Simple HTTPS Access (Intranet) not so simple

ixholla69
Level 1

A company that we've been talking to via HTTPS over our Internet connection wants us to
run this HTTPS connection via our internal network, which we connect to on our core network
just fine but can't access via our remote VPN sites.

 

The remote VPN sites are all connected to a 5510 that can reach xx.xx.xx.151 just fine.

 

The VPN connections on the remote ends are odd: they have a working IPsec tunnel, but they actually connect to the xx.xx.xx.151 website via Cisco AnyConnect VPN clients. When they log into AnyConnect they're given a pool IP from 172.25.205.5-172.25.205.250.

 

Note: We can reach other internal servers but not the xx.xx.xx.151

 

I've run a packet capture, but I don't think I'm doing it right.

packet-tracer input inside tcp 172.25.205.1 1025 xx.xx.xx.151 443 detailed
    Drop-reason: (acl-drop) Flow is denied by configured rule

show run access-group
    access-group out_in in interface outside

show config | inc out_in
    access-list out_in extended permit ip any any

 

Any help on this would be greatly appreciated. Like I said, various people have been trying to get it to work for 9 months.
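The diagnostics a practitioner would run on the 5510 before touching the config, as an added example that is not part of the original post. On an ASA, AnyConnect traffic is decrypted and then injected on the interface that terminates the tunnel, so a packet-tracer with `input inside` does not model the client flow at all. The example assumes the tunnel terminates on an interface named outside, the internal network is behind inside, 172.25.205.5 is a pool address currently held by a connected client, the ASA runs 8.3-or-later NAT syntax, and xx.xx.xx.151 is the server exactly as written in the post; the capture names vpnflow and drops are placeholders. Lines beginning with `!` are annotations, not commands.

```text
! Added example, not from the original post. Typed on the ASA 5510 that
! terminates the AnyConnect sessions (interface names are assumptions).

! 1. Confirm the client is actually connected and which pool address it holds.
show vpn-sessiondb anyconnect

! 2. Trace the flow from the interface the decrypted client traffic really enters.
!    Decrypted AnyConnect traffic enters on the tunnel-terminating interface
!    (outside here), not on inside, so "input inside" traces the wrong path.
packet-tracer input outside tcp 172.25.205.5 1025 xx.xx.xx.151 443 detailed

! 3. Does decrypted VPN traffic bypass interface ACLs (the default) or not?
!    If "no sysopt connection permit-vpn" is present, the out_in ACL applies to it.
show running-config sysopt

! 4. Look for a NAT rule that translates the VPN pool or the server, or a
!    missing exemption for pool-to-server traffic.
show running-config nat
show nat detail

! 5. Which interface does the ASA route xx.xx.xx.151 out of? If it is the same
!    interface the tunnel terminates on, the flow is a hairpin and needs
!    "same-security-traffic permit intra-interface".
show route

! 6. Watch the live flow and the drop reason while a client retries HTTPS.
capture vpnflow interface outside match tcp host 172.25.205.5 host xx.xx.xx.151 eq 443
capture drops type asp-drop all
show capture vpnflow
show capture drops | include 172.25.205.5
show asp drop

! 7. Clean up the captures afterwards.
no capture vpnflow
no capture drops
```

Step 2 is the one that matters most: the drop reason it reports, together with the NAT and ACL phases printed by `detailed`, tells you whether the problem is an ACL, a NAT translation, or a routing/hairpin issue, and the remaining steps confirm which of those it is.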

 

 

3 Replies

balaji.bandi
Hall of Fame

xx.xx.xx.151 - I am guessing this is a public Internet-routable IP, is this correct?

 

Do you have a NAT rule for your internal IPs (172.25.205.5-172.25.205.250)?

 

RFC 1918 addresses cannot go directly to the Internet; you need to do NAT on the WAN-end router or device.

 

If you can show the network topology, we can suggest much better.

 

BB


Here's a quick map.

Can I apply the same ANY ANY ACL to the INSIDE interface?

 

show run access-group
    access-group out_in in interface outside    <------Current

    access-group out_in in interface INSIDE    <-----Add to INSIDE interface?

 

Is that possible? I don't usually do access-groups, so I'm not sure if it's possible; would that allow the ANY ANY traffic to hit the INSIDE as well?
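A worked configuration that addresses both balaji.bandi's NAT question and the follow-up question about binding out_in to the inside interface. This is an added example, not configuration from the thread. It assumes the topology the original post describes: xx.xx.xx.151 is behind the interface named inside, the AnyConnect pool 172.25.205.5-172.25.205.250 is terminated on outside, and the ASA runs 8.3-or-later NAT syntax. The object names VPN_POOL and SRV_151 are placeholders. Lines beginning with `!` are annotations.

```text
! Added example, not from the thread. Interface and object names are assumptions.

object network VPN_POOL
 range 172.25.205.5 172.25.205.250
object network SRV_151
 host xx.xx.xx.151

! Identity (exemption) NAT for pool <-> server traffic, so it is neither caught
! by a dynamic PAT meant for Internet-bound LAN traffic nor by a static for .151.
! Written as manual NAT with line number 1 so it is evaluated first.
nat (inside,outside) 1 source static SRV_151 SRV_151 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Default: decrypted VPN traffic bypasses interface ACLs entirely. Keep it, or
! if "no sysopt connection permit-vpn" is configured, the ACL on the interface
! the tunnel terminates on (out_in on outside) is the one that must permit the
! pool to reach xx.xx.xx.151, which "permit ip any any" already does.
sysopt connection permit-vpn

! Why binding out_in to inside does not help this flow: an ACL bound
! "in interface inside" filters packets entering the ASA from the LAN side.
! The VPN clients' packets enter on outside, and the server's return packets
! entering on inside are already permitted by the connection table. Adding the
! line below is harmless but changes nothing for this flow:
!   access-group out_in in interface inside

! Alternative only if xx.xx.xx.151 turns out to be reached back out of the
! same outside interface (balaji.bandi's public-IP guess): the flow is a
! hairpin, which must be allowed and the pool translated to the outside address.
!   same-security-traffic permit intra-interface
!   nat (outside,outside) source dynamic VPN_POOL interface
```

After applying the NAT rule, rerun the packet-tracer from the outside interface with a pool source address; the NAT phase should now show the identity rule and the result should be ALLOW. If the trace still stops on acl-drop, check the output of `show running-config sysopt` and the VPN filter (if any) applied to the AnyConnect group policy, since those are the only places an ACL can act on decrypted tunnel traffic when the default bypass is off.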

 

 
