SSL VPN not working with static nat ip

CSCO11520436 (Level 1)

Hi All,

I have my SSL-VPN (SonicWall) box behind a Cisco ASA. I have done the static NAT for the SSL box; I am able to ping the box from the internet, but not able to log in to the SSL VPN web page. Previously the SSL box was working with the static public IP.

Any suggestions would be great

Karthik S

Jennifer Halim (Cisco Employee)

Can you share the config pls.

Do you have an access-list that allows inbound access on the SSL VPN ports?

Hi Jennifer,

I have written the access-list like below:

object network SSL-Host
 host 172.16.1.16
access-list acl_in permit ip host SSL-Host any
object network SSL-Host-Pub
 host 182.x.x.x
access-list acl_out permit any host SSL-Host-Pub

Any suggestions?

Karthik S

The ACL should be:

access-list acl_out permit any host SSL-Host

Hi,

Can you explain to me how we can permit the private IP in acl_out?

Karthik S

There are changes to access-lists from version 8.3 onwards, where you should use the real IP in the access-list instead of the NATed IP.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665

(Check out the row "Use of Real IP addresses in access lists instead of translated addresses" under the Firewall Features section.)

Hi Jennifer,

So the configuration should be like this:

! real (inside) address of the SSL box, with its static NAT to the public IP
object network SSL-Host
 host 172.16.1.16
 nat (Inside,Outside) static 182.x.x.x
!
! public address object (no longer referenced by any ACL on 8.3+)
object network SSL-Host-Pub
 host 182.x.x.x
!
! 8.3+: ACLs reference the real address via the network object, not the translated one
access-list acl_in extended permit ip object SSL-Host any
access-list acl_out extended permit ip any object SSL-Host

Correct me if I am wrong...

Karthik S

Yes, that is correct.
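A quick way to catch the mistake discussed above on a whole ASA 8.3+ configuration is to parse the network objects, collect the static-NAT mapped addresses, and flag any access-list entry that still references a mapped address (or an object that only wraps one) rather than the real inside object. This is an added example, not anything from the thread or from Cisco; the sample config and the 203.0.113.10 public address are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the thread's ASA 8.3+ config (not a real device).
SAMPLE_CONFIG = """\
object network SSL-Host
 host 172.16.1.16
 nat (Inside,Outside) static 203.0.113.10
object network SSL-Host-Pub
 host 203.0.113.10
access-list acl_in extended permit ip host 172.16.1.16 any
access-list acl_out extended permit tcp any host 203.0.113.10 eq 443
access-list acl_out extended permit tcp any object SSL-Host eq 443
"""


def parse_objects(config: str) -> Dict[str, dict]:
    """Return {object_name: {'real': host_ip, 'mapped': static_nat_ip_or_None}}."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            objects[current] = {"real": None, "mapped": None}
            continue
        if current and line.startswith(" "):
            m = re.match(r"^\s+host (\S+)", line)
            if m:
                objects[current]["real"] = m.group(1)
            m = re.match(r"^\s+nat \([^)]*\) static (\S+)", line)
            if m:
                objects[current]["mapped"] = m.group(1)
    return objects


def find_translated_acl_refs(config: str) -> List[str]:
    """ACL lines that reference a mapped (NAT) address; on 8.3+ these never match."""
    objects = parse_objects(config)
    mapped = {o["mapped"] for o in objects.values() if o["mapped"]}
    # objects that merely wrap a mapped address (the SSL-Host-Pub pattern)
    pub_objects = {n for n, o in objects.items() if o["real"] in mapped and not o["mapped"]}
    hits = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in ("host", "object") and i + 1 < len(tokens):
                if tokens[i + 1] in mapped or tokens[i + 1] in pub_objects:
                    hits.append(line)
                    break
    return hits
```

Run it over the output of `show running-config`; the only line flagged for the sample is the `acl_out` entry pointing at the public address, while the entry using `object SSL-Host` passes.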

Hi Jennifer,

I've been beating my head against this problem and there doesn't seem to be an obvious reason why it doesn't work.

A 3945 router running c3900-universalk9-mz.SPA.151-3.T.bin is configured for SSL VPN. In the status line of the AnyConnect client I see "Unable to process response from x.x.x.x".

aaa new-model
aaa authentication login sslvpn local
aaa session-id common
!
username xxxxx privilege 15 secret xxxxxxx
!
interface Loopback50
 description SSL DHCP Pool Gateway Address
 ip address 192.168.50.1 255.255.255.0
!
interface Loopback10
 description SSL VPN Website IP address
 ip address x.x.x.164 255.255.255.255
!
ip local pool new 192.168.50.2 192.168.50.100
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended VTY_ACL
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
!
line vty 0 4
 access-class VTY_ACL in
 logging synchronous
 transport input telnet ssh
 transport output all
!
webvpn gateway MyGateway
 ip address x.x.x.164 port 443
 http-redirect port 80
 ssl trustpoint
 inservice
!
webvpn install svc flash0:/anyconnect-win-2.4.1012-k9.pkg
!
webvpn context SecureMeContext
 title "My SSL VPN Service"
 secondary-color #C0C0C0
 title-color #808080
 ssl authenticate verify all
 !
 login-message "Welcome to VPN"
 !
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway domain testvpn
 max-users 100
 inservice
!

Please help me out on this.

Karthik S

You don't need to configure loopback 10 with the same ip address as the SSL VPN termination ip address. Please remove loopback10 and see if that resolves the issue.

Also, this IP address x.x.x.164: is it being routed towards the 3945?

Hi Jennifer,

The IP address x.x.x.164 is routed towards my router; I have tested this by logging in to the router from the public side.

Removed Loopback10, still no luck.

Any suggestions?

Karthik S

Can you share the router's full config please, and also, are you able to telnet to port 443 from the outside towards the public IP?

Hi Jennifer,

I am able to telnet to port 443 from outside. If you have any working SSL VPN config on a router, please share.

Karthik S

Here is a sample config:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml

Seems like you already have all the config in place.

Hi Jennifer,

I followed the same link to configure it. Any suggestions?

Karthik S