ASA WebVPN + IPSEC Tunnel reachability issue

Unanswered Question
May 25th, 2010

We have a setup where a WebVPN Portal in an ASA5505 (version 8.3) contains a few web servers for test purposes. One of these web servers is placed behind a VPN-tunnel connected to this same ASA. (The tunnel terminates in another 5505). Anyway, WebVPN is fine in most cases but in this case it seems hard to get the traffic to go back into the other tunnel to reach the actual server. We have tried all kinds of NAT + ACL configs and even tried to NAT the server IP to an IP on the outside interface to get the traffic to return. I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one? Has anyone understood how traffic is handled from the WebVPN engine so to speak? Grateful for all suggestions. This is a lab ASA so I cannot TAC for this issue. See attached schematic.

My closest bet is from the ASA Log where this traffic seems to be generating a spoof event. The actual problem server has an IP of 10.0.36.10 (but attached to a VPN Tunnel) and the internal Interface of the ASA is 10.0.254.1. This traffic should not be on this interface, that's for sure...



2 | May 25 2010 | 19:36:15 | 106016 | Deny IP spoof from (10.0.254.1) to 10.0.36.10 on interface inside
hdashnau Tue, 05/25/2010 - 11:18

I can answer only part of this question for you... "I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one?"

The ASA will do a route lookup on the destination (the server across the L2L). Based on the route lookup it should select the interface. You can also use the "packet-tracer" command to get an idea of the flow through the ASA which is sometimes very helpful and may give you an idea where to look next.


-heather

Jennifer Halim Wed, 05/26/2010 - 03:13

If the webvpn web server resource that you are trying to reach is through the LAN-to-LAN VPN tunnel, then the connection will be sourced from the outside interface of the ASA where the crypto map is terminated towards the tunnel.


Your crypto ACL on this ASA should say: permit ip host host , and the mirror image ACL on the other side of the VPN tunnel (ie: permit ip host host )


You would also need to configure "same-security-traffic permit intra-interface" on the ASA.


Lastly, on the peer device, you would need to configure NAT exemption from the web server internal IP address towards the ASA outside IP address.


Hope that helps.
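
The steps in the reply above, written out as configuration. This is an added example, not part of the original post or from either poster. It assumes both ASAs run 8.3 or later; 198.51.100.1 is a placeholder for the hub ASA's outside IP, and the ACL, crypto map and object names, the sequence number and the `inside`/`outside` interface names on the peer are hypothetical. Only 10.0.36.10 comes from the thread.

```cisco
! --- Hub ASA (hosts the WebVPN portal) ---
! 198.51.100.1 = placeholder for this ASA's outside interface IP
same-security-traffic permit intra-interface
! Add the ASA-sourced flow to the ACL that the existing L2L crypto map matches.
! Host-to-host keeps the addition limited to the WebVPN proxy traffic.
access-list L2L_CRYPTO extended permit ip host 198.51.100.1 host 10.0.36.10
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! --- Peer ASA (web server 10.0.36.10 is behind it) ---
! Mirror-image crypto ACL entry
access-list L2L_CRYPTO extended permit ip host 10.0.36.10 host 198.51.100.1
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
! NAT exemption (identity NAT, 8.3+ syntax) from the server towards the hub's outside IP
object network WEB_SERVER
 host 10.0.36.10
object network HUB_ASA_OUTSIDE
 host 198.51.100.1
nat (inside,outside) source static WEB_SERVER WEB_SERVER destination static HUB_ASA_OUTSIDE HUB_ASA_OUTSIDE

! --- Check on either ASA after opening the portal bookmark ---
! Encaps/decaps counters for the new host-to-host SA should both increase
show crypto ipsec sa
```

If the peer runs a pre-8.3 image, the NAT exemption uses the older `nat (inside) 0 access-list` form instead of the object-based statement shown here.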
