NAT on Full Tunnel SSL VPN

Hi,

I will be setting up Full Tunnel SSL VPN using my ASA 5520 as a VPN server.

After reading documents I know that NAT must be disabled on the ASA for the pool addresses.

Can anyone explain the exact logic behind this?

Regards.

4 Replies

You probably have a NAT between your inside and outside interface that matches your internal hosts when they want to go "anywhere". Your VPN-pool is part of this "anywhere" and would get NATed when traffic flows from the internal network to the VPN-pool. For that you need a NAT-rule with a higher priority that matches on traffic from your internal network to your VPN-pool to make sure that this traffic doesn't get NATed.
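The higher-priority "don't translate" rule described in this reply, written out as an ASA 8.3+ identity NAT example. This is an added illustration, not configuration from the thread; the inside network 192.168.1.0/24, the AnyConnect pool 10.10.10.0/24 and the object names are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses and object names are constructed.
! Inside LAN: 192.168.1.0/24   AnyConnect pool: 10.10.10.0/24   ASA 8.3+ NAT syntax.
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 ! The generic "inside to anywhere" PAT that would otherwise catch
 ! traffic from internal hosts towards the VPN pool (object NAT, section 2).
 nat (inside,outside) dynamic interface
!
! Manual (twice) NAT is evaluated in section 1, i.e. before the object NAT
! above, so it wins for inside -> pool traffic. Translating source and
! destination to themselves is identity NAT: the packet is left untouched.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Check: trace an internal host talking to a pool address. The NAT phase of
! the trace should show the identity rule, not the dynamic PAT, and the packet
! should leave via the VPN path rather than plain outside.
packet-tracer input inside tcp 192.168.1.10 12345 10.10.10.5 443
show nat
```

On pre-8.3 code the same intent was expressed as NAT exemption, `nat (inside) 0 access-list <acl>`, with the ACL permitting inside network to VPN pool.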

Hi,

Thanks. I have a couple of queries.

I understood that Cisco AnyConnect will assign my laptop a private IP address from the VPN pool after successful authentication. But in reality I am connecting to the VPN server through my local ISP from home. So how does it work actually?

Does SSL VPN encapsulate the private IP addresses when leaving the ASA and show the original public IP addresses in its packet, the way it is done in IPSec Site to Site VPN?

Regards.

When using a full-tunnel client, you have two IP headers in your packet.

  1. The outer header
    This one is used to communicate between the VPN endpoints. The destination address is the VPN server, the source address is your VPN client. If you are using the VPN from home, this could be a private address that gets PATted to a public IP by your Internet router.
  2. The inner header
    This header is used for the end-to-end communication. The source address will be an address from your VPN pool, the destination address is the (internal) server that you want to reach. The inner header and its payload are cryptographically protected.

When you access an internal server through the VPN, the IP datagram is sent to the gateway with the help of the outer header. That's all "the internet" sees. The ASA decrypts the packet and now "sees" the inner header with its payload and sends the packet to the internal server.

The server answers and an IP packet with the headers (SA=internal server, DA=your VPN pool address) is sent to the ASA. The ASA now needs to know that this packet is not allowed to be NATed, sees that the destination address belongs to a VPN, encrypts and encapsulates the packet (where the outer header is added) and sends it to the client's public IP address.

This way of using IP headers (inner and outer) is the same for SSL/TLS VPNs and IPSec VPNs.

Hi,

Thanks for taking your time and helping me out.

I was really confused about the process of SSL VPN and this has helped me a lot.

Just one question: does it add any header before the original IP header to encapsulate, like ESP in IPSec?

Regards.
