WebVPN traffic accross an IPSEC tunnel

Unanswered Question
Aug 31st, 2007
User Badges:

I am managing two remote locations. One uses an ASA5505 and the other uses an 831 Router. The two sites are connected via an IPSEC VPN Tunnel. In addition I've configured the WebVPN on the ASA device so that I can use the application access and port forwarding to telnet to a device on the inside of the ASA network.

By typing "telnet 3044" into a command prompt I am able to telnet into a device on the inside of the ASA network while I'm connected via WebVPN. Now I'd like to do the same telnet to another device on the 831 router's network. I've added the additional port forwarding commands so that port 3045 is forwarded as port 23; same as I did for port 3044 to access the first device. The only difference is that now I'm trying to forward to a remote location over the IPSEC VPN. I added the WebVPN's ip pool as interesting traffic on both sides of the IPSEC tunnel and denied NAT for that ip range also. But I'm having trouble.

I'd appreciate any suggestions on how to get this to work. -- My suspicion is that the WebVPN Client is not getting an IP Address assigned from the configured pool of addresses the way a standard VPN Client or SSL Client would, but I still don't know how to get that WebVPN traffic to cross the tunnel.

Thank you,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
pradeepde Thu, 09/06/2007 - 06:40
User Badges:
  • Bronze, 100 points or more

You should check if the routing between the vpn's is working fine or not. If you are connecting to ASA using WebVPN and your telnet access to device on the routers network is forwarded over the IPsec VPN which is between the ASA and the router, check if you are able to pass any other kind of traffic to the routers network. If both the Webvpn and IPsec are using the same interface on ASA you should configre the command "same-security-traffic permit intra-interface" on the ASA.

depadua_chris Thu, 09/06/2007 - 06:44
User Badges:

Other traffic does pass through the IPsec tunnel from one network to another, so the routes are working. Also, I've configured both "same-security-traffic permit intra-interface" and "same-security-traffic permit inter-interface".

Thanks for the suggestions!

Gerard Roy Wed, 10/17/2007 - 11:01
User Badges:

Did you ever get an answer to this that worked? I have the same situation. I need to get to the LAN of a spoke that has a tunnel to an ASA. I can pass traffic between the asa and the spoke LAN's but when I ire off anyconnect and connect to asa. I only get a route in my asa client to the lan of the asa. It nevers knows to route traffic to the lan of the spoke.

depadua_chris Wed, 10/17/2007 - 11:17
User Badges:

Sorry, I never got a reply that worked for me. I ended up having to use the VPN Client instead of the WebVPN.

You might try to use the SSLVPN; I didn't try that.

Arif . Tue, 04/27/2010 - 04:28
User Badges:


Has anyone had any joy with this issue?

I am having th esame problem, can access resources on the LAN of the ASA fine, however cannot access resources on the LAN of an IPSec connected site via the ASA. IS almost like a routing problem however i am using Web VPN so no IP Routing should be involved as no IP assignment takes place.

Any input would be appreciated.

Jennifer Halim Tue, 04/27/2010 - 04:44
User Badges:
  • Cisco Employee,

With webvpn across site-to-site vpn tunnel, you would need to make sure that the crypto ACL include the ASA outside ip address towards the remote LAN where the resources is.

Webvpn port redirection will be sourced from the ASA interface where the remote LAN is connected to, and since it's site-to-site, the webvpn port redirection will be sourced from the ASA outside interface.

Hope that helps.

Arif . Tue, 04/27/2010 - 05:35
User Badges:

Hi Halijenn,

I tested this on one of my tunnels and it worked a charm!

I will now test on the live tunnel and let you know how it goes.



Arif . Mon, 05/24/2010 - 14:16
User Badges:

Hi Halijen,

Just to clarify, this solution works however a very interesting question was raised.

If the public IP of the SSL VPN is the same as the IP the IPSec tunnel connects to, how does the ASA at the remote site know to route traffic destined for the WAN IP across the Internet and not the tunnel? and if so how can the tunnel be established on a public IP if traffic for the IP is being tunneled?



Jennifer Halim Wed, 05/26/2010 - 04:40
User Badges:
  • Cisco Employee,

Because the crypto ACL is between the ASA public ip address (WAN address) towards the remote LAN host/subnet. Since it's matching the crypto ACL, then it will be encrypted and goes through the VPN tunnel.

Hope that answers your question.


This Discussion