Can Access Site Using VPN Client But Not In SSL Web VPN ?

Ron Timbang
Level 1

Hi Guys.

I need your help again. I am able to access an intranet site using Cisco's VPN Client, but I cannot access it using the SSL VPN client. I configured "VPN hairpin" and it's working fine on the Cisco VPN Client but not on the SSL client.

Need your help again guys.

I need SSL for Mac users. I have problems installing the VPN client for Mac users. Any experience installing the VPN client on Mac OS X?

Thank you & God bless!


11 Replies

Jennifer Halim
Cisco Employee

Can you please share your ASA configuration?

Also, what version of SSL VPN are you using, and what version of ASA are you running?

Have you tested the SSL VPN on Windows? Do they have the same issue as Mac users, or is the issue with SSL VPN only with Mac users?

Hi,

I created a clientless VPN profile using the ASDM wizard. I used the existing group policy since I can access the site using it. Please see the attached picture. What other settings must be checked for the clientless SSL VPN to work like the Cisco VPN Client? Thank you for your help.

Hi Ms. Halim,

I have read your post:

https://supportforums.cisco.com/thread/2066799

I have the same issue. Can you elaborate further on the solution you posted before? Your help is greatly appreciated.

I believe I have already done this from the post I followed at http://www.petenetlive.com/KB/Article/0000040.htm

Thank you in advance...

********

Yes you can, and here is what you have to add apart from the standard "same-security-traffic permit intra-interface":

On the hub:

The crypto ACL towards the spoke needs to include the following:
access-list permit ip interface outside

On the spoke:
The crypto ACL towards the hub needs to include the following:
access-list permit ip host

You would also need to add NAT exemption access-list on the spoke:
access-list permit ip host

Clear the tunnel on both ends, and RDP to the spoke LAN via clientless SSL VPN should work.

Hope that helps.

********************

Are you trying to access the intranet site via Clientless SSL VPN, and is the intranet site actually reached via a site-to-site tunnel on the other remote end?

If yes, can you please share your config from both ends so we can see if there is any missing configuration?

Yes Ma'am, that's correct. Can I send you our config via email?

I can share our config with you, but the problem is with my counterpart, since I am not allowed to access their ASA.

Thank you.

Yes, you can PM me your config.

Also, have you confirmed that your counterpart ASA has been configured with the respective config to allow access from your ASA external IP?

Hi Ma'am,

Is this correct? I have to do steps 1-3, and my counterpart must do steps 4-5?

Thank you...

Step 1: Add the Subnet of the Remote Site to the "Split Tunnel" for the remote VPN

Step 2: Turn On Hair Pinning

Step 3: Add the "Remote VPN Network" to the EXISTING site to site VPN on the Main Site.

(REMOTE)

Step 4: Add a NAT Exemption on the Remote Site ASA

Step 5: Add the Remote VPN Pool to the EXISTING Site to Site VPN Access List.

Instead of the VPN Pool, you would need to add the ASA outside interface IP, because Clientless SSL VPN doesn't use the VPN Pool.

On your ASA:

Step 1: turn on hair pinning (same-security-traffic permit intra-interface)

Step 2: add the following ACL to the existing site-to-site VPN: permit ip host

On the remote end:

Step 1: add NAT exemption: permit ip host

Step 2: add the following ACL to the existing site-to-site VPN to your site: permit ip host
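The two replies above (the quoted hub/spoke answer and the accepted solution) describe the same configuration, so here is one worked ASA example showing both ends together. This is an added illustration and not configuration from the thread, from Cisco, or from either poster's ASA. All addresses are constructed RFC 5737 documentation values: the hub (the ASA hosting the clientless SSL VPN portal) has outside address 203.0.113.10 and LAN 10.1.0.0/24; the spoke (the counterpart) has outside address 198.51.100.20 and LAN 10.2.0.0/24. The ACL, object and crypto map names are placeholders.

```cisco
! ===== Hub ASA (hosts the clientless SSL VPN portal) =====
! Allow traffic that enters the outside interface to leave via the same
! interface; this is the "hairpin" the thread refers to.
same-security-traffic permit intra-interface

! Existing site-to-site crypto ACL. The first line is the normal LAN-to-LAN
! entry. The second line is the addition for clientless SSL VPN: the ASA
! proxies the session itself, so traffic towards the spoke is sourced from the
! hub's outside interface address, not from any VPN address pool.
access-list HUB_TO_SPOKE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HUB_TO_SPOKE extended permit ip interface outside 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address HUB_TO_SPOKE

! ===== Spoke ASA (counterpart, hosts the intranet site) =====
! The crypto ACL must be the mirror image of the hub's, so the hub outside
! address appears here as a single host entry.
access-list SPOKE_TO_HUB extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SPOKE_TO_HUB extended permit ip 10.2.0.0 255.255.255.0 host 203.0.113.10
crypto map OUTSIDE_MAP 10 match address SPOKE_TO_HUB

! NAT exemption so replies from the intranet site to the hub outside address
! are not translated before they are matched against the crypto ACL.
! Pre-8.3 syntax:
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 host 203.0.113.10
nat (inside) 0 access-list NONAT
! Equivalent 8.3+ syntax (use one form or the other, depending on ASA version):
object network SPOKE_LAN
 subnet 10.2.0.0 255.255.255.0
object network HUB_OUTSIDE
 host 203.0.113.10
nat (inside,outside) source static SPOKE_LAN SPOKE_LAN destination static HUB_OUTSIDE HUB_OUTSIDE no-proxy-arp route-lookup

! ===== Both ends, after the change =====
! Tear down the existing SAs so the tunnel is rebuilt with the new proxy
! identities, then confirm the new SA pair appears for the hub host entry.
clear crypto ipsec sa peer 198.51.100.20
show crypto ipsec sa peer 198.51.100.20
```

The check that matters is in the last command: after a clientless SSL VPN user browses to the intranet site, the output should show a security association whose local/remote identities are the hub outside host and the spoke subnet (plus a matching pair on the spoke), with encaps and decaps counters incrementing. If only the LAN-to-LAN pair appears, one side is still missing the host entry or the NAT exemption, which is the mismatch the thread is working through.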

Hi Ma'am,

Sorry, I'm very new to ASA. Can you elaborate more on:

Remote end:

Step 1: add NAT exemption: permit ip host

From their perspective, they will add NAT exemption permit ip <is this the subnet I'm going to access, meaning their subnet?> host ?

Thank you, Ma'am, for your support.

Yes, you are correct.

The remote subnet would be your counterpart's local subnet (i.e. the subnet you are going to access).

Hi Ma'am,

Thank you for verifying.
