Initiating an SSLVPN connection from the inside to the outside IP address

Kreuze Telecom
Level 1

Hi,

We have an ASA5510 with AnyConnect SSLVPN set up, which works great from remote locations. However, when I am inside the network, I cannot connect to this SSLVPN. I would like to be able to do this for testing purposes; I have a VLAN10 that has ACLs so it cannot reach any private IP addresses; we use this VLAN for our guest Wi-Fi network. I would like to be able to make AnyConnect SSLVPN connections from this VLAN, to test the VPN access without having to be at a remote site. However, since I don't want to change any settings compared to my remote site, I don't want to just bind the sslvpn to both outside and VLAN10 (by issuing the enable VLAN10 statement).

This is the packet-tracer output:

asa01# packet-tracer input VLAN10 tcp 10.0.0.97 45754 93.X.X.X https

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   93.X.X.X     255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: VLAN10
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

How can I configure this?

Regards,

Ruud van Strijp

3 Replies

To make that work you have to enable the SSLVPN on the VLAN10 (which you have done), but you also have to access the ASA on the VLAN10 interface. My preferred way to achieve that is to have a DNS server for the guest network, which resolves the FQDN vpn.company.com to the IP address of the ASA interface in the guest network.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

Thank you for your reply. Is there any other solution? Since our VLAN10 is for public clients, I am using the Google 8.8.8.8 DNS server instead of our AD DNS server. If I refer them to my AD DNS server, people can see our internal hostnames, which is less secure. And I don't want to make a server just for DNS in this VLAN; that sounds like a bit of a resource waste.

Regards,

Ruud van Strijp

I also wouldn't like to expose my AD DNS for that. But if you don't want to install an additional server for that (I usually use a small Atom PC for stuff like that if I don't have a VM host for DMZ services), you can use the DNS inspection in the ASA to control what the guest users can query and what not. (I still don't like that solution.)

As a last option you can still access the VPN with the VLAN10 IP instead of the FQDN.

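One way to build the small guest-network resolver Karsten describes without pointing guests at the AD DNS, as an added dnsmasq configuration that is not from this thread or from Cisco: it answers only vpn.company.com with the ASA's VLAN10 address and forwards everything else to the public resolvers Ruud already uses. The interface name eth0.10 and the ASA VLAN10 address 10.0.0.1 are assumed placeholders.

```conf
# dnsmasq.conf for the guest VLAN (added example; eth0.10 and 10.0.0.1 are placeholders).

# Listen only on the guest-VLAN interface, never on one facing the internal network.
interface=eth0.10
bind-interfaces
# Only answer clients on directly attached subnets, so this never becomes an open resolver.
local-service

# Ignore /etc/resolv.conf and /etc/hosts; forward exclusively to the public resolvers,
# so no internal hostname can be learned through this box.
no-resolv
no-hosts
server=8.8.8.8
server=8.8.4.4

# The single override: resolve the AnyConnect FQDN to the ASA's VLAN10 interface,
# which is where webvpn has been enabled, instead of the public 93.X.X.X address.
address=/vpn.company.com/10.0.0.1

# Hygiene: don't forward single-label names or RFC1918 reverse lookups upstream.
domain-needed
bogus-priv
```

Point the guest-VLAN DHCP scope at this resolver; a guest then reaches the same AnyConnect configuration as a remote user, only via the VLAN10 interface address, and the firewall's existing ACLs still keep the guest VLAN away from private addresses other than the resolver itself.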