Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

clientless vpn can't reach l2l lan?

The clientless vpn setup I have created allows (for example java rdp client) access to the inside network. However I'm unable to figure out how to provide access to the networks that are connected to the same device via a l2l or site to site vpn. I tried messing with adding split-tunnelling entries to no avail. I have also added the same-security-traffic permit commands which did not help. A lot of the troubleshooting articles seem to pertain to client based vpn connections where the remote computer actually gets assigned an IP address. The way I look at it with the clientless webpages and rdp-connections are essentially being proxied from the firewall itself. So to sum up: clientless can reach inside servers but not vpn'd in servers?

Cisco Employee

Re: clientless vpn can't reach l2l lan?


I've never done this before, but it should be possible. You probably need to modify your crypto map to allow the ASAs interface IP address to access networks across the VPN tunnel, as that is where the traffic would be initiated from.

New Member

Re: clientless vpn can't reach l2l lan?

Interesting, when I first started looking at this I decided to ask myself would the firewall's IP address be able to access the network in question. And at that time, I was using the Inside IP address and saying yes of course it does. But I, actually, have no idea what interface its trying to use. Could it have decided to use the outside ip address since the vpn is initiated on that interface? Does the firewall just plain not know what interface to use? These questions may be too hard to answer. But a seemingly easier problem that I realized I had after I posted was that I'm essentially having the same exact problem with the DMZ network created by this same firewall. The interface it imho should use is the one on the same network as the server in question. Even if it decided to use the inside interface it should in theory still have access to this network... I feel like the firewall is just not routing this webvpn traffic correctly at all and I don't know why. Oh and by the way the packet tracer from the ASDM 6.02 is useless in this situation because even in a situation that I know works. The packet tracer reports that the packet is dropped by implicit deny whenever you try to use the firewall's ip address.... Wow, sorry for the wordy response...