Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSL VPN routing issue?

jspanitz_
Frequent Contributor
‎08-02-2011 08:22:PM
‎08-02-2011 08:22:PM

SSL VPN routing issue?

Very strange SSL VPN issue.  Not sure it if's a bug or by design.

Cisco ASA has:



  • External DNS pointing webserver.company.com to NAT IP

  • Public ip of 1.1.1.1  <-webserver.company.com points here

  • NAT - Internal IP of 192.168.1.1


SSL VPN has:



  • Internal DNS pointing webserver.company.com to 192.168.1.1 (trying not to hairpin on the ASA)

  • A virtual port defined on the Network External Port with an IP of 192.168.1.1 <-the NAT IP the ASA is pointing to

  • A sign in policy defined for a virtual hostname for webserver.company.com pointing to a backend URL of https://webserver.company.local:443/*




Situation:

When a user is on the internet, FQDN works fine.

When a user is on internal network FQDN works fine.

When a user is on the VPN, no traffic passes to virtual hostname IP / FQDN.

Should this be possible for a Network Connected tunnel client to reach the Virtual Port /  Sign in Page?  if not, is there a way to make the web server work behind the SSL VPN when a user has a tunnel up (Network Connect) or do we need to move it out from behind the SSL VPN?

0 Kudos
3 REPLIES 3
dcvers_
Regular Contributor
‎11-16-2007 02:04:AM
‎11-16-2007 02:04:AM

Re: SSL VPN routing issue?

Unless I've misunderstood it sounds like you've given the VPN box that same IP address as your web server.

The NAT and external virtual port does not need resolve to the true internal IP. The virtual hostname configuration handles the transition to the internal server. The NAT just needs to direct your public IP to the VPN box.

0 Kudos
dcvers_
Regular Contributor
‎11-16-2007 08:09:AM
‎11-16-2007 08:09:AM

Re: SSL VPN routing issue?

If I understand correctly you effectively want to route from the internal interface or the VPN box back round to the external. Not sure if the VPN boxes will like this but if it does the issue could be on the interconnect between the internal network and the external DMZ. It could be a firewall intrusion prevention mechnism is dropping the traffic due to the unusual routing path even though you have rules in place to allow the traffic. We sometimes get this when VPN users are trying to connect to Site to Site VPN locations.

0 Kudos
jspanitz_
Frequent Contributor
‎08-02-2011 05:58:AM
‎08-02-2011 05:58:AM

Re: SSL VPN routing issue?

Yeah, I did not explain it well.  The VPN has the NAT IP / external FQDN that the Cisco is pointing to.  Then it points to the internal IP / FQDN of the web server.  What we are trying to accomplish is have internal clients hit the external FQDN which works, but when they are on aVPN tunnel it does not.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.