VPN User Cannot access across L2L tunnel

Hello Experts!
I have a Cisco ASA5520 utilizing WebVPN for remote access. We have established a LAN-to-LAN tunnel to a co-location. All works well from within the building: users are able to access both the local LANs and the tunnel to the co-lo. The only problem is, the VPN user cannot access across the L2L tunnel to the co-lo. The segments do not overlap; the WebVPN pool is 10.100.0.0/24 and the L2L tunnel IP segment is 192.168.100.0/24. I can ping the tunnel from the ASA with the ping inside command, or do an extended ping and it will work, but not from the VPN workstation. What am I missing?

Thanks
CM
Asked by ChasMarshall
1 Solution

bignewf commented:
Please send your config and we will solve this for you.

A couple of things to look at:

you need a nat0 statement permitting ip to the LAN network you cannot reach, i.e.

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.100.0.0 255.255.255.0

or access-list nonat extended permit ip any 10.100.0.0 255.255.255.0

also need the corresponding nat statement, which references the above access list:

nat (inside) 0 access-list nonat

check for this also:

access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.100.0.0 255.255.255.0

the above statement will have a crypto map id which corresponds to your other crypto map statements

without your config, this is all guesswork at this point.

ChasMarshall (author) commented:
Here is the config.

Thanks for looking at it.
ASA5520.txt

bignewf commented:
Forget the above statements: you are using WebVPN to access internal network resources, not the Cisco VPN client. I read it too quickly.

For WebVPN users to access internal network resources, it is done via port forwarding, so I will give you some sample commands and a PDF from Cisco with a more involved config.
Depending on what ports/services you want to forward, you will need to apply these to your WebVPN group policy, i.e.:

webvpn(config)# group-policy WebVpnUsers internal
webvpn(config)# group-policy WebVpnUsers attributes
webvpn(config-group-policy)# vpn-tunnel-protocol webvpn
webvpn(config-group-policy)# webvpn
webvpn(config-group-webvpn)# functions file-access file-entry file-browsing

The above enables a VPN user to browse, access, and write files on network shares.

To port forward:

webvpn(config)# group-policy WebVpnUsers attributes
webvpn(config-group-policy)# vpn-tunnel-protocol webvpn
webvpn(config-group-policy)# webvpn
webvpn(config-group-webvpn)# functions port-forward

Now you will need a list to assign to port forwarding, i.e. for an RDP server:

webvpn(config)# port-forward rdp_inside 1100 192.168.100.5 3389

This creates a list called rdp_inside that forwards local port 1100 to the RDP server at IP 192.168.100.5, port 3389.

Cisco recommends using local ports between 1024 and 65535 to avoid any conflicts with services that may be running on the client.

You then map your port list to a user group or user policy:

webvpn(config)# group-policy WebVpnUsers attributes
webvpn(config-group-policy)# vpn-tunnel-protocol webvpn
webvpn(config-group-policy)# webvpn
webvpn(config-group-webvpn)# port-forward value rdp_inside


When a user logs in to the WebVPN, they will see a default link "Start Application Access". This launches the port-forwarding applet, which is a Java applet on the client machine. It shows the IP address and port number that can be used for this WebVPN session.

These are just samples to use; you will need to configure URL mangling if you want users to browse intranet sites on the internal LAN.

I am uploading a sample PDF from Cisco using both the CLI and the ASDM GUI (much easier for WebVPN) to get you going with your configuration. This covers most of what you will need; if you have trouble after this, let me know.

webvpnasa.pdf

ChasMarshall (author) commented:
I was wanting the WebVPN users to be able to access all segments, i.e. 10.1.1.0/24, 10.100.0.0/24, 192.168.1.0/24 and 192.168.100.0/24 (the Rackspace tunnel). The mail server will be 192.168.100.197, for example.

They can reach everything inside, but they can't traverse the tunnel (192.168.100.0) to certain servers they will be putting on the .100 network. I hope I am not confusing you. Is there a global statement to cover the entire subnet?


Thanks for your help.

bignewf commented:
Have you tried this:

access-list inside_nat0_outbound extended permit ip any 10.100.0.0 255.255.255.0

access-list 100 permit ip any 10.100.0.0 255.255.255.0

Each ASA will need an extended IP access list to allow this network across the tunnel.

Generally, Cisco usually does not use "any" but will substitute the source network ID in its place.

My question: are you stating now that without port forwarding the WebVPN users can access services inside one tunnel? I see some commands for launching the port-forwarding Java applet, but I don't see all of them as I indicated in my last post, unless the whole config did not upload.

ChasMarshall (author) commented:
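The nat0 and crypto-ACL checks from the replies above, collected into one configuration for both ends of the tunnel. This is an added example, not bignewf's or ChasMarshall's config: it assumes the pre-8.3 ASA syntax the thread uses (nat (inside) 0 access-list), interface names inside/outside, a crypto map named outside_map, a remote-access group policy named RA_Policy, and that the co-lo end is also an ASA; the networks are the ones stated in the question.

```cisco
! Added example: pre-8.3 ASA syntax (as in the thread); names other than the
! networks from the question are assumed placeholders.
!
! ---- Headend ASA5520 (terminates the remote-access VPN and the L2L) ----
! Remote-access traffic arrives on "outside" and must leave on "outside" again
! to reach the co-lo, so intra-interface forwarding has to be allowed
same-security-traffic permit intra-interface
!
! NAT exemption: keep sources explicit instead of "any" so only the VPN pool
! and the inside LANs are exempted, not arbitrary outside hosts
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.100.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! Only needed if a dynamic NAT/PAT rule (or nat-control) applies to traffic
! entering "outside"; otherwise untranslated pool traffic passes as-is
access-list nonat_outside extended permit ip 10.100.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (outside) 0 access-list nonat_outside
!
! Crypto ACL: the VPN pool must be "interesting traffic" for the L2L, in
! addition to the inside LANs that already work
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.100.0.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
!
! If the remote-access group policy uses split tunneling, the co-lo segment
! has to be in the split-tunnel list or the client never sends it to the ASA
access-list split_tunnel standard permit 10.1.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
group-policy RA_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
!
! ---- Co-lo ASA (mirror image; this is the side that is easy to forget) ----
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.100.0.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.100.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
!
! Verification from the headend, run while a client holds the constructed pool
! address 10.100.0.5: the trace should reach the VPN/encrypt phase, and the
! L2L SA should list 10.100.0.0/24 <-> 192.168.100.0/24 as an identity pair
packet-tracer input outside icmp 10.100.0.5 8 0 192.168.100.197 detailed
show crypto ipsec sa | include ident
```

If the packet-tracer drops at the NAT or VPN phase, the missing piece is on the headend; if it encrypts but nothing comes back, compare the co-lo crypto ACL against the headend's, since the two must mirror each other exactly.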
Thanks for hanging in there bignewf. Great job!
Question has a verified solution.