Link to home
Start Free TrialLog in
Avatar of maho01
maho01

asked on

ASA 5505 issues, routing I guess..

I have these really annoying issues with an ASA5505..
When I connect using the cisco VP client I can access internal network and Lan2Lan networks but not the internet.
When I connect to WebVPN I can not access any sites.
I found that the problems must be routing related and that theory is somewhat proved if I add a default tunneling route WebVPN access will work but the route will break the VPN clients Lan2Lan network access. Sure this could be solved by using another box as a router but wy would I buy a firewall/gateway/vpn thing if it can't route..
So is there a magic setting somewhere in ASDM that says don't route packets going to either local och lan2lan networks (I do have exempt rules for these networks).
If I try to ping one of the lan2lan networks from the ASDM ping util it will fail and a route error is logged, can not find next hop, but the host on the LAN have no problem accessing the remote network so it does work the ASA box just don't know how to reach it..
Except the route error the debug logs shows nothing except build and teardown connections
ASKER CERTIFIED SOLUTION
Avatar of batry_boy
batry_boy
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of maho01
maho01

ASKER

The internet access for connecting VPN clients had a quite embarrassing solution, it works better if you enable NAT for the IP range used by connecting clients..

Just resetted the configuration so I have not tried webvpn yet, however I don't really understand how to set the routes, my ASA is the only local router and the webvpn targets are located at another site. The ASA does not have any routes to these sites since it by some magic knows that traffic to hosts in other sites should be tunneled, however noone seems to tell webvpn to tunnel that traffic. So how do I make wpnvpn understand that it should send traffic through the tunnels?
Avatar of maho01

ASKER

Just to let anyone that might care know, there is an enhancment request for this called,  CSCsc51918, with the title "Allow Clientless WebVPN to U-turn for service access through a L2L".

So WebVPN currently does not allow connections to web sites hosted on another site connected through lan2lan.
Avatar of maho01

ASKER

And what I forgot in my last post, to make webvpn access web site in remote location, add a router on the lan where the webvpn lives and just set routes to that router which has the ASA as default route and WebVPN should be able to access the website.