clientless vpn can't reach l2l lan?

Unanswered Question
Dec 5th, 2007
User Badges:

The clientless vpn setup I have created allows (for example java rdp client) access to the inside network. However I'm unable to figure out how to provide access to the networks that are connected to the same device via a l2l or site to site vpn. I tried messing with adding split-tunnelling entries to no avail. I have also added the same-security-traffic permit commands which did not help. A lot of the troubleshooting articles seem to pertain to client based vpn connections where the remote computer actually gets assigned an IP address. The way I look at it with the clientless webpages and rdp-connections are essentially being proxied from the firewall itself. So to sum up: clientless can reach inside servers but not vpn'd in servers?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (1 ratings)
Jason Gervia Mon, 12/10/2007 - 11:25
User Badges:
  • Cisco Employee,


I've never done this before, but it should be possible. You probably need to modify your crypto map to allow the ASAs interface IP address to access networks across the VPN tunnel, as that is where the traffic would be initiated from.

wbolsover Mon, 12/10/2007 - 11:44
User Badges:

Interesting, when I first started looking at this I decided to ask myself would the firewall's IP address be able to access the network in question. And at that time, I was using the Inside IP address and saying yes of course it does. But I, actually, have no idea what interface its trying to use. Could it have decided to use the outside ip address since the vpn is initiated on that interface? Does the firewall just plain not know what interface to use? These questions may be too hard to answer. But a seemingly easier problem that I realized I had after I posted was that I'm essentially having the same exact problem with the DMZ network created by this same firewall. The interface it imho should use is the one on the same network as the server in question. Even if it decided to use the inside interface it should in theory still have access to this network... I feel like the firewall is just not routing this webvpn traffic correctly at all and I don't know why. Oh and by the way the packet tracer from the ASDM 6.02 is useless in this situation because even in a situation that I know works. The packet tracer reports that the packet is dropped by implicit deny whenever you try to use the firewall's ip address.... Wow, sorry for the wordy response...


This Discussion