Simple HTTPS Access (Intranet) not so simple

07-11-2018 05:17 PM - edited 02-21-2020 07:58 AM
A company that we've been talking to via HTTPS over our Internet connection wants us to run this HTTPS connection via our internal network, which we connect to on our core network just fine but can't access via our remote VPN sites.
The remote VPN sites are all connected to a 5510 that can reach xx.xx.xx.151 just fine.
The VPN connections on the remote ends are odd: they have a working IPsec tunnel, but they actually connect to the xx.xx.xx.151 website via Cisco AnyConnect VPN clients. When they log into AnyConnect they're given a pool IP from 172.25.205.5-172.25.205.250.
Note: We can reach other internal servers but not xx.xx.xx.151.
I've run a packet capture but I don't think I'm doing it right.
Packet-tracer input inside tcp 172.25.205.1 1025 xx.xx.xx.151 443 DETAIL
Drop-reason: (acl-drop) Flow is denied by configured rule
show run access-group
access-group out_in in interface outside
show config | inc out_in
access-list out_in extended permit ip any any
Any help on this would be greatly appreciated. Like I said, various people have been trying to get it to work for 9 months.
Labels: NGFW Firewalls
07-11-2018 05:35 PM
xx.xx.xx.151 - I am guessing this is a public Internet-routable IP, is this correct?
Do you have a NAT rule for your internal IPs (172.25.205.5-172.25.205.250)?
RFC 1918 addresses cannot go directly to the Internet; you need to do NAT on the WAN-end router or device.
If you can show the network topology, we can suggest much better.
BB

07-11-2018 06:46 PM
Here's a quick map.

07-11-2018 08:57 PM
Can I apply the same ANY ANY ACL to the INSIDE interface?
show run access-group
access-group out_in in interface outside <------Current
access-group out_in in interface INSIDE <-----Add to INSIDE interface?
Is that possible? I don't usually do access-groups, so I'm not sure if it's possible. Would that allow the ANY ANY traffic to hit the INSIDE as well?
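An added example, not from any poster in this thread, showing how ASA binds one ACL per interface with access-group and how a scoped ACL compares with the permit ip any any above, followed by the commands used to check whether decrypted VPN traffic bypasses interface ACLs and to trace a flow sourced from the AnyConnect pool. The pool mask 172.25.205.0/24, the inside range 10.0.0.0/8, the ACL names vpn_to_web and in_out, and the xx.xx.xx.151 placeholder are assumptions.

```text
! Added example, not from the thread. Assumes the AnyConnect pool is
! 172.25.205.0/24, the inside network is 10.0.0.0/8 (both assumptions),
! and keeps the thread's xx.xx.xx.151 placeholder for the web server.

! Weak: one ACL that permits everything, bound to the outside interface
access-list out_in extended permit ip any any
access-group out_in in interface outside

! Tighter: a separate ACL per interface; each permits only the VPN pool
! (or the inside range) to the HTTPS server on tcp/443 and logs the rest
access-list vpn_to_web extended permit tcp 172.25.205.0 255.255.255.0 host xx.xx.xx.151 eq 443
access-list vpn_to_web extended deny ip any any log
access-group vpn_to_web in interface outside

access-list in_out extended permit tcp 10.0.0.0 255.0.0.0 host xx.xx.xx.151 eq 443
access-list in_out extended deny ip any any log
access-group in_out in interface inside

! Show whether decrypted VPN traffic bypasses interface ACLs; "sysopt connection
! permit-vpn" is the default, "no sysopt connection permit-vpn" applies the ACLs
show running-config all sysopt | include permit-vpn

! Trace a flow from an address inside the pool, entering on the interface
! the AnyConnect client traffic actually arrives on (outside, in this layout)
packet-tracer input outside tcp 172.25.205.10 1025 xx.xx.xx.151 443 detailed
```

Bind a distinct ACL name to each interface with its own access-group line; a second access-group for an interface replaces the first rather than adding to it.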
