ASA Clientless SSL VPN Portal and DNS issues

jer0nim0x (Level 1)

Hello,

Does anyone know how to bypass the Cisco ASA portal page (clientless SSL VPN), so that I can access some internal machine directly from outside using a certain group policy? (Or otherwise, be creative.)

I'm asking because the internal machine uses HTTP/1.1 name-based vhosts that I wish to transparently access from the outside, yet use ASA's authentication mechanisms before getting there. Using the "homepage" setting doesn't seem to pass the HTTP/1.1 Host header.

Yes, I could use an unused external IP and NAT it to the inside host, but I guess I would lose the ASA's authentication features.

Also, I found that I am unable to use special DNS servers for Clientless SSL VPN connections. I tried all of the following, to no avail; it still uses the default servers.

dns server-group DMZ-DNS
 name-server 192.168.1.3

group-policy GrpPolicy attributes
 dns-server value 192.168.1.3

tunnel-group TGroup webvpn-attributes
 authentication certificate
 dns-group DMZ-DNS

Software version is ASA 8.2(5) and we can't change that for now.

Thanks.

1 Reply

jer0nim0x (Level 1)

OK, we've now set up a DNS server in the DMZ-LAN in order to resolve addresses in the DMZ separately from the internal LAN.

This way, we still have to use the portal, but we can transparently use different hosts, even with HTTP/1.1.

What was also very important was to specify the DMZ-LAN interface for DNS lookups: "dns domain-lookup DMZ-LAN"

What I didn't exactly understand are the DNS lookups. There can be one dns-group statement per tunnel group.

It also seems the DNS cache of the ASA (Monitoring -> Properties -> DNS Cache) can keep several IPs per host.

I hope the mapping to the tunnel group works in case several users belonging to different tunnel groups are connected.

Also, I didn't understand where the (additional?) "dns-server value" statement in the group policy fits in. What's the difference from the dns-group in the tunnel group?
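For reference, the following is an added configuration example that is not from the thread; it puts the pieces the reply discovered into one fragment and annotates where each command applies. The interface name DMZ-LAN, the server-group, tunnel-group and group-policy names, and the 192.168.1.3 address are taken from the posts; the domain-name line is an assumption. The key distinction it illustrates: the ASA resolves clientless (portal) URLs itself, using the DNS server group selected by dns-group in the tunnel-group's webvpn-attributes (the built-in DefaultDNS group if none is set) and only through an interface on which dns domain-lookup is enabled, whereas dns-server value under a group-policy is an attribute pushed to full-tunnel clients (AnyConnect/IPsec) for their own resolver and is not consulted for the lookups the ASA performs on behalf of a clientless session.

```cisco
! Added example, not the thread's own config. Names below reuse the ones
! posted in the question; the domain-name value is an assumption.
!
! 1. Allow the ASA itself to send DNS queries out the DMZ interface.
!    Without this the server group below is never queried.
dns domain-lookup DMZ-LAN
!
! 2. A named server group pointing at the DMZ resolver.
dns server-group DMZ-DNS
 name-server 192.168.1.3
 domain-name dmz.example.com   ! assumption: default suffix for short names
!
! 3. Bind the group to the clientless connection profile. Hostnames in
!    portal bookmarks or URLs for sessions in this tunnel group are
!    resolved by the ASA through DMZ-DNS instead of DefaultDNS.
tunnel-group TGroup webvpn-attributes
 authentication certificate
 dns-group DMZ-DNS
!
! 4. For comparison: dns-server under a group-policy is a client attribute.
!    It is pushed to full-tunnel (AnyConnect/IPsec) endpoints so that the
!    endpoint's resolver uses it; it has no effect on the resolution the
!    ASA does for a clientless session.
group-policy GrpPolicy attributes
 dns-server value 192.168.1.3
```

After applying it, "show dns-hosts" lists what the ASA has cached (which is why several addresses per name can appear in Monitoring -> Properties -> DNS Cache: each resolver answer is cached, including answers from different server groups), and a cache entry can be flushed with "clear dns-hosts cache" before re-testing a bookmark.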