Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1093
Views
0
Helpful
10
Replies

SSL VPN through IPSec Tunnel

kajumblies15
Level 1
Level 1

‎10-01-2021 07:00 AM

I have a scenario where I need SSL VPN users to access resources sitting behind an IPSec Tunnel. The architecture is like this, there is an IPsec site to site tunnel between an ASA and a Juniper Firewall with a local webserver sitting on the local network of the juniper firewall. I have clientless SSL VPN users drop onto the ASA and are able to access the local resource on the ASA inside network. However I am unsure on how to get the clientless SSL VPN traffic to push to the IPsec Tunnel to access the webserver behind the Juniper Firewall. 

 

Here are the IPs of the above scenario for reference:

 

IPSec site to site 

ASA outside interface - 192.168.1.100 

Juniper Outside interface 192.168.1.240

Juniper inside network - 10.10.10.0/24

ASA local Network - 192.168.60.0/24

 

Is someone able to explain how to accomplish this

 

Thanks so much!

0 Helpful
10 Replies 10

Rob Ingram
VIP
VIP

‎10-01-2021 07:14 AM

@kajumblies15 

Allow the ASA to hairpin the traffic and send back out the outside interface, add the command same-security-traffic permit intra-interface

 

You'll also need to amend the crypto map ACL between the ASA and the Juniper to include the RAVPN network.

You'll also need a NAT exemption rule to ensure traffic between the RAVPN users and the Juniper's local network

 

or alternatively you could NAT the traffic from one of the IP addresses defined in the crypto map already, this way you won't need to change the crypto ACL nor the existing NAT exemption rule. It's not as elegant as the first solution above. You'll still need to configure hairpinning using the command above.

0 Helpful

kajumblies15
Level 1
Level 1
In response to Rob Ingram

‎10-01-2021 07:30 AM

@Rob Ingram 

Thanks so much for the reply. I have the same-security-traffic permit intra-interface enabled. Since I am trying to push clientless SSL traffic doesn't the ASA source that from the outside interface in this case 192.168.1.100. It appears that the clientless SSL users all come in with the outside IP of the ASA. How do I NAT or adjust the crypto ACL to make that work? The client based RA VPN users I have configured work perfectly with no issues but they have a pool of IPs that I was able to NAT which I am not able to do with the clientless SSL VPN users. 

 

Thank You!

0 Helpful

Rob Ingram
VIP
VIP
In response to kajumblies15

‎10-01-2021 07:44 AM

@kajumblies15 ok i missed you said clientless, in which case the traffic will be sourced from the ASA's interface. You will need to amend the crypto map to include that IP address.

0 Helpful

kajumblies15
Level 1
Level 1

‎10-01-2021 07:50 AM

 

@Rob Ingram 

When You say amend the cryptomap to include that IP are you stating that I need to add the 192.168.1.100. Here is what I currently have for my cryptomap output on the ASA. 

 

access-list Outside_cryptomap extended permit ip host 192.168.1.100 10.10.10.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 10.10.10.0 255.255.255.0

Does that look accurate?

 

Thank You

0 Helpful

Rob Ingram
VIP
VIP
In response to kajumblies15

‎10-01-2021 08:07 AM - edited ‎10-01-2021 08:09 AM

@kajumblies15 if the outside IP address is 192.168.1.100, is the outbound traffic being natted by a device in front of the ASA? Just create a NAT exemption rule, hide the original traffic behind one the IP addresses defined in the crypto ACL from the range 192.168.60.0/24. Example:-

 

nat (OUTSIDE,OUTSIDE) source static ORIGINAL-SRC TRANSLATED-SRC destination static REMOTE REMOTE no-proxy-arp

 

0 Helpful

kajumblies15
Level 1
Level 1
In response to Rob Ingram

‎10-01-2021 08:20 AM

@Rob Ingram 

In my lab  my "Internet" is essentially the 192.168.1.x network. So there is no NAT that happens in front of the ASA. How would I create a NAT exemption rule for this scenario? If needed I can provide the config

 

Thanks so much!

0 Helpful

Rob Ingram
VIP
VIP
In response to kajumblies15

‎10-01-2021 08:28 AM

@kajumblies15 use the example I provided above.

 

Your original source is the host 192.168.1.100, the translated source is an IP address within the 192.168.60.0/24 network, as it's define in the crypto ACL already? and the remote object represents the Junipers 10.10.10.0/24 network.

0 Helpful

kajumblies15
Level 1
Level 1
In response to Rob Ingram

‎10-01-2021 08:53 AM

@Rob Ingram 

That was my bad I missed the code you added above. OK so created the rule 

nat (Outside,Outside) source static ASA_Out SSL_Translated destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp

Here is what happens. I dont see any translations occur on that rule when I run "show nat detail" and from the clientless SSL VPN in my browser I am not able to get to the webserver that's on the 10.10.10.x network. I wanted to also add in case this helps that I am getting on the VPN from the same subnet meaning the IP that my client has is 192.168.1.78. Does that make a difference?

 

here is the "show nat detail"

 

Manual NAT Policies (Section 1)
1 (Outside) to (Outside) source static ASA_Out SSL_Translated  destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.1.100/32, Translated: 192.168.60.210/32
    Destination - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24

 

Thank You!

0 Helpful

Rob Ingram
VIP
VIP
In response to kajumblies15

‎10-01-2021 09:02 AM

@kajumblies15 Assuming you were connected to the Clientless VPN then traffic should still be sourced from the ASA ip. Nothing is hitting that NAT rule, take packet captures to confirm if communication is even attempted, run packet-tracer to simulate the traffic flow.

0 Helpful

kajumblies15
Level 1
Level 1
In response to Rob Ingram

‎10-01-2021 09:18 AM

@Rob Ingram 

Packet tracer output: 

CBR-NGFW# packet-tracer input Outside icmp 192.168.1.100 8 0 10.10.10.20 detai$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f9c7c652740, priority=1, domain=permit, deny=false
        hits=4717588, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Outside,Outside) source static ASA_Out SSL_Translated destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.10.10.20/0 to 10.10.10.20/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f9c7c6636f0, priority=501, domain=permit, deny=true
        hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.1.100, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Outside, output_ifc=any

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
0 Helpful
Customers Also Viewed These Support Documents