09-27-2012 02:55 AM
Hi,
We have an ASA5510 with AnyConnect SSLVPN set up, which works great from remote locations. However, when I am inside the network, I cannot connect to this SSLVPN. I would like to be able to do this for testing purposes; I have a VLAN10 that has ACLs so it cannot reach any private IP addresses, we use this VLAN for our guest Wi-Fi network. I would like to be able to make AnyConnect SSLVPN connections from this VLAN, to test the VPN access without having to be at a remote site. However, since I don't want to change any settings compared to my remote site, I don't want to just bind the sslvpn to both outside and VLAN10 (by issuing the enable VLAN10 statement).
This is the packet-tracer output:
asa01# packet-tracer input VLAN10 tcp 10.0.0.97 45754 93.X.X.X https
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 93.X.X.X 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: VLAN10
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
How can I configure this?
Regards,
Ruud van Strijp
09-27-2012 05:29 AM
To make that work you have to enable the SSLVPN on the VLAN10 (which you have done), but you also have to access the ASA on the VLAN10 interface. My preferred way to achieve that is to have a DNS server for the guest network, which resolves the FQDN vpn.company.com to the IP address of the ASA interface in the guest network.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-27-2012 11:36 PM
Hi Karsten,
Thank you for your reply. Is there any other solution? Since our VLAN10 is for public clients, I am using the Google 8.8.8.8 DNS server instead of our AD DNS server. If I refer them to my AD DNS server, people can see our internal hostnames, which is less secure. And I don't want to make a server just for DNS in this VLAN, that sounds a bit of a resource waste.
Regards,
Ruud van Strijp
09-27-2012 11:50 PM
I also wouldn't like to expose my AD DNS for that. But if you don't want to install an additional server for that (I usually use a small Atom PC for stuff like that if I don't have a VM host for DMZ services) you can use the DNS inspection in the ASA to control what the guest users can query and what not. (I still don't like that solution.)
As a last option you can still access the VPN with the VLAN10-IP instead of the FQDN.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
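The split-horizon DNS approach suggested in the replies above, shown as an added dnsmasq configuration that is not part of this thread and not the poster's own setup. It assumes a small resolver box (or VM) with one interface in the guest VLAN (interface name eth1 and the ASA's VLAN10 interface address 10.0.0.1 are placeholders) and forwards everything except vpn.company.com to the public 8.8.8.8 resolver the poster already uses, so no internal AD hostnames are exposed to guest clients.

```conf
# /etc/dnsmasq.conf  (added example; interface name and 10.0.0.1 are assumed)

# Only serve the guest VLAN; never bind to any internal-facing interface.
interface=eth1
bind-interfaces

# Do not pick up the host's own resolvers (which might point at AD DNS).
no-resolv
no-hosts

# Forward all ordinary queries to the public resolver the guest VLAN already uses.
server=8.8.8.8

# Split-horizon override: guest clients resolve the VPN FQDN to the ASA's
# VLAN10 interface address instead of the public 93.X.X.X address, so the
# AnyConnect client hits the interface where the SSLVPN is enabled.
# 10.0.0.1 is an assumed placeholder for the ASA VLAN10 IP.
address=/vpn.company.com/10.0.0.1

# Refuse to answer for internal zones even if a guest asks directly.
# (Replace corp.example with the real AD domain; this is a placeholder.)
address=/corp.example/

# Keep a query log so unexpected lookups from the guest VLAN are visible.
log-queries
log-facility=/var/log/dnsmasq-guest.log
```

Hand out this box as the DNS server in the guest VLAN's DHCP scope instead of 8.8.8.8 directly; clients then get the VLAN10 address for vpn.company.com while every other name still goes to the public resolver. The `address=/corp.example/` line returns NXDOMAIN for the internal domain, which is the same effect the ASA DNS inspection alternative aims for, but enforced at the resolver rather than in the firewall.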