anyconnect ssl vpn and acl

mahesh18
Level 6
 Hi Everyone,

I was testing a few things in my home lab.

 

PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)

AnyConnect SSL is working fine and I am also able to access the internet.

I am using a full tunnel.

I have this ACL on the outside interface of the ASA:

#  Enabled  Source  Destination  Service  Action  Hits  Logging  Description
1  True     any     any          ip       Deny    0     Default  []

 

 

I know that the ACL is used for traffic passing through the ASA.

I need to understand the traffic flow for internet access via SSL VPN.

 

Regards

Mahesh

 

 

5 Replies

As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.

You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

 

Hi Karsten,

 

Thanks for the great reply. So now can I say that the internet is working as traffic hits the outside interface of the ASA and then goes to the internet?

I am just trying to understand where in the ASA my traffic hits.

Hope that makes sense.

 

Regards

Mahesh

The encrypted traffic enters the ASA, gets decrypted and the ASA routes the traffic back to the internet, this time in cleartext. Because your packet has a private source address (from your VPN-pool) the source needs to be translated to a public address that is routable on the internet.
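As an added example (this is not part of Karsten's replies or of the original thread), the ASA configuration pieces that the two answers above describe: a vpn-filter ACL attached to the group-policy as the control point for decrypted VPN traffic, the intra-interface permission that lets the decrypted packets leave through the same outside interface they arrived on, and the (outside,outside) NAT rule that translates the private pool address. The pool range, the inside LAN 192.168.1.0/24, and the object, ACL and group-policy names are all assumed values chosen for illustration.

```cisco
! Added example; all names and addresses below are assumed (constructed for illustration).
! Assumed AnyConnect address pool and matching network object.
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0

! Default behaviour: decrypted VPN traffic bypasses the outside interface ACL.
! With "no sysopt connection permit-vpn" it would be checked against that ACL instead.
sysopt connection permit-vpn

! 1) Filtering: a vpn-filter ACL applied to the (assumed, already existing) group-policy.
! For remote-access filters the ASA evaluates the ACL with the network behind the ASA as
! the source and the VPN client as the destination, so the rules are written that way.
! Here clients are kept off the assumed inside LAN 192.168.1.0/24 but may reach anything
! else, i.e. the internet through the full tunnel. The filter is stateful, so replies pass.
access-list VPN_FILTER extended deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN_FILTER extended permit ip any any
group-policy GP_ANYCONNECT attributes
 vpn-filter value VPN_FILTER

! 2) Hairpin: traffic decrypted on outside is routed back out of outside, which the ASA
! only permits when intra-interface traffic is allowed.
same-security-traffic permit intra-interface

! 3) Translate the private pool addresses to the outside interface address on the
! (outside,outside) interface pair so the cleartext packets are routable on the internet.
nat (outside,outside) source dynamic VPN_POOL_NET interface
```

To confirm the pieces are in effect on a connected client: "show vpn-sessiondb detail anyconnect" should list VPN_FILTER as the session's filter name, "show access-list VPN_FILTER" shows the hit counts per rule, and "show nat" or "show xlate" shows the (outside,outside) translations being built for pool addresses while the client browses.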

 

Many thanks, Sir.

 

Best Regards

Mahesh

You're welcome, keep on learning and come back to the support-communities.