Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1883
Views
0
Helpful
2
Replies

ASA WebVPN + IPSEC Tunnel reachability issue

essen
Level 1
Level 1

‎05-25-2010 10:56 AM - edited ‎02-21-2020 04:40 PM

We have setup where an WebVPN Portal in an ASA5505 (version 8.3) contains a few web servers for test purposes. One of these web servers is placed behind a VPN-tunnel connected to this same ASA. (The tunnel terminates in another 5505). Anyway, WebVPN is fine in most cases but in this case it seems hard to get the traffic to go back into the other tunnel to reach the actual server. We have tried all kinds of NAT + ACL configs and even tried to NAT the server IP to an IP on the outside interface to get the traffic to return.  I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one? Has anyone understood how traffic is handled from the WebVPN engine so to speak? Grateful for all suggestions. This is a lab ASA so I cannot TAC for this issue. See attached schematic.

My closes bet is from the ASA Log where this traffic seem to be generating a spoof event. The actual problem server has an IP of 10.0.36.10 (but attached to a VPN Tunnel) and the internal Interface of the ASA is 10.0.254.1. This traffic should not be on this interface thats for sure...

2May 25 201019:36:15106016Deny IP spoof from (10.0.254.1) to 10.0.36.10 on interface inside

Labels:
Preview file
45 KB
0 Helpful
2 Replies 2

hdashnau
Cisco Employee
Cisco Employee

‎05-25-2010 11:18 AM

I can answer only part of this question for you...." I understand the ASA is a proxy in this regard and will source all  connections with its own IP. Question is which one?"

The ASA will do a route lookup on the destination (the server accross the L2L). Based on the route lookup it should select the interface. You can also use the "packet-tracer" command to get an idea of the flow through the ASA which is sometimes very helpful and may give you an idea where to look next.

-heather

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-26-2010 03:13 AM

If the webvpn web server resource that you are trying to reach is through the LAN-to-LAN VPN tunnel, then the connection will be sourced from the outside interface of the ASA where the crypto map is terminated towards the tunnel.

Your crypto ACL on this ASA should say: permit ip host host , and the mirror image ACL on the other side of the VPN tunnel (ie: permit ip host host )

You would also need to configure "same-security-traffic permit intra-interface" on the ASA.

Lastly, on the peer device, you would need to configure NAT exemption from the web server internal IP address towards the ASA outside ip address.

Hope that helps.

0 Helpful
Customers Also Viewed These Support Documents