IP NAT on the router to an SSL VPN appliance

Has anyone been able to forward 443/SSL to an SSL VPN unit behind a Cisco 891-K9?

(I have never encountered this situation before, as either the router terminated the VPN directly on its public side or we had several public IPs and could assign the VPN device a public IP address directly.)

With 'ip nat inside source static tcp 44.55.66.255 443 10.10.10.150 443 extendable' the router is supposed to pass the SSL request to the SSL VPN appliance at 10.10.10.150 so that VPN connections terminate there.

But it failed miserably because the 891-K9 created a virtual ARP entry for 10.10.10.150. So there are two MACs with the same IP address.

So 443 requests were sent to its own interface. With the NAT statement in place, I can't ssh to the inside SSL VPN appliance, but as soon as the statement is removed, I can ssh and the duplicate ARP warning goes away.

*Nov  1 19:22:46.871: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
*Nov  1 19:23:18.083: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
*Nov  1 19:23:48.295: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
RTR#sh clock
*19:24:26.487 UTC Sun Nov 1 2015
RTR#sh ip arp 10.10.10.150
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.150            -   e02f.6d96.8dd0  ARPA   Vlan10
RTR#sh ip arp 10.10.10.150
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.150            -   e02f.6d96.8dd0  ARPA   Vlan10
RTR#sh sh ip route 10.10.10.150

Cisco TAC is reproducing this problem at the moment in order to report it to dev.

Does anyone else have this problem or a workaround?

Thank you.

I may be misunderstanding, but isn't your NAT statement backwards? I.e. if you want traffic to pass to 10.10.10.150, shouldn't it be -

'ip nat inside source static tcp 10.10.10.150 443 44.55.66.25x 443'

Isn't the SSL device connected on the 'ip nat inside' interface?

Jon
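Added example, not part of the original thread: a small Python check for the operand order Jon questions, where the inside-local address (the real server) comes first and the inside-global address second. It flags a statement whose inside-global address falls in an inside subnet, which is the condition under which the question reports the router's own ARP entry and the %IP-4-DUPADDR log. The function name, finding codes and the /24 prefix for Vlan10 are assumptions made for the example.

```python
import ipaddress
import re

# Syntax: ip nat inside source static {tcp|udp}
#         <inside-local> <port> <inside-global> <port> [extendable]
STATIC_RE = re.compile(
    r"^\s*ip nat inside source static (tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)"
    r"(?:\s+extendable)?\s*$"
)


def check_static_nat(line, inside_subnets):
    """Return finding codes for one static port-forward statement.

    inside_subnets: prefixes configured on 'ip nat inside' interfaces.
    """
    m = STATIC_RE.match(line)
    if not m:
        return ["unparsed"]
    try:
        local = ipaddress.ip_address(m.group(2))
        glob = ipaddress.ip_address(m.group(4))
    except ValueError:
        # For example a redacted address such as 44.55.66.25x.
        return ["unparsed"]
    nets = [ipaddress.ip_network(n) for n in inside_subnets]
    findings = []
    # The inside-local address is the real server, so it must be on the inside.
    if not any(local in n for n in nets):
        findings.append("local-not-inside")
    # The router claims the inside-global address as its own. If that address
    # sits in an inside subnet it collides with the real host that owns it.
    if any(glob in n for n in nets):
        findings.append("global-in-inside-subnet")
    return findings


# Assumption: Vlan10 is 10.10.10.0/24 (the thread shows only the host address).
INSIDE = ["10.10.10.0/24"]
AS_POSTED = "ip nat inside source static tcp 44.55.66.255 443 10.10.10.150 443 extendable"
REVERSED = "ip nat inside source static tcp 10.10.10.150 443 44.55.66.255 443 extendable"

if __name__ == "__main__":
    for label, stmt in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        print(f"{label:10} {check_static_nat(stmt, INSIDE) or 'ok'}")
```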

Tags: Cisco Security

Similar Questions

  • IPsec VPN client and NAT on a Cisco router = FAIL

    I have a Cisco 3825 router that I have set up for the Cisco IPsec VPN client.  The same router does NAT.

    The IPsec client logs in, but cannot reach the internal network unless NAT is disabled on the inside interface.  But I need both at the same time.

    Suggestions?

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group myclient
     key password!
     dns 1.1.1.1
     domain name
     pool myVPN
     acl 111
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map clientmap client authentication list VPN-AAA
    crypto map clientmap isakmp authorization list AAA-VPN
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Loopback0
     ip address 10.88.0.1 255.255.255.0
    !
    interface GigabitEthernet0/0
     // DESC this is the external interface
     ip address 192.168.168.5 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map clientmap
    !
    interface GigabitEthernet0/1
     // DESC this is the inside interface
     ip address 10.0.1.10 255.255.255.0
     ip nat inside    <================= IPsec client connects, but cannot reach interior network unless this is
     ip virtual-reassembly
     ip route-cache same-interface
     duplex auto
     speed auto
     media-type rj45
    !
    ip local pool myVPN 10.88.0.2 10.88.0.10
    ip route 0.0.0.0 0.0.0.0 192.168.168.1
    ip route 10.0.0.0 255.255.0.0 10.0.1.4
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    !
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

    Hello

    I think you need to configure the default PAT ACL so that it first has 'deny' statements for traffic that is NOT supposed to be NATed between the local network and the VPN pool.

    For example, this kind of ACL and NAT configuration:

    access-list 100 remark NAT0 for VPN client
    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.0.255 any

    ip nat inside source list 100 interface GigabitEthernet0/0 overload

    EDIT:
    It seems you could actually have more than 10 networks behind the router.

    Then you could modify the ACL to this:

    access-list 100 remark NAT0 for VPN client
    access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.255.255 any

    Don't forget to mark correct answers/replies and/or rate helpful answers.

    -Jouni

  • Unable to connect to the SSL VPN website with a zone-based firewall configured

    I recently upgraded my company's 2911 and set up a zone-based firewall.  This is my first experience with this and I used Cisco Configuration Professional to build the firewall configuration first and then edited the names to make it human-readable.  The only problem I can't solve is reaching the SSL VPN website from outside.  I can browse to the website and connect without problem from the inside, and even though that was useful to verify that routing and the site work properly, it is really not what I need.  I don't get anything in syslog for drops by the firewall, or for any other reason, but packet captures show that no response is received when trying to browse to the website from outside.  I am currently using an IPsec client VPN solution until I can get this to work and have no problem with it.  I have attached a sanitized configuration with the relevant lines included (deleted ~400 lines including logging, many inspections of zone-to-zone traffic, and the IPsec VPN, which I already mentioned).  I searched for anything about this problem and nobody has a problem connecting to their website, only with getting other features to work correctly.  All thoughts are welcome.

    show zone security

    zone in-zone
      Member Interfaces:
        GigabitEthernet0/0.15
        GigabitEthernet0/0.30
        GigabitEthernet0/0.35
        GigabitEthernet0/0.45

    zone out-zone
      Member Interfaces:
        GigabitEthernet0/1

    zone sslvpn-zone
      Member Interfaces:
        Virtual-Template1
        SSLVPN-VIF0

    I tried changing the zone membership of interface Virtual-Template1 to the outside zone; nothing helps.

    show zone-pair security

    Zone-pair name SSLVPN-to-IN
        Source-Zone sslvpn-zone  Destination-Zone in-zone
        service-policy SSLVPN-to-IN-POLICY
    Zone-pair name IN-to-SSLVPN
        Source-Zone in-zone  Destination-Zone sslvpn-zone
        service-policy IN-to-SSLVPN-POLICY
    Zone-pair name SELF-to-SSLVPN
        Source-Zone self  Destination-Zone sslvpn-zone
        service-policy SELF-to-SSLVPN-POLICY
    Zone-pair name IN->SELF
        Source-Zone in-zone  Destination-Zone self
        service-policy IN-to-SELF-POLICY
    Zone-pair name IN->IN
        Source-Zone in-zone  Destination-Zone in-zone
        service-policy IN-to-IN-POLICY
    Zone-pair name SELF->OUT
        Source-Zone self  Destination-Zone out-zone
        service-policy SELF-to-OUT-POLICY
    Zone-pair name OUT->SELF
        Source-Zone out-zone  Destination-Zone self
        service-policy OUT-to-SELF-POLICY
    Zone-pair name IN->OUT
        Source-Zone in-zone  Destination-Zone out-zone
        service-policy ALLOW-ALL
    Zone-pair name OUT->IN
        Source-Zone out-zone  Destination-Zone in-zone
        service-policy OUT-to-IN-POLICY
    Zone-pair name SSLVPN-to-SELF
        Source-Zone sslvpn-zone  Destination-Zone self
        service-policy SSLVPN-to-SELF-POLICY

    I also tried adding a zone pair from the outside zone to sslvpn-zone passing all traffic, and it doesn't change anything.

    The zone networks

    G0/0.15   172.16.0.1/26
    G0/0.30   172.16.0.65/26
    G0/0.35   172.16.0.129/25
    G0/0.45   172.18.0.1/28

    SSL VPN pool

    172.20.0.1 - 172.20.0.14

    Latest IOS version:

    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

    Glad it works now. Weird issue, no doubt.

    I guess the deployment guide said that the firewall will not support TCP inspection to the self zone; however, nested class maps are used to accomplish this. To be completely honest, I think it's a mess, and the best thing to do is to use the pass action to self for the protocols that you want and then drop the rest.

    Let us know if you have any other problems.

    Mike

  • Inside source NAT of the remote host and site-to-site VPN

    Hi all

    I have been put in charge of building a VPN tunnel between my company's PIX firewall and a business partner company's ASA firewall.  The traffic flow will be partner company A's users accessing my company's Citrix server.  I want to source-PAT the partner company's user traffic to my company's PIX inside interface upon its entry into my LAN to access my company's Citrix server.  The partner company will be PAT'ing their user traffic to a single IP address; let's say for discussion's sake it is 65.99.100.101.  Below is the site-to-site VPN configuration and the NAT configuration to be performed to allow this traffic as described above.

    I'm more concerned about the correctness of the encryption domain configuration because NAT is involved in this whole setup.  My goal is to NAT the other company's (company A) IP address to a routable IP address in my company's network.

    The fundamental question here is whether I should include the real source IP address (65.99.100.101) of the company A user or the NATed IP (10.200.11.9) in the encryption domain.

    In other words, should the encryption domain look like this:

    OPTION A.

    permit ip host 10.200.11.103 65.99.100.101

    OR

    OPTION B

    permit ip host 10.200.11.103 10.200.11.9

    I'm inclined to think it should look like OPTION A.  Here's MY COMPANY's part of the complete VPN configuration.  I've also attached a diagram illustrating this topology.

    Thanks in advance,

    Adil

    CONFIG BELOW
    ------------------------------------------------
    #################################################
    Object-group Config:
    #################################################
    object-group network COMPANY_A_NETWORK
     description Company A network accessing my company Citrix farm
     network-object host 65.99.100.101
    object-group network MYCOMPANY_CITRIX_FARM
     description Citrix farm accessible Takata by Genpact
     network-object host 10.200.11.103
    ################################################
    Crypto Config:
    ################################################
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    ********************************
    CRYPTO MAP
    ********************************
    crypto map Outside_map 561 match address Outside_561_cryptomap
    crypto map Outside_map 561 set peer 55.5.245.21
    crypto map Outside_map 561 set transform-set ESP-3DES-SHA
    ********************************
    TUNNEL GROUP
    ********************************
    tunnel-group 55.5.245.21 type ipsec-l2l
    tunnel-group 55.5.245.21 ipsec-attributes
     pre-shared-key * 55.5.245.21
    *******************************
    CRYPTO DOMAIN
    *******************************
    access-list Outside_561_cryptomap extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK
    ###########################################
    NAT'ing
    ###########################################
    global (inside) 9 10.200.11.9
    nat (outside) 9 access-list genpact_source_nat outside
    access-list genpact_source_nat extended permit ip host 65.99.100.101 any
    access-list genpact_source_nat extended permit ip host 65.99.100.102 any
    ! For not natting ip address of the Citrix server
    access-list Inside_nat0 extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

    You must include the pre-NAT IP 65.99.x.x in your crypto map, like you did.

    To me, the config you provided here looks good and meets your needs.

    One thing: I do not see the actual nat 0 rule here, but the ACL for that NAT is there. Probably you just forgot this rule.


  • Migrating phones from phone proxy to SSL VPN

    We are working with a client who is moving from UCM 7.x to 9.x and has a phone proxy in place today. With phone proxy no longer supported in 9.x, they are forced to move to SSL VPN for IP phones. The design doc indicates that phones need to be brought up on the internal network first to download configs, certificates, etc. before going out into the field.

    Yes, there is no known workaround to configure remote users' phones WITHOUT bringing them inside the network. For multinationals, this could prove to be a HUGE headache.

    jyoungta replied to another thread with this:

    "If you can get a copy of the new phone config file and put it on a TFTP server which is accessible via the internet, then you can just point the phone to that TFTP server (alternate TFTP server option).  It's going to go and grab the new config file."

    It sounds good (thanks Jay) but it looks easy... too easy. Is there a documented procedure that we can follow?

    (Forgive my lack of specific technical knowledge, I'm in management)

    -Sam

    Hello Sam:

    I was able to convert a phone proxy phone to AnyConnect VPN with a single standard certificate deployment.  The phone was already talking to the CallManager via TFTP from outside the network as part of the phone proxy configuration.

    I configured the AnyConnect VPN phone settings on the ASA.

    Pushed the ASA SSL certificate to the CallManager.

    Configured the CallManager with the appropriate VPN phone settings.

    Applied the common phone settings to the phone and reset the phone.

    -Up to this point, you just follow the guide.  https://supportforums.Cisco.com/docs/doc-21469

    In the network settings on the phone, I changed the alternate TFTP from the public IP address (needed for phone proxy) to the private IP (required for AnyConnect VPN).

    Deleted the CTL under Settings - Security Configuration - Trust List.

    Reset the phone.

    -At this point, I saw the phone reboot and connect to the VPN, and I could verify the operation of the VPN on the phone and make a few prank calls.

  • Configuration of the router to allow VPN traffic through

    I would like to ask for assistance with a specific configuration to allow VPN traffic through a 1721 router.

    The network configuration is the following:

    Internet - Cisco 1721 - Cisco PIX 506E - LAN

    Remote clients connect from the internet by using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. The inside interface of the router is 192.168.0.1.

    The PIX was originally configured with a public IP address and has been tested to work well, authenticating VPN connections and passing traffic into the local network. Then the external IP address was changed to 192.168.0.2 and the PIX was put behind the router.

    The 1721 is configured with an ADSL connection, with automatic fail-over to an asynchronous connection. This configuration does not work well, and in the local network, users have normal internet access. I added access lists for UDP, ESP and AHP traffic.

    Cisco VPN clients receive an error indicating that the remote peer is not responding.

    I have attached the router config for reference, and any help would be greatly appreciated.

    Manual.

    Brian

    For VPN clients to reach the PIX and complete their VPN, the PIX needs an address that is reachable from the outside, where the clients are. When the PIX had a public address it was obviously easy for clients to reach the PIX. When you give the PIX a private address, then a translation must be made. And this becomes a problem if the translation is dynamic.

    You have provided a static translation, which is what is needed. But you have restricted it to TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP, ESP and AHP traffic? How is it to be translated?

    If there is no static translation for ISAKMP, ESP and AHP traffic, then clients don't know how to reach the server. Which brings me to the question of what address is configured in the client for the server?

    HTH

    Rick

  • Router Cisco SSL VPN Configuration

    Hello support.

    A question concerning this scenario.

    One of our clients currently has SSLVPN enabled for remote users and I was wondering if there is any way to configure a remote Cisco router to connect via IPsec to this SSLVPN endpoint? The idea is simply to set up the tunnel without requiring changes on my customer's end.

    Thanks in advance.

    Ivan Chacon

    Hello

    IPsec and SSLVPN are 2 different configurations; there is no way to have a router configured for IPsec connect to another one without changing that end as well.  You can run IPsec and SSLVPN on the same router, however.

    There are a lot of IOS LAN-to-LAN configuration guides, or if you want the router to act as a client, look into EZVPN.

    HTH

    -Jason

  • Weird behavior of the 871 router on VPN tunnel

    Hi, I have established a site-to-site VPN tunnel from a Cisco 871 to a Cisco 2800. This part is right and works. So, what's the problem? Let's see:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 6 ipsec-isakmp
     description Numintel
     set peer 213.192.208.242
     set security-association lifetime seconds 86400
     set transform-set ESP-3DES-SHA
     match address 100
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address 196.12.229.218 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    !
    interface Vlan1
     ip address 192.169.15.100 255.255.255.0
     no ip redirects
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 196.12.229.217
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    access-list 1 remark local
    access-list 1 permit 192.169.15.0 0.0.0.255
    access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

    The thing is that when I apply the local access list, to let the 192.169.15.0 hosts have access to the internet, I can't reach the other end of the tunnel (say, ping 192.168.3.35). When I disable the local access list (access-list 1 permit ip 192.169.15.0 0.0.0.255), the tunnel works. I can access the other end of the tunnel from any of the hosts on 192.169.15.0, but I don't have access to the internet. Can someone explain what is happening and how to fix it? Thank you.

    Hello

    You have to make the IPsec traffic bypass NAT. IPsec traffic must be denied in the NAT access list. Use an extended access list, for example:

    access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
    access-list 120 permit ip 192.169.15.0 0.0.0.255 any

    ip nat inside source list 120 interface FastEthernet4 overload

    HTH

    Sangaré

    Pls rate helpful messages
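Added example, not part of the original posts: a Python model of why the NAT exemption advised in this reply, and in the reply to the 3825 question earlier on the page, works. On IOS, inside-to-outside NAT is applied before the crypto map ACL is checked, so a translated source address no longer matches the crypto ACL. The ACL evaluator generalises to any standard or extended `ip` entries; the inside host and the Internet destination are constructed sample values.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse numbered IOS ACL lines into (action, src, dst) entries.

    Handles standard entries and extended 'ip' entries with address/wildcard,
    'host A' or 'any' operands. Remarks and other lines are skipped.
    """
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        rest = tok[3:]
        if rest[0] == "ip":
            rest = rest[1:]
        else:
            rest = rest + ["any"]  # standard ACL: matches on source only
        operands, i = [], 0
        while len(operands) < 2:
            if rest[i] == "any":
                operands.append((0, 0xFFFFFFFF))
                i += 1
            elif rest[i] == "host":
                operands.append((_ip(rest[i + 1]), 0))
                i += 2
            else:
                operands.append((_ip(rest[i]), _ip(rest[i + 1])))
                i += 2
        entries.append((tok[2], operands[0], operands[1]))
    return entries


def _hit(addr, operand):
    base, wildcard = operand
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_permits(entries, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, d in entries:
        if _hit(_ip(src), s) and _hit(_ip(dst), d):
            return action == "permit"
    return False


def forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside-to-outside order: NAT overload first, crypto map ACL second."""
    wire_src = outside_ip if acl_permits(nat_acl, src, dst) else src
    handling = "ipsec" if acl_permits(crypto_acl, wire_src, dst) else "clear"
    return wire_src, handling


OUTSIDE_IP = "196.12.229.218"  # FastEthernet4 address in the posted config
CRYPTO_100 = parse_acl([
    "access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255",
])
NAT_LIST_1 = parse_acl(["access-list 1 permit 192.169.15.0 0.0.0.255"])
NAT_LIST_120 = parse_acl([
    "access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 120 permit ip 192.169.15.0 0.0.0.255 any",
])
HOST = "192.169.15.10"     # constructed inside host
REMOTE = "192.168.3.35"    # ping target named in the question
INTERNET = "198.51.100.7"  # constructed Internet destination

if __name__ == "__main__":
    for name, nat in (("list 1", NAT_LIST_1), ("list 120", NAT_LIST_120), ("no NAT", [])):
        for dst in (REMOTE, INTERNET):
            print(name, dst, forward(HOST, dst, nat, CRYPTO_100, OUTSIDE_IP))
```

With list 1 the tunnel-bound packet leaves translated and in the clear; with list 120 it keeps its private source and is encrypted, while Internet traffic is still translated.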

  • NAT on the router WRT120N.

    Hello

    I bought a new router, the WRT120N, and it works well.

    But I have a question. I had this problem on my other router also, but there it was easy to stop. It is called NAT; I have problems with it in a game called Gunz.

    7700-7800 TCP and UDP ports.

    I already found the option to turn off NAT, but then I have no more Internet. If I disable this I have to fill something in, because it wants STATIC ROUTING.

    I tried port forwarding, which only helped on my old router, but it does not help.

    Can anyone tell me what I must write in the static route fields? I don't know enough about routers.

    Thank you

    Niels

    I guess that the 168.192.1.104 in the port forwarding is a typo.

    The computer is configured for DHCP. You must ensure that you configure a DHCP reservation for the computer.

    Your router is connected directly to the internet. It has a public IP address. Good.

    Haven't you set up single port forwarding or port triggering?

    If this isn't the case, the transmission seems to be set up correctly.

    Do you run the firewall on the computer?

  • SSL vpn through the same internet connection to another site

    Hi, I have a network with a Juniper SSL box connected to the DMZ port of an ASA 5510, where the outside of the ASA is the same as the outside of the SSL VPN box.

    I have no issues accessing the internal network at all.

    Now, I need remote Juniper SSL VPN users to connect to my remote sites as well, which takes the client connection through an internet router (Cisco, through site-to-site IPsec VPN) back out to the remote site.

    Is it possible? My hunch is yes, "it can be done."

    Currently I'm getting nowhere; I get no hits on the ASA DMZ ACL if I try to access the remote site resources from the SSL VPN client.

    Schema attached

    Any help would be appreciated

    Shouldn't be a problem.

    On the Juniper SSL box, you must check whether routes have been added for the remote IPsec LAN that point to the ASA DMZ IP address instead of pointing to the internet through the Juniper SSL box.

    You need to configure NAT exemption on the ASA between the SSL pool subnet and the remote IPsec LAN. You must also include the SSL subnet to the remote LAN subnets in the crypto ACL, and a mirror-image ACL in the remote site's crypto ACL.

    Hope that helps.

  • Third-party SSL VPN terminated in the ASA DMZ

    Hi all

    Any help is appreciated. Is it possible:

    I have a DMZ set up on an ASA 5520, and it has worked well so far. The DMZ subnet is 192.168.10.0/24 and the IP on the DMZ interface is 192.168.10.1. Now, I'm trying to add a third-party SSL VPN device (not Cisco). The device has the IP 192.168.10.101. The SSL VPN appliance will give SSLVPN clients IP addresses in the range 192.168.20.x. After the connection is established, the client is indeed getting an IP address in 192.168.20.x. However, clients are unable to connect to the internal LAN. If I change the clients' IP address range to the same subnet as the DMZ, everything works. My question is: as SSLVPN clients terminate in the DMZ and get an IP address from a different subnet, how can I route/map these addresses so that they can access the internal network on the inside interface, or can it be done at all?

    All advice is appreciated.

    You just need to add the appropriate routes on the ASA for this pool. And also on any Layer 3 routing devices inside the ASA.

    Regards

    Farrukh

  • VPN site to Site using the router and ASA

    Hello

    I have a Cisco 1812 router that is configured for remote access VPN using IPSec (Cisco VPN Client), my question is if I can configure a Cisco ASA 5505 to connect to the router as a VPN from site to site.

    Thank you

    Karl

    Dear Karl,

    You are right, in this case you can create a site-to-site VPN tunnel between the devices, or you can configure your ASA as a hardware VPN client, that is to say, Easy VPN.

    For this, you can consult the document below.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

    Kind regards

    Shijo.

  • Cisco IOS SSL VPN on mobile

    Hello

    I want to know whether I can use the Cisco IOS SSL VPN with the AnyConnect mobile client. If yes, what are the prerequisites, and is any kind of additional license required?

    Thank you

    From the following article:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-VPN-client...

    Q. Is it possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router?

    A. No. It is not possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that is running version 3,0000.1 or a later version. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

    --

    Please do not forget to rate and choose a good answer

  • AnyConnect SSL VPN Split tunneling problem

    Hello

    We have home users that VPN in on a regular basis, but when they VPN in they cannot print locally or connect to local resources.  Is there a way to enable split tunneling for all remote VPN users?  It is not possible to add all the remote subnets, especially since I don't know which subnets are used, and it would be a management issue.  I noticed that when I connect from home a new route is added to my PC, which prefers the VPN link.

    I noticed one of the options in the AnyConnect client is 'enable local LAN access (if configured)'.  Can I use that?

    Thanks in advance.

    Hello

    As I understand it, you need to connect to your local printers while you are connected to the ASA via SSL VPN.

    You can do this by creating a split tunnel exclude policy on the ASA and enabling the local LAN access option on the client, or you can use the AnyConnect profile to allow local LAN access.

    Please find the link below:

    https://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg

    I hope it helps.

    Thank you

    Shilpa

  • URL access via SSL VPN

    Dear members

    Please see the diagram for an easy understanding of the issue.

    I am facing a problem with the SSL VPN configured on an ASA 5520. Here's the simple network topology.

    The customer has an ERP server in the inside segment, which is running Apache/Tomcat 5.5 and listening on port 8204. The complete URL to access the installed application is

    http://192.168.2.1:8204/system/servlet/login

    The ASA connects to a perimeter router, which is also configured for remote access VPN. Cisco VPN client users can access this URL easily when they connect via VPN; also, if I create a static translation for this IP 192.168.2.1, the full URL is accessible from the outside. The problem is with SSL VPN: when I enter the URL, nothing appears and the session expires. However, if I just enter http://192.168.2.1:8204, the Apache/Tomcat page opens, which means that through SSL VPN I can reach the web server running on 192.168.2.1, but this particular URL is not accessible.

    Here Apache on the ERP server is listening on a nonstandard port, which could be the reason; do I need to create a port forwarding or "smart tunnel"?

    I already tried with port forwarding, but that has not solved the problem.

    All input from your side will be highly appreciated.

    Thank you

    Ahad

    Hi Ahad,

    When you access the server (http://192.168.2.1:8204/system/servlet/login URL) from the inside, does the URL in the browser address bar remain the same? Or does it redirect?

    Is the login page a Java applet?

    Now, there are several things to try:

    - Do a "view page source" on the working (internal or via IPsec VPN) login page and again on the failing (via WebVPN) page and compare. Does that raise any suspicion?

    - You can install software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a Cisco product, nor approved by Cisco) to see exactly what is happening over the SSL tunnel (i.e. it will show you the HTTP request from the browser to the server and the response). Again, you can do this for both a working and a non-working case to compare.

    - As a possible solution: create an HTTP bookmark on the portal for this URL and select "smart tunnel" for it.

    HTH

    Herbert
