Cisco ASA WebVPN connect through ASA-to-ASA tunnel
Posted on 2011-03-20
Users connecting to one ASA can ping hosts local to that ASA, but not hosts on the other side of an ASA-to-ASA tunnel.
webvpn pool: 10.100.1.1/24
webvpn pool: 10.200.1.1/24
The two ASAs are connected via an IPsec tunnel. WebVPN users can ping hosts on the inside of the ASA to which they connect (i.e., if I WebVPN to ASA1, I can ping ServerA, and if I connect to ASA2, I can ping ServerB).
I can't ping ServerB on ASA2 from a WebVPN connection to ASA1.
I have nat 0 ACLs for the WebVPN pool destined for the inside subnet on the remote ASA, and the same entries in the crypto map match address ACL. I also have the remote subnet included in the split-tunnel policy for WebVPN connections.
When I make a WebVPN connection to one ASA, the crypto IPsec SA for the ASA-to-ASA tunnel adds a policy for the local WebVPN user to the remote ASA (e.g., local: 10.100.1.0/24; remote: 10.10.2.0/24). However, there are no encrypts/encaps on the WebVPN side, which leads me to believe the packets are not being considered interesting when coming from WebVPN users destined for the remote ASA subnet.
A packet-tracer run suggests the same thing: it allows the packet, but says it is destined for the outside interface.
What am I missing? Thanks.
Should this work?
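As an added example (not from the poster), here is the set of pieces the post describes laid out on ASA1 in pre-8.3 syntax (matching the "nat 0" wording), plus the one statement a WebVPN-to-L2L hairpin also depends on and which the post does not mention: `same-security-traffic permit intra-interface`. A WebVPN user's packet arrives on the outside interface and, to reach the remote subnet, must leave through that same outside interface into the L2L tunnel; without the intra-interface permit the ASA drops that flow before the crypto map ever sees it, which matches "no encaps" on the WebVPN side. Everything here other than the subnets given in the post (pools 10.100.1.0/24 and 10.200.1.0/24, ASA2 inside 10.10.2.0/24) is an assumption: ASA1's inside subnet 10.10.1.0/24, the peer address 203.0.113.2, and the object and ACL names.

```cisco
! ---- ASA1 (pre-8.3 NAT syntax), added example, all names and non-posted addresses assumed ----
! Assumed: ASA1 inside 10.10.1.0/24, ASA2 inside 10.10.2.0/24 (from post),
! ASA1 WebVPN pool 10.100.1.0/24 (from post), ASA2 outside peer 203.0.113.2.

! Traffic that enters and leaves on the same interface (outside -> tunnel on outside)
! is dropped unless this is present. Check it with: show running-config same-security-traffic
same-security-traffic permit intra-interface

ip local pool WEBVPN_POOL 10.100.1.1-10.100.1.254 mask 255.255.255.0

! NAT exemption for the inside subnet: to ASA2's inside and to the local WebVPN pool
access-list NAT0_INSIDE extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list NAT0_INSIDE extended permit ip 10.10.1.0 255.255.255.0 10.100.1.0 255.255.255.0
nat (inside) 0 access-list NAT0_INSIDE

! NAT exemption for the WebVPN pool itself: its packets arrive on outside, so the
! exemption has to be bound to outside, not inside
access-list NAT0_OUTSIDE extended permit ip 10.100.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (outside) 0 access-list NAT0_OUTSIDE

! Crypto ACL: both the inside subnet and the WebVPN pool must be "interesting" toward ASA2
access-list L2L_ASA2 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list L2L_ASA2 extended permit ip 10.100.1.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_ASA2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Split tunnel: the remote inside subnet must be pushed to the client or it never sends the packet
access-list SPLIT_TUNNEL standard permit 10.10.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.2.0 255.255.255.0
group-policy WEBVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value WEBVPN_POOL

! ---- ASA2 mirror (only the lines that differ) ----
! ASA2's crypto ACL and inside NAT exemption must include ASA1's WebVPN pool as a source/destination,
! otherwise ASA2 rejects the 10.100.1.0/24 <-> 10.10.2.0/24 proxy ID and return traffic gets NATed.
! access-list L2L_ASA1 extended permit ip 10.10.2.0 255.255.255.0 10.100.1.0 255.255.255.0
! access-list NAT0_INSIDE extended permit ip 10.10.2.0 255.255.255.0 10.100.1.0 255.255.255.0
```

To confirm which stage is dropping the flow, run `packet-tracer input outside icmp 10.100.1.10 8 0 10.10.2.20` on ASA1 (addresses assumed) and read the phase that reports the drop: a failure in the "IP-OPTIONS"/route-lookup or "NAT" phase with the packet pointed back at outside is the hairpin or NAT-exemption problem, whereas a result that reaches a "VPN" encrypt phase means the crypto ACL is matched and the remaining work is on ASA2's side of the mirror.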