Clientless SSL VPN going over site-to-site tunnel

Unanswered Question
Aug 22nd, 2008

Hi all,

Is it possible to connect to a clientless SSL VPN and access a website that's located over a site-to-site VPN connection on the same device? I have the site-to-site working fine but when I try to access with the clientless SSL VPN, it doesn't route over the site-to-site tunnel. What am I missing?



acomiskey Fri, 08/22/2008 - 11:27

I assume you are trying to ssl vpn to the outside interface address of the ASA? And you want this traffic to go over the tunnel?

You need to add the interface IP to the interesting traffic on the ASAs and also the nat0 ACL on the remote end ASA.

For instance, if the outside address of the ssl server ASA is and local ssl vpn client address is in

Local ASA-

access-list crypto extended permit ip host

access-list nat0 extended permit host

Remote ASA-

access-list crypto extended permit ip host

That should allow you to hit over the vpn tunnel. Hope that helps.
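The reply above comes down to the crypto ACLs on the two peers staying mirror images once the ASA's own interface address is added as a source. The following check is an added example, not part of the original thread; the addresses are constructed placeholders (203.0.113.10 for the SSL VPN ASA's outside address, 10.20.0.0/24 for the remote network), and only the ACL name `crypto` is taken from the post.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread): 203.0.113.10 stands in for the
# SSL VPN ASA's outside address, 10.20.0.0/24 for the network behind the remote ASA.
LOCAL_ASA = """\
access-list crypto extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list crypto extended permit ip host 203.0.113.10 10.20.0.0 255.255.255.0
"""
REMOTE_ASA = """\
access-list crypto extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

def _take(tokens):
    """Consume one address spec ('host A', 'any', or 'NET MASK')."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config, name):
    """Return the set of (source, destination) networks in the named ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        src, rest = _take(m.group(2).split())
        dst, _ = _take(rest)
        pairs.add((src, dst))
    return pairs

def missing_mirrors(local_cfg, remote_cfg, name="crypto"):
    """Local entries whose reversed (dst, src) pair is absent on the remote peer."""
    remote = parse_acl(remote_cfg, name)
    return sorted((s, d) for s, d in parse_acl(local_cfg, name) if (d, s) not in remote)

def as_ace(src, dst, name="crypto"):
    """Render a (src, dst) pair back into ASA ACL syntax."""
    def spec(n):
        return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
    return f"access-list {name} extended permit ip {spec(src)} {spec(dst)}"

if __name__ == "__main__":
    for src, dst in missing_mirrors(LOCAL_ASA, REMOTE_ASA):
        print("remote ASA needs:", as_ace(dst, src))
```
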

vpoon87 Fri, 08/22/2008 - 12:38

Thanks for the prompt reply.

If the remote site-to-site tunnel connection profile is using the public interface that I'm using to SSL in, will the access list added to the remote ASA cause any problems?

Also, assume I'll also need (assuming remote network is

access-list nat0 extended permit host

Thanks again


acomiskey Fri, 08/22/2008 - 13:58

Should not cause issues. All you are doing is adding traffic that you want to be encrypted across the tunnel. You will add the access list statements to the ones which already exist for the tunnel. If the remote network is, just replace with that in the post above. Post up the configs before if you feel more comfortable.

