We have a setup where a WebVPN Portal on an ASA5505 (version 8.3) contains a few web servers for test purposes. One of these web servers is placed behind a VPN tunnel connected to this same ASA. (The tunnel terminates in another 5505.) Anyway, WebVPN is fine in most cases but in this case it seems hard to get the traffic to go back into the other tunnel to reach the actual server. We have tried all kinds of NAT + ACL configs and even tried to NAT the server IP to an IP on the outside interface to get the traffic to return. I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one? Has anyone understood how traffic is handled from the WebVPN engine, so to speak? Grateful for all suggestions. This is a lab ASA so I cannot TAC for this issue. See attached schematic.
My closest bet is from the ASA log, where this traffic seems to be generating a spoof event. The actual problem server has an IP of 10.0.36.10 (but attached to a VPN tunnel) and the internal interface of the ASA is 10.0.254.1. This traffic should not be on this interface, that's for sure...
May 25 2010 Deny IP spoof from (10.0.254.1) to 10.0.36.10 on interface inside
I can answer only part of this question for you: "I understand the ASA is a proxy in this regard and will source all connections with its own IP. Question is which one?"
The ASA will do a route lookup on the destination (the server across the L2L). Based on the route lookup it should select the interface. You can also use the "packet-tracer" command to get an idea of the flow through the ASA, which is sometimes very helpful and may give you an idea where to look next.
If the webvpn web server resource that you are trying to reach is through the LAN-to-LAN VPN tunnel, then the connection will be sourced from the outside interface of the ASA where the crypto map is terminated towards the tunnel.
Your crypto ACL on this ASA should say: permit ip host host , and the mirror image ACL on the other side of the VPN tunnel (i.e. permit ip host host )
You would also need to configure "same-security-traffic permit intra-interface" on the ASA.
Lastly, on the peer device, you would need to configure NAT exemption from the web server internal IP address towards the ASA outside ip address.
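The three pieces above (crypto ACL sourced from the hub's outside IP, intra-interface hairpin, NAT exemption on the peer), written out as an added configuration example that is not from the thread. It assumes ASA 8.3 object-based NAT on both boxes, that the tunnel's IKE policy, transform set and crypto map already exist, and uses angle-bracket placeholders for the two outside addresses and the object/ACL names, none of which appear in the post.

```cisco
! ===== Hub ASA (hosts the WebVPN portal; 10.0.254.1 is its inside IP) =====
! WebVPN-proxied connections toward the L2L are sourced from the outside
! interface, so the interesting-traffic ACL must name that address, not
! the inside IP (the "Deny IP spoof from 10.0.254.1" log shows the wrong one).
access-list L2L_TO_SPOKE extended permit ip host <HUB_OUTSIDE_IP> host 10.0.36.10
!
! The proxied flow enters and leaves the same (outside) interface.
same-security-traffic permit intra-interface
!
! Bind the ACL to the existing crypto map entry for this peer (names assumed).
crypto map OUTSIDE_MAP 10 match address L2L_TO_SPOKE
crypto map OUTSIDE_MAP 10 set peer <SPOKE_OUTSIDE_IP>

! ===== Spoke ASA (10.0.36.10 sits on its inside) =====
object network WEB_SERVER
 host 10.0.36.10
object network HUB_OUTSIDE
 host <HUB_OUTSIDE_IP>
!
! Mirror image of the hub's crypto ACL.
access-list L2L_TO_HUB extended permit ip host 10.0.36.10 host <HUB_OUTSIDE_IP>
crypto map OUTSIDE_MAP 10 match address L2L_TO_HUB
crypto map OUTSIDE_MAP 10 set peer <HUB_OUTSIDE_IP>
!
! 8.3 identity (twice) NAT: exempt server -> hub outside IP from any
! dynamic PAT so the return traffic still matches the crypto ACL.
nat (inside,outside) source static WEB_SERVER WEB_SERVER destination static HUB_OUTSIDE HUB_OUTSIDE

! ===== Check on the spoke: simulate the server's reply toward the hub =====
! Expect phases NAT (the identity rule above) and VPN / encrypt, result ALLOW.
packet-tracer input inside tcp 10.0.36.10 80 <HUB_OUTSIDE_IP> 12345
```

If the packet-tracer output shows the flow hitting a dynamic NAT rule or no VPN encrypt phase, the identity NAT line or the crypto ACL is the mismatch to fix.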