04-17-2014 05:58 PM
Hi Everyone,
I was testing clientless SSL at my home lab.
While connected via clientless VPN I am able to SSH to the ASA outside interface, but when I use SSL VPN only I cannot SSH to the outside interface of the ASA.
I need to understand how I am able to SSH to the outside interface of the ASA using clientless SSL VPN.
Regards
Mahesh
04-17-2014 07:03 PM
Mahesh,
When you are on clientless SSL VPN your client isn't restricted from Internet routes, isn't being NATted, etc. If the ASA is set to allow SSH from outside, then the clientless SSL VPN user is no different from any other.
A full tunnel SSL VPN user might have any or all of those factors in play. Any one of them can cause the inability to access the ASA outside interface via SSH. I'd have to see the configuration to tell you which one (or more) is to blame.
04-18-2014 06:01 AM
Hi Marvin,
When using clientless VPN, when we use plugins to access a server or PC via RDP or SSH, does it mean that no NAT is involved?
Or can we say that when we use clientless VPN no NATting is involved at all?
Does it mean that when I am connected to the ASA via SSL VPN I can still SSH to the outside interface of the ASA while using full tunnel?
Here is the NAT config from the ASA:
ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup description Site_To_Site_VPN NAT
nat (inside,outside) source static inside inside destination static inside inside
nat (sales,outside) source static sales sales destination static sales sales
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
Best regards
Mahesh
04-18-2014 06:55 AM
It would be correct to say clientless isn't using NAT with respect to your local machine (the one using the browser for clientless SSL VPN access). In that setup anything that is not launched from within the clientless session (browsing to internal URL, launching plugins etc.) is treated just like a local session originating from whatever network it resides on and using any services (Internet access, local network devices etc.) otherwise available.
When you use a full tunnel VPN type (whether IPsec IKEv1 with the old client, SSL VPN with AnyConnect or IPsec IKEv2 with AnyConnect), your client machine is getting an IP address assigned from the configured VPN pool (or DHCP server if so configured), routes (either 0.0.0.0 if split tunneling is not allowed, or the specified routes otherwise) and is also affected by NAT and/or NAT exemption rules on the firewall. All of those aspects affect the reachability of remote systems.
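As an added illustration of the NAT point above (not code from this thread or from Cisco), the following Python models ASA manual NAT first-match evaluation over four of the posted rules. The object contents (vpn_pool_ip, inside) and the sample client addresses are assumptions, since the thread does not show the object definitions, and traffic to the ASA's own interface address (to-the-box) is deliberately not modeled.

```python
import ipaddress
import re

# Assumed object contents: the thread never shows the "object network"
# definitions, so these membership values are constructed for the model.
OBJECTS = {
    "vpn_pool_ip": ipaddress.ip_network("10.100.0.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/24"),
}

# Four of the manual NAT rules posted in the thread, in their original order.
NAT_CONFIG = """\
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
"""

RULE_RE = re.compile(
    r"nat \((?P<src_if>\w+),(?P<dst_if>\w+)\) source (?P<type>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)(?: destination static (?P<dreal>\S+) \S+)?"
)

def parse_nat(text):
    """Parse 'nat (a,b) source ...' lines into dicts; unknown lines are skipped."""
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]

def in_object(name, ip):
    """True if ip belongs to the named object; 'any' matches everything."""
    return name == "any" or ipaddress.ip_address(ip) in OBJECTS[name]

def first_match(rules, ingress, src, dst):
    """Manual NAT is first-match in configured order: return (index, action) or None.
    Only the ingress interface is checked; the egress side would need a route lookup."""
    for i, r in enumerate(rules):
        if r["src_if"] != ingress or not in_object(r["real"], src):
            continue
        if r["dreal"] and not in_object(r["dreal"], dst):
            continue
        if r["type"] == "static" and r["real"] == r["mapped"]:
            return i, "identity (no translation)"
        return i, "dynamic PAT to " + r["mapped"]
    return None

if __name__ == "__main__":
    rules = parse_nat(NAT_CONFIG)
    # Full-tunnel AnyConnect client holding a pool address, arriving on outside
    print(first_match(rules, "outside", "10.100.0.5", "10.0.0.1"))      # (0, 'identity (no translation)')
    print(first_match(rules, "outside", "10.100.0.5", "198.51.100.7"))  # (3, 'dynamic PAT to interface')
    # Clientless user: the browser host keeps its own address, so no pool rule applies
    print(first_match(rules, "outside", "203.0.113.10", "10.0.0.1"))    # None
```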
04-18-2014 06:55 AM
Many thanks Marvin.
Regards
Mahesh