07-01-2010 02:34 AM
Hi,
I have two sites each having an ASA 5510 firewall. Anyconnect clients connected to one site can access resources in both sites. Webvpn clients connected to one site cannot access resources in another site. Is there something I have missed out?
Thanks,
Simon
07-01-2010 06:02 AM
Hi Simon,
When you refer to AnyConnect clients you refer to SSL VPN clients and webvpns to client-less SSL connections, correct?
If this is so, do you have split-tunneling configured for both VPNs?
Are you using a separate group-policy for AnyConnect and webvpn? If this is so, you might have a different split-tunneling policy.
Is the pool of addresses the same for both connections?
Federico.
07-01-2010 06:04 PM
Hi Simon,
Most probably the crypto ACL between the site-to-site tunnel does not include the following for the webvpn client to access resources behind the remote LAN:
- On the ASA where the webvpn is terminating, the site-to-site crypto ACL should include access-list to permit the outside interface ip address of the ASA towards the remote LAN subnets, and the mirror image ACL on the remote ASA.
This is because ASA is proxying the webvpn traffic and traffic from the ASA towards the network resources is sourced based on the routing. Since network resources behind the remote LAN will be routed towards the outside interface, the webvpn traffic is sourced from the outside interface.
- Secondly, the NAT exemption on the remote ASA should include an ACL that permits remote LAN subnets towards the HQ ASA outside interface IP.
Hope that helps.
07-01-2010 11:15 PM
Hi Halijenn,
Thanks very much for your help, it works. I forgot to include the outside IP in the remote crypto ACL and the NAT exemption in the remote ASA.
Thanks,
Simon
07-01-2010 11:49 PM
Thanks, glad to hear it's working now.