Cisco Support Community

New Member

ASA WebVPN + IPSEC Tunnel reachability issue

We have a setup where a WebVPN Portal on an ASA5505 (version 8.3) contains a few web servers for test purposes. One of these web servers is placed behind a VPN tunnel connected to this same ASA. (The tunnel terminates in another 5505.) Anyway, WebVPN is fine in most cases, but in this case it seems hard to get the traffic to go back into the other tunnel to reach the actual server. We have tried all kinds of NAT + ACL configs and even tried to NAT the server IP to an IP on the outside interface to get the traffic to return. I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one? Has anyone understood how traffic is handled from the WebVPN engine, so to speak? Grateful for all suggestions. This is a lab ASA so I cannot TAC for this issue. See attached schematic.

My closest bet is from the ASA log, where this traffic seems to be generating a spoof event. The actual problem server has an IP of 10.0.36.10 (but attached to a VPN tunnel) and the internal interface of the ASA is 10.0.254.1. This traffic should not be on this interface, that's for sure...

Severity 2 | May 25 2010 | 19:36:15 | 106016 | Deny IP spoof from (10.0.254.1) to 10.0.36.10 on interface inside

2 REPLIES
Cisco Employee

Re: ASA WebVPN + IPSEC Tunnel reachability issue

I can answer only part of this question for you... "I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one?"

The ASA will do a route lookup on the destination (the server across the L2L). Based on the route lookup it should select the interface. You can also use the "packet-tracer" command to get an idea of the flow through the ASA, which is sometimes very helpful and may give you an idea where to look next.

-heather

Cisco Employee

Re: ASA WebVPN + IPSEC Tunnel reachability issue

If the webvpn web server resource that you are trying to reach is through the LAN-to-LAN VPN tunnel, then the connection will be sourced from the outside interface of the ASA where the crypto map is terminated towards the tunnel.

Your crypto ACL on this ASA should say: permit ip host host , and the mirror image ACL on the other side of the VPN tunnel (i.e., permit ip host host )

You would also need to configure "same-security-traffic permit intra-interface" on the ASA.

Lastly, on the peer device, you would need to configure NAT exemption from the web server internal IP address towards the ASA outside ip address.

Hope that helps.
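The steps in this reply, together with the packet-tracer check suggested in the first reply, written out as an added example. This is not configuration from the thread or from Cisco; it uses the addresses the question gives (web server 10.0.36.10, WebVPN ASA inside interface 10.0.254.1) and placeholders for everything the thread omits: the WebVPN ASA's outside address (203.0.113.10), its outside next hop (203.0.113.1), and the ACL and object names. The static route is an assumption: the first reply says the egress interface comes from a route lookup, so the server must be reachable via outside for the connection to be sourced from the outside address.

```cisco
! Added example, not from the thread. Placeholder addresses: 203.0.113.10 is
! the WebVPN ASA's outside IP, 203.0.113.1 its outside next hop.
!
! ==== WebVPN ASA (the 5505 running the portal, ASA 8.3) ====
!
! Assumption: the route lookup for the server has to resolve to the outside
! interface. If it resolves to inside, the connection is sourced from
! 10.0.254.1, consistent with the 106016 "IP spoof" log in the question.
route outside 10.0.36.10 255.255.255.255 203.0.113.1
!
! The WebVPN session arrives on outside and the proxied connection leaves
! on outside again (into the L2L tunnel), so hairpinning must be permitted.
same-security-traffic permit intra-interface
!
! Crypto ACL: this ASA's outside IP to the web server. Add this line to the
! match ACL of the existing crypto map (name assumed here).
access-list L2L_TUNNEL_ACL extended permit ip host 203.0.113.10 host 10.0.36.10
!
! ==== Peer ASA (the 5505 where 10.0.36.10 lives) ====
!
! Mirror image of the crypto ACL.
access-list L2L_TUNNEL_ACL extended permit ip host 10.0.36.10 host 203.0.113.10
!
! NAT exemption in 8.3 twice-NAT syntax: the server's replies to the WebVPN
! ASA's outside IP must not be translated before they match the crypto ACL.
object network WEB_SERVER
 host 10.0.36.10
object network WEBVPN_ASA_OUTSIDE
 host 203.0.113.10
nat (inside,outside) source static WEB_SERVER WEB_SERVER destination static WEBVPN_ASA_OUTSIDE WEBVPN_ASA_OUTSIDE
!
! ==== Checks ====
!
! On the peer: simulate the server's reply entering inside and confirm that
! the NAT and VPN phases both report ALLOW and the egress interface is outside.
packet-tracer input inside tcp 10.0.36.10 80 203.0.113.10 1025 detailed
!
! On either ASA: the IPsec SA should list the host-to-host proxy identities
! from the crypto ACL, with the encaps/decaps counters increasing.
show crypto ipsec sa
```

The packet-tracer run is done on the peer rather than on the WebVPN ASA because packet-tracer simulates a packet entering an interface, and the proxied WebVPN connection is generated by the ASA itself; the reply direction from the server is the leg that can be traced and it exercises both the NAT exemption and the crypto ACL match.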
