Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
5
Replies

anyconnect ssl vpn and acl

Go to solution
mahesh18
Level 6
Level 6

‎05-03-2014 07:15 AM - edited ‎02-21-2020 07:37 PM

 

 Hi Everyone,

I was testing few things at my home lab.

 

PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)

anyconnect ssl is working fine and i am also able to access internet.

I am using full tunnel

i have acl on outside interface of ASA

1Trueany  any ipDeny0Default []

 

 

i know that ACL is used for traffic passing via ASA.

I need to understand the traffic flow for access to internet via ssl vpn.?

 

Regards

MAhesh

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎05-03-2014 07:50 AM

As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.

You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎05-03-2014 08:29 AM

The encrypted traffic enters the ASA, gets decrypted and the ASA routes the traffic back to the internet, this time in cleartext. Because your packet has a private source address (from your VPN-pool) the source needs to be translated to a public address that is routable on the internet.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Karsten Iwen
VIP
VIP

‎05-03-2014 07:50 AM

As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.

You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Karsten Iwen

‎05-03-2014 07:57 AM

 

Hi Karsten,

 

Thanks for great reply back so now i can say that internet is working as traffic hits the outside interface

of ASA and then goes to the internet?

I am just trying to understand where in ASA  my traffic hits.

hope make sense

 

Regards

MAhesh

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎05-03-2014 08:29 AM

The encrypted traffic enters the ASA, gets decrypted and the ASA routes the traffic back to the internet, this time in cleartext. Because your packet has a private source address (from your VPN-pool) the source needs to be translated to a public address that is routable on the internet.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Karsten Iwen

‎05-03-2014 08:32 AM

 

MAny thanks Sir.

 

Best Regards

MAhesh

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎05-03-2014 08:38 AM

You're welcome, keep on learning and come back to the support-communities.

0 Helpful
Customers Also Viewed These Support Documents