544 Views | 0 Helpful | 1 Replies

Reaching sites across a tunnel via WebVPN on ASA

benrad
Level 1

I was able to get this to work on my VPN 3000, but after installing the new ASA last night, I am unable to do the following:

User logs into WebVPN and attempts to access our CMS over a tunnel that is up on our ASA. All the appropriate ACLs are present and you are able to access the CMS fine when you're on our LAN. It also works if you connect to the VPN through the Cisco client. I'm trying to figure out what I have wrong with the WebVPN config and why it's not allowing me to get to the tunnel. The DefaultWebVPNGroup is using the same group policy as the client.

Any thoughts?

Thanks.

1 Reply

Nicolas Fournier
Cisco Employee

Hi,

Are you talking about clientless WebVPN?

If so, you need to include the ASA outside IP address to the crypto ACL of your VPN.

This is due to the fact that when you use clientless WebVPN, the ASA will request the CMS page with its own IP, so it won't be tunneled if it is not part of the crypto ACL.

If you are talking about Anyconnect access, I see two possible problems:

1.) "same-security-traffic permit intra-interface" not configured.

This would be needed for the traffic to bounce from the outside interface to the VPN originated on the same interface. If you are able to access your CMS with the VPN client, I guess this is configured since you would also need it.

2.) Anyconnect VPN pool not NAT exempted or not tunneled

Did you set up NAT exemption for the pool bound to the AnyConnect clients? If so, is this pool also part of the crypto ACL of your VPN?

Hope this helps.

Regards,

Nicolas
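The three points in the reply above, written out as an ASA configuration fragment. This is an added illustration, not configuration posted by either participant: every address (outside interface 203.0.113.10, local LAN 192.168.10.0/24, remote CMS site 192.168.20.0/24, AnyConnect pool 10.10.10.0/24, remote peer 198.51.100.20), every object name and the transform-set name are constructed, and the NAT exemption uses the pre-8.3 `nat 0 access-list` syntax that the thread's wording ("nat exemption") suggests.

```text
! Constructed addresses (assumption, not from the thread):
!   ASA outside interface   203.0.113.10
!   Local LAN               192.168.10.0/24
!   Remote site holding CMS 192.168.20.0/24
!   AnyConnect address pool 10.10.10.0/24
!   Remote IPsec peer       198.51.100.20

! 1) Crypto ACL for the site-to-site tunnel.
!    Clientless WebVPN fetches the CMS page with the ASA's OWN outside
!    address as the source, so that host must be in the crypto ACL or the
!    request leaves in the clear and never enters the tunnel.
!    AnyConnect clients arrive with a pool address, so the pool is added too.
access-list L2L_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip host 203.0.113.10 192.168.20.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 2) AnyConnect traffic enters on "outside" and must leave on "outside"
!    through the IPsec tunnel (hairpin). Without this line the ASA drops it.
same-security-traffic permit intra-interface

! 3) NAT exemption: the pool must keep its 10.10.10.x source so the packet
!    still matches L2L_CRYPTO after the NAT stage. Pre-8.3 syntax (assumed).
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 0 access-list NONAT

! Verification: a separate SA pair should appear for each crypto ACL line
! once traffic from that source has been sent.
show crypto ipsec sa peer 198.51.100.20
show running-config same-security-traffic
```

The remote peer's crypto ACL has to mirror these entries (remote LAN to the ASA outside host and to the pool), otherwise phase 2 negotiation for those proxy identities fails even though the local side is correct. Keeping the clientless-WebVPN host entry and the pool entry narrow, rather than permitting `any`, avoids accidentally pulling unrelated Internet traffic into the tunnel.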