Clientless SSL VPN and ActiveX question

adamsre_cisco
Level 1

Hey All,

First post for me here, so be gentle.  I'll try to be as detailed as possible.

With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session set up.  Ultimately, this will be 8 individual sites, so setting up SSL VPNs at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPNs via ASA5505 (same rev as the 5510) set up with each of the sites.

First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?

Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.

I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:

  match ip inside any outside any
    NAT exempt
    translate_hits = 8915, untranslate_hits = 6574
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_in extended permit icmp any any log notifications
access-list outside_in extended permit tcp any any log notifications
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.16.34 / syslog *****
mtu inside 1500
mtu outside 1500
ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.16.32 255.255.255.224
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside

192.168.2.0 is my corp network range
192.168.2.171 is my internal IP for corp ASA5510
97.x.x.x is the external interface for my corp ASA5510
192.168.16.34 is the internal interface for the remote ASA5505
64.x.x.x is the external interface for the remote ASA5505
192.168.17.0 and 192.168.18.0 are two other private LANs behind the remote 5505

As you can see, I have things reasonably wide open, with no port restrictions on this one yet; this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out.  Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% properly to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACLs between the 5510 and the 5505.

I guess the main question is: is Clientless SSL VPN really a good choice for this, or are there other real alternatives, especially since my client doesn't want to have to install or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN?  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?

Thanks much for any and all ideas!
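Added example (editor's code, not from the post or from Cisco): a small first-match checker for ASA 8.2-style `nat (inside) 0 access-list` exemption ACLs. Given a source and destination, it reports which ACE wins and which later ACEs are unreachable; on the post's own ACL it shows the leading `permit ip any any` entry shadowing every more specific entry, which is what the `match ip inside any outside any / NAT exempt` counters above reflect. The ACL text below is a constructed subset of the quoted config; the `host A-172.16.9.34` operand is treated as an opaque `name` since the post does not define it.

```python
import ipaddress
import re

# Constructed sample: first four ACEs of the post's "nonat" ACL, in evaluation order
# (the ASA uses the first matching entry; later entries are never consulted).
NONAT_ACL = """\
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
"""

def _operand(tokens, i):
    """Parse one address operand at tokens[i]; return (IPv4Network or name string, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        try:
            return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
        except ValueError:          # an ASA 'name' such as A-172.16.9.34: keep it as a label
            return tokens[i + 1], i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_aces(text):
    """Return [(line_no, src, dst)] for every 'extended permit ip' ACE in the text."""
    aces = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"access-list \S+ extended permit ip (.+)", line.strip())
        if m:
            toks = m.group(1).split()
            src, i = _operand(toks, 0)
            dst, _ = _operand(toks, i)
            aces.append((n, src, dst))
    return aces

def _subsumes(outer, inner):
    """True if every address 'inner' can denote is also covered by 'outer'."""
    if isinstance(outer, ipaddress.IPv4Network) and outer.prefixlen == 0:
        return True                 # 'any' covers everything, named hosts included
    if isinstance(outer, str) or isinstance(inner, str):
        return outer == inner       # opaque names only subsume themselves
    return inner.subnet_of(outer)

def first_match(aces, src_ip, dst_ip):
    """Line number of the first ACE exempting src->dst from NAT, or None."""
    s, d = ipaddress.ip_network(src_ip + "/32"), ipaddress.ip_network(dst_ip + "/32")
    return next((n for n, src, dst in aces if _subsumes(src, s) and _subsumes(dst, d)), None)

def shadowed(aces):
    """Line numbers of ACEs that can never be hit because an earlier ACE already covers them."""
    return [n for idx, (n, src, dst) in enumerate(aces)
            if any(_subsumes(ps, src) and _subsumes(pd, dst) for _, ps, pd in aces[:idx])]
```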

2 Replies

adamsre_cisco
Level 1

Any suggestions at all?  Am I headed down the wrong path for what I am trying to do here?  Thanks, in advance!

Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!