidisgiwrgos 

Clientless SSL VPN, including features like smart tunnels and port forwarding, operates at the application layer of the OSI model.

The client establishes an SSL connection with the ASA, typically over port 443. SSL is used to secure the communication channel, providing encryption and authentication.

The client authenticates itself to the ASA, usually through a web-based portal. ASA performs authentication and authorization checks to ensure the client has the necessary privileges.

After successful authentication, the client accesses the SSL VPN portal hosted by the ASA. The portal provides a web-based interface with various resources and applications.

Smart tunnels allow specific applications to use a dedicated "smart" tunnel for enhanced functionality. This is achieved by creating a separate tunnel for selected applications, allowing them to bypass the SSL tunnel for direct communication.

Port forwarding allows the client to access specific applications on the internal network by mapping them to different ports on the ASA. The ASA forwards traffic from specific ports to the corresponding applications on the internal network.

For SSL VPN traffic, data from the client's applications is encapsulated within SSL packets. These SSL packets are then transmitted securely over the SSL VPN tunnel between the client and the ASA.

Upon reaching the ASA, the SSL packets are decrypted, and the original application-layer data is extracted.

For smart tunnels, the ASA injects specific routes into the client's routing table, directing traffic for selected applications through the dedicated smart tunnel.

The client's applications interact directly with the designated smart tunnel or utilize port-forwarded connections as if they were directly connected to the internal network.

To sum up, clientless SSL VPN, smart tunnels, and port forwarding work together to provide secure remote access to specific applications without requiring a full VPN client installation. The SSL tunnel ensures encryption and authentication, while smart tunnels and port forwarding enhance the user experience by allowing direct application access.

Best regards
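The reply above describes port forwarding as application data carried inside the SSL session and de-encapsulated on the ASA. The following is an added example (not code from the original post and not Cisco's implementation) that models that flow with real loopback sockets so the layering can be seen end to end: the unmodified application connects to a local listener on 127.0.0.1, the client-side forwarder wraps its bytes in frames on one tunnel connection, and the gateway (standing in for the ASA) unwraps the frames and opens a plain TCP connection to the internal host. The frame layout (type, channel id, length) is an assumption chosen for the model; the tunnel socket is left as plain TCP so it runs offline, where the real product would have the TLS session to the ASA on port 443 in that position.

```python
"""Model of clientless SSL VPN port forwarding (added example, not Cisco code).

Application TCP on the loopback adapter -> client forwarder -> frames on one
tunnel connection -> gateway -> plain TCP to the internal application server.
The frame format is an assumption for this model, not the ASA wire format.
"""
import socket
import struct
import threading

OPEN, DATA, CLOSE = 1, 2, 3
HDR = struct.Struct("!BIH")  # assumed layout: type, channel id, payload length


def encode_frame(ftype, chan, payload=b""):
    """Wrap application bytes so several TCP streams share one tunnel."""
    return HDR.pack(ftype, chan, len(payload)) + payload


def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def read_frame(sock):
    ftype, chan, length = HDR.unpack(read_exact(sock, HDR.size))
    return ftype, chan, read_exact(sock, length)


def listen_loopback():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # kernel picks a free port
    srv.listen(1)
    return srv


def internal_echo_server(srv):
    """Stands in for the internal application server behind the ASA."""
    conn, _ = srv.accept()
    with conn:
        data = conn.recv(4096)
        conn.sendall(b"echo:" + data)


def gateway(tunnel_srv):
    """ASA side: terminates the tunnel, opens plain TCP to internal hosts."""
    tunnel, _ = tunnel_srv.accept()
    channels = {}
    with tunnel:
        while True:
            ftype, chan, payload = read_frame(tunnel)
            if ftype == OPEN:
                host, port = payload.decode().rsplit(":", 1)
                channels[chan] = socket.create_connection((host, int(port)))
            elif ftype == DATA:
                channels[chan].sendall(payload)        # bytes leave the tunnel as plain TCP
                reply = channels[chan].recv(4096)
                tunnel.sendall(encode_frame(DATA, chan, reply))
            elif ftype == CLOSE:
                channels.pop(chan).close()
                if not channels:
                    return


def forwarder(local_srv, tunnel, target):
    """Client side: the loopback listener that the application connects to."""
    app, _ = local_srv.accept()
    chan = 1
    with app:
        tunnel.sendall(encode_frame(OPEN, chan, target.encode()))
        tunnel.sendall(encode_frame(DATA, chan, app.recv(4096)))
        ftype, rchan, reply = read_frame(tunnel)
        assert ftype == DATA and rchan == chan
        app.sendall(reply)
        tunnel.sendall(encode_frame(CLOSE, chan))


def demo(request=b"hello"):
    """Run one request through app -> forwarder -> tunnel -> gateway -> server."""
    internal, tunnel_srv, local = listen_loopback(), listen_loopback(), listen_loopback()
    threading.Thread(target=internal_echo_server, args=(internal,), daemon=True).start()
    threading.Thread(target=gateway, args=(tunnel_srv,), daemon=True).start()
    # In the real deployment this socket is the TLS session to the ASA on 443.
    tunnel = socket.create_connection(tunnel_srv.getsockname())
    target = "127.0.0.1:%d" % internal.getsockname()[1]  # mapped internal host:port
    threading.Thread(target=forwarder, args=(local, tunnel, target), daemon=True).start()
    # The unmodified application only ever talks to 127.0.0.1:<local port>.
    with socket.create_connection(local.getsockname()) as app:
        app.sendall(request)
        return app.recv(4096)


if __name__ == "__main__":
    print(demo())
```

Capturing this with Wireshark on the loopback interface shows the three layers the question asks about: the application's own TCP connection to the local port, the single tunnel connection carrying the framed payloads, and the gateway's separate TCP connection to the internal server. Nothing is injected below the application layer on the client; the only thing the forwarder touches is the loopback listener the application is pointed at.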