WebVPN traffic accross an IPSEC tunnel

depadua_chris
Level 1

I am managing two remote locations. One uses an ASA5505 and the other uses an 831 Router. The two sites are connected via an IPSEC VPN Tunnel. In addition I've configured the WebVPN on the ASA device so that I can use the application access and port forwarding to telnet to a device on the inside of the ASA network.

By typing "telnet 127.0.0.1 3044" into a command prompt I am able to telnet into a device on the inside of the ASA network while I'm connected via WebVPN. Now I'd like to do the same telnet to another device on the 831 router's network. I've added the additional port forwarding commands so that port 3045 is forwarded as port 23; same as I did for port 3044 to access the first device. The only difference is that now I'm trying to forward to a remote location over the IPSEC VPN. I added the WebVPN's ip pool as interesting traffic on both sides of the IPSEC tunnel and denied NAT for that ip range also. But I'm having trouble.

I'd appreciate any suggestions on how to get this to work. -- My suspicion is that the WebVPN Client is not getting an IP Address assigned from the configured pool of addresses the way a standard VPN Client or SSL Client would, but I still don't know how to get that WebVPN traffic to cross the tunnel.

Thank you,

Chris

10 Replies

pradeepde
Level 5

You should check if the routing between the VPNs is working fine or not. If you are connecting to the ASA using WebVPN and your telnet access to the device on the router's network is forwarded over the IPsec VPN which is between the ASA and the router, check if you are able to pass any other kind of traffic to the router's network. If both the WebVPN and IPsec are using the same interface on the ASA you should configure the command "same-security-traffic permit intra-interface" on the ASA.

Other traffic does pass through the IPsec tunnel from one network to another, so the routes are working. Also, I've configured both "same-security-traffic permit intra-interface" and "same-security-traffic permit inter-interface".

Thanks for the suggestions!

Did you ever get an answer to this that worked? I have the same situation. I need to get to the LAN of a spoke that has a tunnel to an ASA. I can pass traffic between the ASA and the spoke LANs, but when I fire off AnyConnect and connect to the ASA, I only get a route in my ASA client to the LAN of the ASA. It never knows to route traffic to the LAN of the spoke.

Sorry, I never got a reply that worked for me. I ended up having to use the VPN Client instead of the WebVPN.

You might try to use the SSLVPN; I didn't try that.

Hi,


Has anyone had any joy with this issue?

I am having the same problem: I can access resources on the LAN of the ASA fine, however I cannot access resources on the LAN of an IPSec-connected site via the ASA. It's almost like a routing problem; however, I am using Web VPN, so no IP routing should be involved as no IP assignment takes place.

Any input would be appreciated.

With WebVPN across a site-to-site VPN tunnel, you would need to make sure that the crypto ACL includes the ASA outside IP address towards the remote LAN where the resources are.

Webvpn port redirection will be sourced from the ASA interface where the remote LAN is connected to, and since it's site-to-site, the webvpn port redirection will be sourced from the ASA outside interface.

Hope that helps.

Hi Halijenn,

I tested this on one of my tunnels and it worked a charm!

I will now test on the live tunnel and let you know how it goes.

Thanks,


Arif.

Perfect..

Hi Halijen,

Just to clarify, this solution works however a very interesting question was raised.

If the public IP of the SSL VPN is the same as the IP the IPSec tunnel connects to, how does the ASA at the remote site know to route traffic destined for the WAN IP across the Internet and not the tunnel? And if so, how can the tunnel be established on a public IP if traffic for the IP is being tunneled?

Thanks,


Arif.

Because the crypto ACL is between the ASA public IP address (WAN address) and the remote LAN host/subnet. Since it's matching the crypto ACL, it will be encrypted and go through the VPN tunnel.

Hope that answers your question.
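A concrete form of the fix described in the two replies above, as an added configuration example that is not from this thread or from the posters' own configs. All addresses, ACL and crypto-map names, the transform set, and the 831's WAN interface name are assumed placeholders; the ASA commands use the 7.x/8.0-era syntax that matches an ASA 5505 of that period, and the port-forward syntax in particular varies by release.

```cisco
! ===== ASA 5505 (hub). Constructed example addresses: =====
!   ASA outside  203.0.113.10    ASA inside LAN   192.168.1.0/24
!   831 outside  198.51.100.20   831 LAN (spoke)  192.168.2.0/24
!   Telnet target behind the 831: 192.168.2.50
!
! Crypto ACL: the usual LAN-to-LAN line, plus the ASA's own outside address
! towards the spoke LAN. WebVPN port-forward sessions to 192.168.2.50 are
! sourced from the outside interface, so without the second line they never
! match the crypto map and leave the ASA unencrypted.
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip host 203.0.113.10 192.168.2.0 255.255.255.0
!
! NAT exemption for LAN-to-LAN traffic (the ASA's own sourced traffic is not NATed)
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Traffic arrives on outside (WebVPN) and leaves on outside (tunnel)
same-security-traffic permit intra-interface
!
! Port-forward entry: local port 3045 -> telnet on the spoke host
webvpn
 port-forward PF_LIST 3045 192.168.2.50 23 Telnet-Spoke

! ===== Cisco 831 (spoke): mirror image of the crypto ACL =====
ip access-list extended L2L_CRYPTO
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 host 203.0.113.10
!
! Keep tunnelled traffic, including replies to 203.0.113.10, out of PAT
! (IOS applies NAT before the crypto map on egress, so a PAT'd reply
! would no longer match the crypto ACL). Ethernet1 = assumed WAN port.
ip access-list extended NONAT_ACL
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 host 203.0.113.10
 permit ip 192.168.2.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NONAT_ACL
ip nat inside source route-map NONAT interface Ethernet1 overload
!
! Why the tunnel itself still works (Arif's question): the crypto ACL matches
! ASA-outside -> spoke LAN, never ASA-outside -> 198.51.100.20, so the IKE/ESP
! packets to the peer are not candidates for encryption and go out in the clear.
!
! Check on the ASA after a port-forwarded telnet: a second SA pair should exist
!   show crypto ipsec sa  -> local ident (203.0.113.10/255.255.255.255/0/0)
!                            remote ident (192.168.2.0/255.255.255.0/0/0)
```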
