cisco asa webvpn connect through asa-to-asa tunnel

Posted on 2011-03-20
Medium Priority
Last Modified: 2012-06-21
Users connecting to one ASA can ping hosts local to that ASA, but not hosts on the other side of an ASA-to-ASA tunnel.

webvpn pool:

webvpn pool:

The 2 ASAs are connected via an IPsec tunnel.  WebVPN users can ping hosts on the inside of the ASA to which they connect (i.e., if I webvpn to ASA1, I can ping ServerA, and if I connect to ASA2, I can ping Server2).

I can't ping ServerB on ASA2 from a webvpn connection to ASA1.

I have nat 0 ACLs for the webvpn pool destined for the inside subnet on the remote ASA, and also in the crypto map match address.  I also have the remote subnet included in the split-tunnel policy for webvpn connections.

When I make a webvpn connection to the ASA, the crypto ipsec sa for the ASA-ASA tunnel adds a policy for the local webvpn user to the remote ASA (e.g., local: ; remote: ); however, there are no encrypts/encaps on the webvpn side, which leads me to believe the packets are not getting considered interesting when coming from webvpn users destined for the remote ASA subnet.

A packet-trace suggests the same thing, as it allows the packet, but says it's destined for the outside interface.

What am I missing?  Thanks.

Should this work?
Question by:snowdog_2112
LVL 18

Expert Comment

ID: 35177852
I think you're on the right track, but without seeing the full config it's hard to be sure.  I suspect the traffic from the WebVPN client is not being considered "interesting" and it's not going through the tunnel.

Author Comment

ID: 35180346
I had used different IPs in my example for simplicity.  Here is the config, which I've also edited to replace usernames and actual public IPs.  One noticeable difference (hopefully this isn't the deal-breaker) is that the ASA2 internal network is a /16 subnet.

My webvpn client gets a 10.223.1.x address, and I can reach hosts on ASA1.  ASA2 is connected via the tunnel, and hosts on either side can reach the other side.

As mentioned, my crypto ipsec SAs have route policies for the webvpn pool to the remote side (local: , remote: ).  I can trace from the webvpn client to the remote side, and it gets handled as split-tunnel traffic and does not use my internet gateway, so it's getting into the ASA.

hostname asa
domain-name mydomain.local
enable password * encrypted
passwd * encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name mydomain.local
dns server-group WhiteWaterDNS
 domain-name mydomain2.local
dns server-group mat-inside-dns
 domain-name mydomain2.local
access-list asa_tunnel extended permit ip
access-list asa_tunnel extended permit ip
access-list asa_tunnel extended permit ip
access-list asa_tunnel extended permit ip 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any host eq smtp
access-list outside_access_in extended permit tcp any host eq https
access-list outside_access_in extended permit tcp any host eq www
access-list NONAT extended permit ip
access-list NONAT extended permit ip
access-list NONAT extended permit ip
access-list NONAT extended permit ip
access-list NONAT extended permit ip
access-list split-tunnel standard permit
access-list split-tunnel standard permit
access-list split-tunnel standard permit
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool
ip local pool vpnp2
icmp unreachable rate-limit 1 burst-size 1
icmp permit inside
icmp permit inside
icmp permit any inside
icmp permit outside
icmp permit outside
icmp permit host outside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp smtp smtp netmask
static (inside,outside) tcp https https netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 40 match address asa_tunnel
crypto map outside_map 40 set peer
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 86400
telnet inside
telnet timeout 60
ssh inside
ssh inside
ssh outside
ssh timeout 60
console timeout 0
dhcpd dns
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd option 3 ip
dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
 svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 5
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 6
 svc enable
group-policy wwwGrp internal
group-policy wwwGrp attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value mydomain2.local
  url-list none
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
group-policy InternalITGrp internal
group-policy InternalITGrp attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value mydomain2.local
  url-list none
  svc ask enable default webvpn
group-policy IntDomainWebGrp internal
group-policy IntDomainWebGrp attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  url-list none
  port-forward disable
  http-proxy disable
  svc ask enable default webvpn
  http-comp gzip
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  smart-tunnel auto-signon disable
group-policy mydomain2vpn internal
username wwwvpn password ** encrypted
username wwwvpn attributes
 vpn-group-policy wwwGrp
username InternalITUser password ** encrypted privilege 15
username InternalITUser attributes
 vpn-group-policy InternalITGrp

username itsupport password ** encrypted privilege 15
username itsupport attributes
 vpn-group-policy wwwGrp
 service-type admin
username external_user password ** encrypted
username external_user attributes
 vpn-group-policy wwwGrp
 service-type admin
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnp2
 default-group-policy mydomain2vpn
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group LocalAuthSSL type remote-access
tunnel-group LocalAuthSSL general-attributes
 default-group-policy IntDomainWebGrp
tunnel-group InternalIT type remote-access
tunnel-group InternalIT general-attributes
 address-pool vpnp2
 default-group-policy InternalITGrp
tunnel-group InternalIT webvpn-attributes
 group-alias sslgroup_users enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end

Author Comment

ID: 35189548
Update:  I put a packet capture on the inside interface of the local ASA (the one terminating the webvpn connection).  If I ping from the webvpn client to a local host, I see the packets.  If I try to ping a host on the other side of the ASA-ASA tunnel, the local packet cap does not register any packets.

That suggests that it is a split tunnel issue, but my local route table on the webvpn client looks correct.  A continuous ping with the tunnel up and then dropped (while the ping is still running) shows a time out and then the client's gateway replies "destination unreachable" when the tunnel is dropped.

It seems like the webvpn client is sending the traffic into the tunnel, but the ASA does not see it.
LVL 18

Accepted Solution

jmeggers earned 2000 total points
ID: 35193833
Check your ACLs for your interesting traffic.  I see both 10.222.x.x and 10.233.x.x, but not consistently.  Also make sure the ASA at the other end is set to encrypt traffic to and from the correct networks.  That's the most typical mistake that causes things like this.
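The consistency check jmeggers describes, as an added example that is not part of the thread: a small Python script that parses the "permit ip" entries of each ASA's crypto ACL, lists entries with no mirrored entry on the peer, and confirms that the WebVPN pool matches an entry toward the remote subnet. The ACL text and addresses below are constructed placeholders (in the 10.222/10.223/10.233 ranges the thread mentions), not the poster's configuration.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (not the poster's config). Assumed layout:
# ASA1 inside 10.222.1.0/24, WebVPN pool 10.223.1.0/24; ASA2 inside 10.233.0.0/16.
ASA1_ACL = """
access-list asa_tunnel extended permit ip 10.222.1.0 255.255.255.0 10.233.0.0 255.255.0.0
access-list asa_tunnel extended permit ip 10.223.1.0 255.255.255.0 10.233.0.0 255.255.0.0
"""
# ASA2's second entry carries a deliberate typo (10.232 instead of 10.223):
# the pool traffic is never "interesting" on the far side, so it is dropped.
ASA2_ACL = """
access-list asa_tunnel extended permit ip 10.233.0.0 255.255.0.0 10.222.1.0 255.255.255.0
access-list asa_tunnel extended permit ip 10.233.0.0 255.255.0.0 10.232.1.0 255.255.255.0
"""

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_aces(config):
    """Return {(src_net, dst_net)} for every 'permit ip A MASK B MASK' entry."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                       ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def mirror_gaps(acl_a, acl_b):
    """Entries on each side whose exact mirror (dst, src) is absent on the other.
    Returns (missing on B, missing on A) as sorted 'src->dst' strings."""
    a, b = parse_aces(acl_a), parse_aces(acl_b)
    return (sorted(f"{s}->{d}" for s, d in a if (d, s) not in b),
            sorted(f"{s}->{d}" for s, d in b if (d, s) not in a))

def pool_is_interesting(acl, pool, remote_net):
    """True if some entry matches pool -> remote_net (so the crypto map picks it up)."""
    pool, remote_net = ipaddress.ip_network(pool), ipaddress.ip_network(remote_net)
    return any(pool.subnet_of(s) and remote_net.subnet_of(d)
               for s, d in parse_aces(acl))

if __name__ == "__main__":
    on_asa2, on_asa1 = mirror_gaps(ASA1_ACL, ASA2_ACL)
    print("ASA1 entries with no mirror on ASA2:", on_asa2)
    print("ASA2 entries with no mirror on ASA1:", on_asa1)
    print("ASA1 pool->remote interesting:",
          pool_is_interesting(ASA1_ACL, "10.223.1.0/24", "10.233.0.0/16"))
    print("ASA2 remote->pool interesting:",
          pool_is_interesting(ASA2_ACL, "10.233.0.0/16", "10.223.1.0/24"))
```

Run it against both ASAs' crypto ACLs (and the same parser works for the NONAT list) to spot the single mistyped octet that the closing comment confirms was the cause.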

Author Closing Comment

ID: 35334798
Yes, it was a typo in the ACL.  Working now.  Thanks.
