12-29-2014 10:33 PM - edited 03-05-2019 12:28 AM
Hi,
I will be setting up Full Tunnel SSL VPN using my ASA 5520 as a VPN server.
After reading documents I know that NAT must be disabled on the ASA for the pool addresses.
Can anyone explain the exact logic behind this?
Regards.
12-30-2014 01:02 AM
You probably have a NAT between your inside and outside interface that matches your internal hosts when they want to go "anywhere". Your VPN-pool is part of this "anywhere" and would get NATed when traffic flows from the internal network to the VPN-pool. For that you need a NAT-rule with a higher priority that matches on traffic from your internal network to your VPN-pool to make sure that this traffic doesn't get NATed.
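An added example of what that higher-priority rule looks like on an ASA running 8.4 or later (example configuration, not from the thread). The object names and address ranges are assumptions: 192.168.10.0/24 stands in for the internal LAN and 10.10.10.0/24 for the AnyConnect address pool.

```cisco
! Added example, not from the original post. Names and addresses are
! assumptions: INSIDE_NET = internal LAN, VPN_POOL = AnyConnect pool.

object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0

object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0

! The usual dynamic PAT for internet access. Its destination is "any",
! so on its own it also matches LAN -> pool traffic: replies to a VPN
! client would leave with the outside interface address as source and
! never be recognised as belonging to the tunnel.
object network INSIDE_NET
 nat (inside,outside) dynamic interface

! NAT exemption: a twice-NAT identity rule (section 1). Section 1 is
! evaluated before object NAT (section 2), so for LAN <-> pool traffic
! this rule wins and both source and destination stay untranslated.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

`show nat` lists the rules by section and shows hit counts, and `packet-tracer input inside tcp 192.168.10.5 1234 10.10.10.7 443` walks a simulated packet from the LAN to a pool address and reports which NAT rule it matched; the exemption should appear there rather than the dynamic PAT. On releases before 8.3 the equivalent is `nat (inside) 0 access-list <name>` with an access list permitting the LAN to the pool.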
12-30-2014 07:07 AM
Hi,
Thanks. I have a couple of queries.
I understood that Cisco AnyConnect will assign my laptop a private IP address from the VPN pool after successful authentication. But in reality I am connecting to the VPN server through my local ISP from home. So how does it actually work?
Does SSL VPN encapsulate the private IP addresses when leaving the ASA and show the original public IP addresses in its packet, the way it is done in IPsec site-to-site VPN?
Regards.
12-30-2014 07:42 AM
When using a full-tunnel client, you have two IP headers in your packet.
When you access an internal server through the VPN, the IP datagram is sent to the gateway with the help of the outer header. That's all "the internet" sees. The ASA decrypts the packet and now "sees" the inner header with its payload and sends the packet to the internal server.
The server answers and an IP packet with the headers (SA=internal server, DA=your VPN-pool address) is sent to the ASA. The ASA now needs to know that this packet is not allowed to be NATed, sees that the destination address belongs to a VPN, encrypts and encapsulates the packet (where the outer header is added) and sends it to the client's public IP address.
This way of using IP headers (inner and outer) is the same for SSL/TLS VPNs and IPsec VPNs.
12-31-2014 06:18 AM
Hi,
Thanks for taking your time and helping me out.
I was really confused about the process of SSL VPN and this has helped me a lot.
Just one question: does it add any header before the original IP header to encapsulate, like ESP in IPsec?
Regards.