01-04-2016 11:00 PM - edited 03-12-2019 12:06 AM
Hi, I'm trying to get my clients from another site access to the secure web server in my interior network. Below are the object groups and access lists I have configured on the ASA to which the web server is attached.
!
!
object network asa_inside_address
subnet 10.30.0.1 255.255.255.255
object network inside_network
subnet 10.30.0.0 255.255.255.0
!
!
access-list website_outside extended permit tcp any object asa_inside_address eq 443
access-list website_outside extended permit icmp any object asa_inside_address
access-list website_outside extended permit icmp any object inside_network
!
!
access-group website_outside in interface outside
!
!
!
When I apply the access list I can't ping from the outside network, and I can't even ping from the router on the outside network to the ASA outside address of 172.16.30.2. When I remove the access group it allows me to ping again from the router and from the outside PC, but it doesn't let me ping the inside interfaces, which is what I was trying to do in the first place.
Can anyone help me with this and explain why it won't even let me ping the OUTSIDE interface on the ASA when the access group is on? And how can I poke a hole in the firewall to make the connection to the secure web server, which has an address of 10.30.0.10?
Also, one more thing: when I try to create an access list on the other ASA, the one from which the PCs are pinging, it comes back with a strange error:
!
ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 0.0.0.255 eq 443 10.20.0.0 0.0.0.255
ERROR: IP address,mask <10.30.0.0,0.0.0.255> doesn't pair
!
I'm trying to match the traffic flow on the ASA because in Packet Tracer it doesn't let you inspect HTTPS on the global service policy I have created here on both:
class-map inspect
match default-inspection-traffic
!
policy-map global
class inspect
inspect icmp
!
service-policy global global
01-06-2016 01:43 AM
Routers use wildcard masks.
ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 0.0.0.255 eq 443 10.20.0.0 0.0.0.255
ERROR: IP address,mask <10.30.0.0,0.0.0.255> doesn't pair
ASAs use normal subnets, so use:
ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 255.255.255.0 eq 443 10.20.0.0 255.255.255.0
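As an added illustration (not code from either post), a small Python model of ASA extended-ACL parsing and first-match evaluation: it reproduces the "doesn't pair" check that rejects a wildcard mask, converts the wildcard to the netmask the reply suggests, and lets you test whether a flow to the web server at 10.30.0.10 is actually covered by the posted website_outside list. The object names, addresses and ACL lines are re-typed from the question; the parser handles only the keyword forms that appear in this thread (any, object, address plus mask, eq).

```python
import ipaddress
from collections import namedtuple

OBJECTS = {"asa_inside_address": ipaddress.ip_network("10.30.0.1/32"),  # re-typed from the question
           "inside_network": ipaddress.ip_network("10.30.0.0/24")}
WEBSITE_OUTSIDE = [  # the access-list lines from the question
    "access-list website_outside extended permit tcp any object asa_inside_address eq 443",
    "access-list website_outside extended permit icmp any object asa_inside_address",
    "access-list website_outside extended permit icmp any object inside_network",
]
Entry = namedtuple("Entry", "action proto src sport dst dport")  # a port of None means any port

def wildcard_to_netmask(wildcard: str) -> str:  # IOS wildcard 0.0.0.255 -> ASA netmask 255.255.255.0
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return str(ipaddress.ip_network(f"0.0.0.0/{netmask}").netmask)  # rejects non-contiguous masks

def _network(tok: list) -> ipaddress.IPv4Network:  # consume one of: any | object NAME | ADDR NETMASK
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "object":
        return OBJECTS[tok.pop(0)]
    addr, mask = ipaddress.ip_address(t), ipaddress.ip_address(tok.pop(0))
    if int(addr) & int(mask) != int(addr):  # address bits fall outside the mask (a wildcard was given)
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair")
    return ipaddress.ip_network(f"{addr}/{mask}")

def _port(tok: list):  # consume an optional 'eq PORT'
    if tok[:1] != ["eq"]:
        return None
    return int((tok.pop(0), tok.pop(0))[1])  # drop 'eq', keep PORT

def parse_entry(line: str) -> Entry:  # 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    action, proto, rest = t[3], t[4], t[5:]
    src, sport = _network(rest), _port(rest)
    dst, dport = _network(rest), _port(rest)
    return Entry(action, proto, src, sport, dst, dport)

def check_entry(line: str) -> str:  # 'ok', or the ASA-style error text the line would produce
    try:
        parse_entry(line)
        return "ok"
    except ValueError as exc:
        return f"ERROR: {exc}"

def evaluate(acl: list, proto: str, src: str, dst: str, sport=None, dport=None) -> str:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:  # first match wins; the ASA's implicit deny applies when nothing matches
        if (e.proto in (proto, "ip") and s in e.src and d in e.dst
                and e.sport in (None, sport) and e.dport in (None, dport)):
            return e.action
    return "deny"
```

Running the posted list through evaluate() shows TCP/443 to 10.30.0.1 permitted but the same flow to 10.30.0.10 hitting the implicit deny, since the only TCP entry targets the asa_inside_address object.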