Beginner

Access AnyConnect VPN from inside

Hello,

I have a ASA 5540+SSM-40 on which I have configured webvpn and it's listening for connections on the outside interface.

It can be accessed from outside the network (the internet) and works just fine. The problem is, I want to access it from inside the network as well but it doesn't work. I can't ping or connect in any way to the IP address of the outside interface from inside (so I suppose it's not strictly related to the configuration of the webvpn).

I don't think it's a ACL issue because the only ACL filtering I do is on the OUTSIDE-IN (facing the internet), the rest are set to permit any.

So can anyone please tell me what I have to do to be able to access the IP address of the outside interface from networks behind the inside interface?

Thanks,

1 ACCEPTED SOLUTION

Cisco Employee

Yes, you can.

Under webvpn configuration, just "enable inside" as well.

5 REPLIES

Beginner

Re: Access AnyConnect VPN from inside

Oh, and something strange...

I tried using the packet-tracer feature and used it to do a trace from a host inside to the web port on the outside interface and this is what it shows:

- 111.111.111.242 is the ip address of the outside interface

- 111.111.111.151 is the ip address of some host on the inside

These are public IP addresses, no NAT is done on the ASA

ASA# packet-tracer input inside tcp 111.111.111.151 1234 111.111.111.242 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   111.111.111.242 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So as far as I can tell it seems to be blocked by the ACL configured for out on the outside interface.

The thing is my ACLs are configured this way:

access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-OUT out interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside

But except for OUTSIDE-IN, which is facing the internet and has various ACL lines, all the other ACLs only contain the line "extended permit ip any any".

So why is it saying an ACL is blocking?

Beginner

Access AnyConnect VPN from inside

Anyone? Any ideas?

Cisco Employee

Access AnyConnect VPN from inside

You can't connect to WebVPN from the inside if you only enable WebVPN for the outside interface.

You won't be able to connect to the outside interface IP from the inside to connect to WebVPN.

If you want to access WebVPN from the inside, you would need to enable webvpn on the inside and access it via its inside interface IP address.

Beginner

Access AnyConnect VPN from inside

Thanks for your answer.

But is it possible to enable it on both outside and inside interfaces at the same time?

Cisco Employee

Access AnyConnect VPN from inside

Yes, you can.

Under webvpn configuration, just "enable inside" as well.

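For reference, this is the shape of the webvpn stanza before and after the fix the thread arrives at, together with a packet-tracer check aimed at the inside interface instead of the outside one. It is an added illustration, not configuration posted in the thread; the listener port 443, the "anyconnect enable" keyword and the "<inside-interface-ip>" placeholder are assumptions (the inside interface address is never given above).

```cisco
! Before (as described in the thread): the WebVPN/AnyConnect listener is
! bound to outside only. Inside hosts cannot reach 111.111.111.242 because
! the ASA does not accept connections to one of its own interface addresses
! from a different interface, which packet-tracer reports as the
! "NP Identity Ifc" implicit-rule drop, independent of the permit-any ACLs.
webvpn
 enable outside
 anyconnect enable        ! assumed; older releases use "svc enable"

! After: also bind the listener to inside. Inside clients then connect to
! the inside interface address, not to the outside address.
webvpn
 enable outside
 enable inside
 anyconnect enable        ! assumed; older releases use "svc enable"

! Verification from an inside host (111.111.111.151 as in the thread),
! targeting the inside interface address on the assumed port 443.
! With "enable inside" in place the trace should no longer end in the
! "(acl-drop) Flow is denied by configured rule" implicit-rule drop.
! packet-tracer input inside tcp 111.111.111.151 1234 <inside-interface-ip> 443
```

Enabling the listener on inside makes the portal and its login endpoint reachable from the internal network as well, so the certificate, AAA and logging settings applied to the outside listener apply there too and should be reviewed with that in mind.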