
unexpected behavior with clientless ssl vpn and smart tunnels on ASA 5510

kailey.gauthier
Level 1

Hi there, hope someone can help

I'm able to set up a smart tunnel for an application and everything works just fine there, however...

Without smart tunnels, a user has to navigate through the portal interface (because of how it wraps URLs and basically acts as a proxy). This too is fine and good, and expected behavior. If a user doesn't enter a URL in the portal URL entry (just enters it in the normal address bar), it takes them outside of the clientless SSL VPN portal.

Now to the point: when a smart tunnel is started, URLs the user enters in the normal address bar are not wrapped in the device's URL, yet they are still being passed through our network (and note, the smart tunnel application is not the browser, which happens to be IE). How do I know this? Sites that would be blocked by a web filter are blocked with smart tunnels on, but not blocked with smart tunnels off.

I need to know if this is intended behavior or not, and just how and why this is happening?

Thanks in advance

Accepted Solutions

rahgovin
Level 4

I believe this is how it works. If you refer to this doc:

https://supportforums.cisco.com/docs/DOC-6172

Smart tunnel is an all-or-nothing operation. Meaning once you turn it on for a specific process or for a specific bookmark, all your traffic for that process (and the browser you used to initiate the Clientless SSL session) will go through the ASA.

Example: Enable ST option for a process or within bookmark#1 (which hooks IE used to initiate the session). Opening a separate IE browser instance will tunnel all traffic through the ASA, if the new browser window belongs to the same process. All browser tabs' traffic of this browser will be smart tunneled, even for those bookmarks (i.e. bookmark#2) not specifically smart tunneled. You must use a different browser (i.e. Firefox) in this case if you want some of your traffic (i.e. bookmark#2) not to be smart tunneled.

Hope this helps.
