VPN User Cannot access across L2L tunnel

Posted on 2009-02-19
Medium Priority
Last Modified: 2012-05-06
Hello Experts!
I have a Cisco ASA5520 utilizing WebVPN for remote access.  We have established a Lan-to-Lan tunnel to a co-location. All works well from within the building, users are able to access both the local LANs and the tunnel to the co-lo. Only problem is, the vpn user cannot access across the L2L tunnel to the co-lo. The segments do not overlap, webvpn pool is The L2L tunnel IP segment is    I can ping the tunnel from the ASA ping inside command, or do an extended ping it will work, but not from the vpn workstation.  What am I missing?

Question by:ChasMarshall
  • 3
  • 3
LVL 15

Expert Comment

ID: 23687118
Please send you config and we will solve this for you.

A couple of things to look at:

you need a nat0 statement  permitting ip to the lan network you cannot reach i.e

access-list nonat extended permit ip 192.168.1100.0

or access-list nonat extended permit ip any

also need:
corresponding nat (inside) o access-list nonat    which corresponds to above above access list

check for this also:

access-list outside_cryptomap extended permit ip

the above statement will have a cryptomap id which corresponds to your other cryptomap statements

without your config, this is all guesswork at this point

Author Comment

ID: 23687220
Here is the config.

Thanks for looking at it.
LVL 15

Expert Comment

ID: 23687605
Forget the above statements, as you are using webvpn to access internal network resources, not the cisco vpn client as I read it too quickly

For webvpn users to access internal network resources, it is done via port forwarding, so I will give you some sample commands and a pdf from cisco with a more involved config
Depending on what ports/services you want to forward, you will need to apply these to your webvpn group policy:


webvpn(config)# group-policy WebVpnUsers internal
webvpn(config)# group-policy WebVpnUsers attributes
webvpn(config-group-policy) # vpn-tunnel-protocol webvpn
webvpn(config-group-policy) # webvpn
webvpn(config-group-webvpn) #functions file-access file-entry file-browsing

the above  enables a vpn user to browse, access, and write files to network shares

To port forward:

webvpn(config)# group-policy WebVpnUsers attributes
webvpn(config-group-policy) # vpn-tunnel-protocol webvpn
webvpn(config-group-policy) # webvpn
webvpn(config-group-webvpn) # functions port- forward
now you will need a list to assign to port forwarding to:

i.e  for an rdp server
webvpn(config)#port-forward  rdp_inside 1100  3389
this creates a list called rdp_inside to forward info about an rdp server at ip

cisco recommends using ports between 1024 and 65535 to avoid any conflicts with services that may be running on your network

you then map your port list to a user group or user policy:

webvpn(config)# group-policy WebVpnUsers attributes
webvpn(config-group-policy) # vpn-tunnel-protocol webvpn
webvpn(config-group-policy) # webvpn
webvpn(config-group-webvpn) #  port- forward value  rdp_inside

When a user logs in to the webvpn,  they will see a default link Start application Access This launches the port forwarding applet which is a JAVA applet on the client machine. It shows the IP address and port number that can be used for this webvpn session

These are just samples to use, you will need to configure URL mangling if you want users to browse intranet sites on the internal LAN

I am uploading a sample pdf from cisco using both the CLI and ASDM gui (much easier for webvpn) to get you going with your configuration  This covers most of what you will need, if you have trouble after this, let me know

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.


Author Comment

ID: 23687703
I was wanting the webvpn users to be able to access all segments i.e.,, and (the rackspace tunnel)  The mail server will be for example.

They can reach everyting inside, but they can't traverse the tunnel ( to certain servers they will be putting on the .100 network.  I hope I am not confusing you. Is there a global statement to cover the entire subnet?

Thanks for your help.
LVL 15

Accepted Solution

bignewf earned 2000 total points
ID: 23687855
have you tried this:
access-list inside_nat0_outbound extended permit ip any

access-list 100 permit ip any

each asa will need an extended ip access-list to allow this network across the tunnel

generally, cisco usually does not use "any" but will substitue the source network id in its place

My question - are you stating now that without port-forwarding the webvpn users can access services inside one tunnel? I see some commands for launching teh   port-forwarding java applet, but I don't see all of them as I indicated in my last post, unless the whole config did not upload

Author Closing Comment

ID: 31549008
Thanks for hanging in there bignewf. Great job!

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month15 days, 9 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question