https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445147#M268732 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are the VPN users connecting to the ASA or some other device?</P><P></P><P>Also why would the traffic be <STRONG>"inside"</STRONG> to <STRONG>"inside"</STRONG>? If the connections are coming to the ASA then it would usually be <STRONG>"outside"</STRONG> to <STRONG>"inside"</STRONG> since the VPN Clients would be located behind the <STRONG>"outside"</STRONG> interface from ASAs perspective.</P><P></P><P>If the situation was that the VPN was on another device than this ASA and both of the networks were behind the <STRONG>"inside" </STRONG>interface then the traffic should not even go through the ASA.</P><P></P><P>Maybe you could share the <STRONG>"packet-tracer"</STRONG> output from the CLI of the ASA so we could see what you mean.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 03 Mar 2014 13:54:09 GMT Jouni Forss 2014-03-03T13:54:09Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445146#M268730 <P>Anytime I have internal websites with HTTPS connections that do not have valid certificates, our VPN users are unable to make a connection. The wireshark trace shows acknowlegement number = broken TCP.&nbsp; I have run Packet Tracer and it shows a problem on my DMZ???? not sure why as the traffic flow is inside to inside interface. <SPAN style="font-size: 10pt;">I am at a total lost as to why...</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">+++++++++++++++++++++++++++++++</SPAN></P><P></P><P>ASA 5520 with 8.4(1) code</P><P></P><P>VPN Addressing = 172.25.17.0/24</P><P>HTTP Server = 172.18.2.13 (port 8443) </P><P></P><P>Can ping by IP Address or by server name</P><P>Can access site internally after responding to the Certificate Warning</P><P></P><P>++++++++++++++++++++++++++++</P><P></P><P>Any help is greatly appreciated!</P><P></P><P>Dave</P> Tue, 12 Mar 2019 03:52:51 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445146#M268730 dmooregfb 2019-03-12T03:52:51Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445147#M268732 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are the VPN users connecting to the ASA or some other device?</P><P></P><P>Also why would the traffic be <STRONG>"inside"</STRONG> to <STRONG>"inside"</STRONG>? If the connections are coming to the ASA then it would usually be <STRONG>"outside"</STRONG> to <STRONG>"inside"</STRONG> since the VPN Clients would be located behind the <STRONG>"outside"</STRONG> interface from ASAs perspective.</P><P></P><P>If the situation was that the VPN was on another device than this ASA and both of the networks were behind the <STRONG>"inside" </STRONG>interface then the traffic should not even go through the ASA.</P><P></P><P>Maybe you could share the <STRONG>"packet-tracer"</STRONG> output from the CLI of the ASA so we could see what you mean.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 03 Mar 2014 13:54:09 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445147#M268732 Jouni Forss 2014-03-03T13:54:09Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445148#M268734 <HTML><HEAD></HEAD><BODY><P>Also,</P><P></P><P>Now that I look at it, You mention above that the port on the server is TCP/8443 but the port in the capture is TCP/443 ?</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 03 Mar 2014 13:56:52 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445148#M268734 Jouni Forss 2014-03-03T13:56:52Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445149#M268737 <HTML><HEAD></HEAD><BODY><P>Jouni, let me clear up a few here:</P><P></P><UL><LI><SPAN style="font-size: 10pt;">VPN users inbound on outside2 to inside interfaces (misquote)</SPAN></LI><LI><SPAN style="font-size: 10pt;">This is the URL when converted (after accepting the non-certificate message); so this is somewhat of confusion for the TCP/8443 and TCP/443</SPAN></LI><LI><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><SPAN style="font-size: 10pt;"><A class="jive-link-external-small" href="https://172.18.2.13:8443/appadmin/main">https://172.18.2.13:8443/appadmin/main</A></SPAN></LI><LI><SPAN style="font-size: 10pt;">adding a .png of the packet trace.</SPAN></LI></UL><P></P><P>Dave<IMG src="https://community.cisco.com/legacyfs/online/legacy/9/2/7/182729-Packet%20trace%20-%201.png" alt="Packet trace - 1.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P></BODY></HTML> Mon, 03 Mar 2014 14:08:04 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445149#M268737 dmooregfb 2014-03-03T14:08:04Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445150#M268747 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The UN-NAT is the most essential part of that output and its the only thing that is not showing <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>But I would have to guess that the destination IP address of the above packet matches a NAT configurations and this NAT configuration then overrides the actual interface to which the packet should be forwarded to.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 03 Mar 2014 14:12:39 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445150#M268747 Jouni Forss 2014-03-03T14:12:39Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445151#M268754 <HTML><HEAD></HEAD><BODY><P>Here is the expanded version </P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/0/3/7/182730-Packet%20trace%20-%202.png" alt="Packet trace - 2.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P></BODY></HTML> Mon, 03 Mar 2014 14:16:45 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445151#M268754 dmooregfb 2014-03-03T14:16:45Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445152#M268757 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The NAT configuration mentioned in your screencapture is the configuration that causes all traffic from the VPN users to be diverted to the <STRONG>"HomeOffice"</STRONG> interface because <STRONG>"any any"</STRONG> is configured</P><P></P><P>You would either have to make the above rule more specific by removing the <STRONG>"any any"</STRONG> and adding the actual networks</P><P></P><P>OR </P><P></P><P>You could add a new rule BEFORE the above mentioned NAT configurations</P><P></P><P></P><P>I am not sure what the real local interface <STRONG>"nameif"</STRONG> is (the one where the server IP is actually located) but you would need this kind of configurations</P><P></P><P><STRONG>object network SERVER</STRONG></P><P><STRONG> host 172.18.2.13</STRONG></P><P></P><P><STRONG>object network VPN-POOL</STRONG></P><P><STRONG> subnet 172.25.17.0 255.255.255.0</STRONG></P><P></P><P><STRONG>nat (serverint,outside2) 1 source static SERVER SERVER destination static VPN-POOL VPN-POOL</STRONG></P><P></P><P>The above rule should match the traffic from the VPN-POOL to the SERVER. The number <STRONG>"1"</STRONG> seen in the CLI format configurations means that it would be added to the top of the rules. The "serverint" is meant to mean the actual name of the interface where the server is located as I presume that its not located behind the <STRONG>"HomeOffice"</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 04 Mar 2014 12:32:39 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445152#M268757 Jouni Forss 2014-03-04T12:32:39Z https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445153#M268760 <P><SPAN class="fullname"><SPAN rel="sioc:has_creator"><A about="/users/jouniforss" class="username" datatype="" href="https://community.cisco.com/users/jouniforss" property="foaf:name" title="View user profile." typeof="sioc:UserAccount" lang=""><U><FONT color="#0066cc">Jouni Forss</FONT></U></A></SPAN></SPAN>&nbsp;, this worked out correctly. I removed all NAT parms and reconfigured. It appeared as there was a twice NAT going on.</P><P>&nbsp;</P><P>Thanks for your time,</P><P>Dave</P> Tue, 11 Mar 2014 16:24:34 GMT https://community.cisco.com/t5/network-security/unable-to-access-internal-https-through-vpn-conn/m-p/2445153#M268760 dmooregfb 2014-03-11T16:24:34Z