06-23-2012 03:37 AM
Hi there,
I'm trying to make all my traffic from SSL VPN clients flow through an inline traffic probe. From what I can see, I should use the VLAN mapping feature. But I can't figure out how the feature works. The ASA documentation is not very informative or extensive.
Currently my ASA has an interconnect network on a VLAN to my core router, and all my internal networks are routed to the core IP address. My core router's default gateway is the ASA. My ASA provides the IP addresses to the remote SSL VPN clients, and is the default router for them. Remote traffic flows from the remote client to the ASA, then through the interconnect, to my internal networks. My single ASA is working as both my edge firewall and the SSL VPN concentrator.
I understand VLAN mapping will make all the traffic from remote clients egress on a particular VLAN. So, I have created a new VLAN and added that to a trunk on the ASA. Then, I enabled "Restrict Access to VLAN" and set it to my VLAN. My inline traffic probe is connected to the VLAN and can provide DHCP.
If this were a regular network, I would make the inline traffic probe the default gateway for that VLAN, and provide the IP and gateway addresses with its DHCP server. But how does it work with the ASA? I can capture the egress to that VLAN, but can't figure out how to make the traffic pass through the monitor. As the ASA does not support source-based routing, I can't make the traffic next-hop to the probe.
I can make the probe bridge (L2) the interconnect network and the remote client VLAN. But the IP address of the ASA on the VLAN is not within the same range as the interconnect, so I can't understand if and how this would work.
Can someone help me with the configuration or explain to me better how VLAN mapping works?
Thanks.
06-23-2012 06:29 PM
What you are trying to achieve is configurable via the "tunneled" default route, and it would force all traffic from VPN through to this particular default route.
eg:
If your inline traffic probe is between the ASA inside interface and your CORE, then you can configure (the posted command line lost its next hop and the tunneled keyword; restored here with CORE-IP as the page's placeholder for the core router's address):

route inside 0.0.0.0 0.0.0.0 CORE-IP tunneled

That would force all VPN traffic to route to CORE-IP, which would go through your inline traffic probe.
Here is the command reference for your info:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/qr.html#wp1840612
Hope that helps.
06-24-2012 02:33 AM
That's exactly what I want.
Thank you.