VLAN Mapping and Inline Probe

Ricardo Duarte
Level 1

Hi there,

I'm trying to make all my traffic from SSL VPN clients flow through an Inline Traffic probe. From what I can see, I should use the VLAN mapping feature. But I can't figure out how the feature works. The documentation from ASA is not very informative or extensive.

Currently my ASA has an interconnect network on a VLAN to my Core router, and all my internal networks are routed to the Core IP address. My Core router's default gateway is the ASA. My ASA provides the IP addresses to the remote SSL VPN clients, and is the default router for them. Remote traffic flows from the remote client to the ASA, then through the interconnect, to my internal networks. My single ASA is working as both my Edge firewall and the SSL VPN concentrator.

I understand VLAN mapping will make all the traffic from remote clients egress on a particular VLAN. So, I have created a new VLAN and added that to a trunk on the ASA. Then, I enabled the "Restrict Access to VLAN" and set it to my VLAN. My Inline Traffic probe is connected to the VLAN and can provide DHCP.

If this was a regular network, I would make the Inline Traffic probe the default gateway for that VLAN, and provide the IP and Gateway addresses with its DHCP server. But how does it work with ASA? I can make the egress captive to that VLAN, but can't figure out how to make the traffic pass through the monitor. As ASA does not support source-based routing I can't make the traffic next-hop to the Probe.

I can make the Probe bridge (L2) the interconnect network and the remote client VLAN. But the IP address of the ASA on the VLAN is not within the same range as the interconnect, so I can't understand if and how this would work.

Can someone help me with the configuration or explain to me better how VLAN mapping works?

Thanks.

Accepted Solution

Jennifer Halim
Cisco Employee

What you are trying to achieve is configurable via the "tunneled" default route, and it would force all traffic from VPN through to this particular default route.

e.g.:

If your Inline traffic probe is between the ASA inside interface and your CORE, then you can configure:

route inside 0.0.0.0 0.0.0.0 <CORE-IP> tunneled

That would force all VPN traffic to route to CORE-IP, which would go through your inline traffic probe.

Here is the command reference for your info:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/qr.html#wp1840612

Hope that helps.

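As an added illustration of the accepted answer (not configuration from the thread or from Cisco), here is how the tunneled default route sits next to the normal default route and the existing static route to the core. Interface names, VLAN number and all addresses are assumed placeholders: 10.0.0.2 stands for CORE-IP, 203.0.113.1 for the ISP gateway, 10.10.0.0/16 for the internal networks behind the core.

```cisco
! Added example, not from the thread. Placeholders: 10.0.0.1/30 is the ASA
! side of the interconnect VLAN, 10.0.0.2 is CORE-IP, 203.0.113.1 is the ISP
! gateway, 10.10.0.0/16 are the internal networks routed via the core.
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
! Internal networks: VPN and non-VPN traffic alike already follow this
! static route to the core, so it crosses a probe placed inline between
! the ASA inside interface and the core. The tunneled route does not
! override routes that are more specific than the default.
route inside 10.10.0.0 255.255.0.0 10.0.0.2 1
!
! Normal default route: traffic that did not arrive over a VPN tunnel
! (e.g. the core's own internet-bound traffic) still leaves via the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunneled default route: traffic that terminated on a VPN tunnel and
! matches no learned or static route is sent to CORE-IP on inside instead
! of to the ISP, so internet-bound VPN client traffic (full tunnel) also
! passes the inline probe. Only one tunneled default route is allowed per
! ASA, and ECMP is not supported for it.
route inside 0.0.0.0 0.0.0.0 10.0.0.2 tunneled
!
! Do not enable unicast RPF (ip verify reverse-path) on the egress
! interface of the tunneled route; it causes the VPN sessions to fail.
!
! Verification: both default routes should appear in the routing table.
show route
show running-config route
```

Whatever the core then does with that traffic (routing it back out through the ASA, or via another exit) still has to be allowed by the ASA's access policy and, for hairpinned traffic, same-security-traffic intra-interface permit.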

That's exactly what I want.

Thank you.