08-08-2010 10:59 PM
Hi, I have a network with a Juniper SSL box, which connects to an ASA 5510 DMZ port, where the outside of the ASA is the same as the outside of the SSL VPN box.
Accessing the internal network has no issues at all.
Now I need remote users to SSL VPN to the Juniper box and internally connect to my remote sites, which takes the client connection via the internet router again (through a Cisco site-to-site IPSec VPN) to the remote site.
Can this be done? My gut feeling is "yes, it can be done".
Currently I am getting nowhere; I don't get any ASA DMZ ACL hits if I try to access remote site resources from the SSL VPN client.
Diagram attached.
Any help would be appreciated.
08-09-2010 03:26 AM
Shouldn't be a problem.
On the Juniper SSL, you would need to check if routes have been added for the remote IPSec LAN to point towards the ASA DMZ interface IP address instead of pointing out towards the internet via the Juniper SSL box.
You would need to configure NAT exemption on the ASA box between the SSL pool subnet and the remote IPSec LAN. Further to that, you would also include the SSL subnet towards the remote LAN subnets in the crypto ACL, and a mirror-image ACL in the remote site crypto ACL.
Hope that helps.
08-09-2010 05:01 AM
Thanks Halijenn, that is exactly what I did, but without NAT exemption. My site-to-site IPSec tunnel is between two routers, so do I need to exempt NATting for the SSL pool in the ASA?
Regards
08-10-2010 05:03 AM
Yes, in that case, if you are not doing any NATting, then you would need to configure NAT exemption on both the ASA and the router. Otherwise, the crypto ACL will not match, which will not trigger the tunnel/SA to be created for the LAN-to-LAN IPSec tunnel.
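As an added example (not from the thread or any of its posters), the three steps described in the answers written out as ASA 8.2-era and IOS configuration: route on the Juniper, NAT exemption on the ASA and the head-end router, and mirrored crypto ACLs. Every address, interface name, ACL name and crypto map name is a constructed assumption.

```text
! Constructed addressing (assumed for this example, not from the thread):
!   Head-end LAN                10.10.0.0/16
!   Juniper SSL VPN client pool 10.50.0.0/24 (arrives on the ASA DMZ interface)
!   Remote site LAN             192.168.20.0/24
!   ASA outside IP 203.0.113.2, remote IPSec peer 198.51.100.20
! Juniper SSL VPN box: add a route for 192.168.20.0/24 via the ASA DMZ IP
! (GUI setting, not shown), so the pool's traffic is sent to the ASA.

! ---------- ASA 5510, 8.2-style NAT syntax ----------
! NAT exemption: SSL-pool -> remote-LAN traffic leaves the ASA untranslated,
! so the head-end router sees a 10.50.0.x source and its crypto ACL matches.
access-list DMZ_NONAT extended permit ip 10.50.0.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NONAT
! Inbound DMZ ACL; 'show access-list DMZ_IN' hit counts confirm the traffic
! really arrives from the Juniper with the expected source and destination.
access-list DMZ_IN extended permit ip 10.50.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-group DMZ_IN in interface dmz
! Check 'show nat' and 'show xlate' for a static statement that claims the
! pool or the remote LAN on another interface; the poster's problem was one.

! ---------- Head-end Internet router, IOS ----------
! Crypto ACL: the SSL pool is added beside the existing LAN entry.
ip access-list extended CRYPTO_TO_REMOTE
 permit ip 10.10.0.0 0.0.255.255 192.168.20.0 0.0.0.255
 permit ip 10.50.0.0 0.0.0.255 192.168.20.0 0.0.0.255
! Router-side NAT exemption: tunnel traffic is denied in the PAT ACL so it
! is not overloaded onto the public address before the crypto map sees it.
ip access-list extended NAT_INSIDE
 deny   ip 10.10.0.0 0.0.255.255 192.168.20.0 0.0.0.255
 deny   ip 10.50.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 10.10.0.0 0.0.255.255 any
 permit ip 10.50.0.0 0.0.0.255 any
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload
! Existing crypto map entry; its transform set and other lines are unchanged.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.20
 match address CRYPTO_TO_REMOTE
! Return path: decrypted remote-site traffic for the pool goes to the ASA.
ip route 10.50.0.0 255.255.255.0 203.0.113.2

! ---------- Remote site router, IOS: mirror image ----------
ip access-list extended CRYPTO_TO_HEADEND
 permit ip 192.168.20.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.0.255
ip access-list extended NAT_INSIDE
 deny   ip 192.168.20.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny   ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
```

If the DMZ ACL shows hits but no SA comes up, the usual cause is a mismatch between the two crypto ACLs or a NAT rule on either side rewriting the source before the crypto map is evaluated.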
08-10-2010 08:14 AM
Hi, thanks. In my case it was a wrong static statement causing the problem.
I appreciate your support on this issue, thanks again.