I have an ASA 5540+SSM-40 on which I have configured webvpn and it's listening for connections on the outside interface.
It can be accessed from outside the network (the internet) and works just fine. The problem is, I want to access it from inside the network as well but it doesn't work. I can't ping or connect in any way to the IP address of the outside interface from inside (so I suppose it's not strictly related to the configuration of the webvpn).
I don't think it's an ACL issue because the only ACL filtering I do is on the OUTSIDE-IN (facing the internet), the rest are set to permit any.
So can anyone please tell me what I have to do to be able to access the IP address of the outside interface from networks behind the inside interface?
Oh..and something strange...
I tried using the packet-tracer feature and used it to do a trace from a host inside to the web port on the outside interface and this is what it shows:
- 188.8.131.52 is the IP address of the outside interface
- 184.108.40.206 is the IP address of some host on the inside
These are public IP addresses; no NAT is done on the ASA.
ASA# packet-tracer input inside tcp 220.127.116.11 1234 18.104.22.168 80
MAC Access list
in 22.214.171.124 255.255.255.255 identity
output-interface: NP Identity Ifc
Drop-reason: (acl-drop) Flow is denied by configured rule
So as far as I can tell it seems to be blocked by the ACL configured for out on the outside interface.
The thing is my ACLs are configured this way:
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-OUT out interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside
But except for OUTSIDE-IN, which is facing the internet and has various ACL lines, all the other ACLs only contain the line "extended permit ip any any".
So why is it saying an ACL is blocking?
You can't connect to WebVPN from the inside if you only enable WebVPN for the outside interface.
You won't be able to connect to the outside interface IP from the inside to connect to WebVPN.
If you want to access WebVPN from the inside, you would need to enable webvpn on the inside and access it via its inside interface IP address.