clientless vpn and ssh to outside interface of ASA

mahesh18
Level 6

 

Hi Everyone,

I was testing clientless SSL VPN in my home lab.

While connected via clientless VPN I am able to SSH to the ASA outside interface, but when I use SSL VPN only I cannot SSH to the outside interface of the ASA.

I need to understand how I am able to SSH to the outside interface of the ASA using clientless SSL VPN.

Regards

Mahesh

 


4 Replies

Marvin Rhoads
Hall of Fame

Mahesh,

When you are on clientless SSL VPN your client isn't restricted from Internet routes, isn't being NATted etc. If the ASA is set to allow ssh from outside, then the clientless SSL VPN user is not different from any other.

A full tunnel SSL VPN user might have any or all of those factors in play. Any one of them can cause the inability to access the ASA outside interface via ssh. I'd have to see the configuration to tell you which one (or more) is to blame.

Hi Marvin,

When using clientless VPN, when we use plugins to access a server or PC via RDP or SSH, does it mean that no NAT is involved?

Or can we say that when we use clientless VPN, no NATting is involved at all?

Does it mean that when I am connected to the ASA via SSL VPN I can still SSH to the outside interface of the ASA while using full tunnel?

Here is the NAT config from the ASA:

ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup description Site_To_Site_VPN NAT
nat (inside,outside) source static inside inside destination static inside inside
nat (sales,outside) source static sales sales destination static sales sales
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN

Best regards

Mahesh

It would be correct to say clientless isn't using NAT with respect to your local machine (the one using the browser for clientless SSL VPN access). In that setup anything that is not launched from within the clientless session (browsing to an internal URL, launching plugins, etc.) is treated just like a local session originating from whatever network it resides on and using any services (Internet access, local network devices, etc.) otherwise available.

When you use a full tunnel VPN type (whether IPsec IKEv1 with the old client, SSL VPN with AnyConnect, or IPsec IKEv2 with AnyConnect), your client machine is getting an IP address assigned from the configured VPN pool (or from a DHCP server, if so configured), routes (either 0.0.0.0 if split tunneling is not allowed, or the specified routes otherwise), and is also affected by NAT and/or NAT exemption rules on the firewall. All of those aspects affect the reachability of remote systems.
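The reasoning in Marvin's two replies (the address a VPN user sends from, the client routes that decide whether the ASA's outside address is reached directly or through the tunnel, and the ASA's own `ssh <net> <mask> <iface>` permits that gate management access) as a small Python model. This is an added example, not code from the thread or from Cisco; every address, the pool, the inside network and the `ssh` lines are constructed for illustration, and the model deliberately leaves out NAT and any host route the VPN client installs for its own gateway.

```python
"""Toy model of the three factors in the replies above: the address a VPN
user sends from, the client route that decides whether the ASA's outside
address is reached directly or through the tunnel, and the ASA's
`ssh <net> <mask> <iface>` permits that gate management access.

All addresses are constructed for this example (hypothetical, not from the
thread). NAT and the client-side host route for the VPN gateway are
deliberately left out of the model."""
import ipaddress

ASA_OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")     # hypothetical ASA outside address
CLIENT_LOCAL_IP = ipaddress.ip_address("198.51.100.20")  # the PC's own address (hypothetical)
POOL_ADDR = ipaddress.ip_address("192.0.2.10")           # address handed out from the VPN pool (hypothetical)
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")         # inside network behind the ASA (hypothetical)
ANY4 = ipaddress.ip_network("0.0.0.0/0")


def parse_ssh_line(line):
    """Parse an ASA 'ssh <addr> <mask> <iface>' line into (network, iface)."""
    _, addr, mask, iface = line.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface


def client_routes(mode):
    """Routes the client ends up with, as (network, egress, source_ip).

    clientless:   nothing is installed; the browser session is the only thing
                  inside the VPN, so all other traffic leaves the PC normally.
    full-tunnel:  0.0.0.0/0 into the tunnel, sourced from the pool address.
    split-tunnel: only the inside network goes into the tunnel.
    """
    if mode == "clientless":
        return [(ANY4, "physical", CLIENT_LOCAL_IP)]
    if mode == "full-tunnel":
        return [(ANY4, "tunnel", POOL_ADDR)]
    if mode == "split-tunnel":
        return [(ANY4, "physical", CLIENT_LOCAL_IP), (INSIDE_NET, "tunnel", POOL_ADDR)]
    raise ValueError(f"unknown mode {mode!r}")


def lookup(routes, dst):
    """Longest-prefix match: the (network, egress, source_ip) entry used for dst."""
    best = None
    for entry in routes:
        net = entry[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def ssh_to_outside(mode, ssh_permits):
    """Simulate an SSH attempt to the ASA's outside address.

    Returns (egress, source_ip, permitted). Whether the packet arrives directly
    or is decapsulated from a tunnel terminating on 'outside', the ASA sees it
    on the outside interface and applies the 'ssh ... outside' permits to the
    packet's source address.
    """
    _, egress, src = lookup(client_routes(mode), ASA_OUTSIDE_IP)
    permitted = any(src in net and iface == "outside" for net, iface in ssh_permits)
    return egress, src, permitted


# Constructed ASA 'ssh' lines: only the home network is allowed at first.
BASE_PERMITS = [parse_ssh_line("ssh 198.51.100.0 255.255.255.0 outside")]
# The line that would also admit full-tunnel users sourced from the pool.
POOL_PERMIT = parse_ssh_line("ssh 192.0.2.0 255.255.255.0 outside")


if __name__ == "__main__":
    for mode in ("clientless", "full-tunnel", "split-tunnel"):
        print(mode, ssh_to_outside(mode, BASE_PERMITS))
    print("full-tunnel + pool permit", ssh_to_outside("full-tunnel", BASE_PERMITS + [POOL_PERMIT]))
```

In this model the clientless row reaches the ASA from the PC's own address, exactly as any other host on that network would; the full-tunnel row arrives sourced from the pool address and is refused until an `ssh` line covering the pool is added; and the split-tunnel row behaves like clientless because the ASA's address is not in the split list. Real behaviour also depends on the NAT rules and on the client's own routing, which this model omits on purpose.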

 

Many thanks Marvin.

Regards

Mahesh