Traffic from Clientless SSL to L2L Tunnel

We currently have a pair of ASA set up running as our Client VPN (Clientless, SSL, and IPSec) and our L2L concentrator. We are running into an issue where Clientless users are trying to access servers that are on the other side of one of the L2L tunnels. Users who are using a client have no issues (I believe this is because they are getting an internal IP address), but Clientless users can't connect. What would the source IP be for the Clientless user? When I looked in the logs it seems to be using the ASA's outside interface, but that doesn't make much sense to me.

Thanks.

Loren Kolnes
Cisco Employee

Hi Tim,

Since the ASA will proxy the clientless connection to the remote server it will route the packet sourcing from the appropriate interface. In this case the remote server is available via the outside interface. You would need to include the outside interface address in the crypto access-list used for the LAN to LAN VPN, this would need to be configured on both sides of the LAN to LAN tunnel.

Clientless ASA

access-list vpn permit ip interface outside remote-network

Remote L2L ASA

access-list vpn permit ip remote-network host outside-ip-address-clientless-asa

Let me know if you have any questions.

Thanks,

Loren

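As an added check, not code from the thread or from Cisco: a small Python script that parses the crypto access-lists of both ASAs, resolves `interface outside` to the clientless ASA's public address, and reports any ACE that has no mirrored (destination/source swapped) counterpart on the far side, which is the condition Loren's fix relies on. The access-list name `vpn` comes from the answer above; the addresses and the outside IP are constructed placeholders.

```python
import ipaddress

# Constructed sample configs (RFC 5737/1918 placeholders, not the thread's addresses).
CLIENTLESS_OUTSIDE_IP = "203.0.113.10"   # assumed public IP of the clientless ASA
CLIENTLESS_ACL = """
access-list vpn extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn extended permit ip interface outside 10.2.0.0 255.255.0.0
"""
REMOTE_ACL = """
access-list vpn extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list vpn extended permit ip 10.2.0.0 255.255.0.0 host 203.0.113.10
"""

def _take_addr(tok, i, iface_ips):
    """Read one ACE address argument at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "interface":  # 'interface outside' means the ASA's own address
        return ipaddress.ip_network(iface_ips[tok[i + 1]]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_crypto_acl(text, name, iface_ips=None):
    """Return the set of (src_net, dst_net) for each 'permit' ACE of access-list <name>."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name] or "permit" not in tok:
            continue
        i = tok.index("permit") + 2  # skip 'permit <protocol>'
        src, i = _take_addr(tok, i, iface_ips or {})
        dst, _ = _take_addr(tok, i, iface_ips or {})
        pairs.add((src, dst))
    return pairs

def missing_mirrors(local, remote):
    """Local ACEs whose swapped (dst, src) counterpart is absent from the remote ACL."""
    return sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)

def covers_source(pairs, ip):
    """True if some ACE's source network contains ip (the proxied clientless source)."""
    return any(ipaddress.ip_address(ip) in s for s, _ in pairs)

if __name__ == "__main__":
    local = parse_crypto_acl(CLIENTLESS_ACL, "vpn", {"outside": CLIENTLESS_OUTSIDE_IP})
    remote = parse_crypto_acl(REMOTE_ACL, "vpn")
    print("unmirrored on remote:", missing_mirrors(local, remote) or "none")
    print("clientless outside IP covered:", covers_source(local, CLIENTLESS_OUTSIDE_IP))
```

Run the same check against the pre-fix access-lists (without the `interface outside` and `host` entries) and the clientless ASA's outside address shows up as unmirrored, which is exactly the traffic that was being dropped.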
Loren,

Ok, but would there be any issues with the other side of the tunnel getting confused with having to send traffic through the tunnel to the same IP that it is peering with? Thanks.

Tim

Hi Tim,

There should be no problem, as the encrypted traffic would be from the internal host/subnet to the public IP; the IPSec tunnel is built between the public IP addresses.

Thanks,

Loren

It works.  Just had a small issue with NATing on the remote side, but other than that it works. Thanks.