The clientless VPN setup I have created allows access (for example with the Java RDP client) to the inside network. However, I'm unable to figure out how to provide access to the networks that are connected to the same device via an L2L (site-to-site) VPN. I tried adding split-tunnelling entries, to no avail. I have also added the same-security-traffic permit commands, which did not help. A lot of the troubleshooting articles seem to pertain to client-based VPN connections where the remote computer actually gets assigned an IP address. The way I look at it, with clientless the web pages and RDP connections are essentially being proxied from the firewall itself. So, to sum up: clientless can reach inside servers but not servers on the networks that are VPN'd in?
I've never done this before, but it should be possible. You probably need to modify your crypto map to allow the ASA's interface IP address to access networks across the VPN tunnel, as that is where the traffic would be initiated from.
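A concrete version of the crypto-map change suggested in that reply, added here as an example and not part of the original thread. It assumes a pair of ASAs with a local LAN of 10.1.1.0/24, a remote LAN of 10.2.2.0/24, a local outside address of 203.0.113.10 and a peer at 198.51.100.20, and it assumes that the ASA sources the proxied clientless connection from the address of the interface through which the tunnel is reached (the outside interface). The ACL, crypto-map and transform-set names are made up; lines starting with `!` are comments.

```cisco
! --- Before: the interesting-traffic ACL covers only the inside LAN ---
! Proxied clientless (WebVPN) sessions originate on the ASA itself, so
! they never match this ACL and are never sent through the tunnel.
access-list L2L_TO_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! --- After: also permit the ASA's own interface address as a source ---
! (assumed outside address 203.0.113.10; use whichever interface the
! route to 10.2.2.0/24 points out of)
access-list L2L_TO_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_TO_BRANCH extended permit ip host 203.0.113.10 10.2.2.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address L2L_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- On the peer (198.51.100.20) the ACL must be the mirror image, or
! --- phase 2 will not negotiate for the new host-to-network proxy identity
access-list L2L_TO_HQ extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L_TO_HQ extended permit ip 10.2.2.0 255.255.255.0 host 203.0.113.10

! --- Checks: after a clientless user opens a connection to a 10.2.2.x host,
! a second IPsec SA pair should appear whose local identity is the host
! entry, and the session itself is visible in the WebVPN session table
show crypto ipsec sa peer 198.51.100.20
show vpn-sessiondb webvpn
```

The crypto ACL only governs new security associations, so an SA that was already up before the edit will not carry the proxy identity until it is renegotiated (for example with `clear crypto ipsec sa peer 198.51.100.20`). If the proxied traffic turns out to be sourced from a different interface than assumed, the `show crypto ipsec sa` output will show no SA for the host entry at all; in that case change the `host` address to that interface's address on both sides rather than widening the ACL.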
Interesting. When I first started looking at this I asked myself whether the firewall's IP address would be able to access the network in question. At that time I was using the inside IP address and saying yes, of course it does. But I actually have no idea what interface it's trying to use. Could it have decided to use the outside IP address, since the VPN is initiated on that interface? Does the firewall just plain not know what interface to use? These questions may be too hard to answer.

But a seemingly easier problem that I realized I had after I posted is that I'm having essentially the same problem with the DMZ network created by this same firewall. The interface it should use, IMHO, is the one on the same network as the server in question. Even if it decided to use the inside interface it should, in theory, still have access to this network... I feel like the firewall is just not routing this WebVPN traffic correctly at all, and I don't know why.

Oh, and by the way, the packet tracer from ASDM 6.02 is useless in this situation, because even in a situation that I know works, the packet tracer reports that the packet is dropped by the implicit deny whenever you try to use the firewall's IP address.... Wow, sorry for the wordy response...