05-06-2011 04:06 AM - edited 02-21-2020 05:19 PM
Hello,
I have an ASA 5540 + SSM-40 on which I have configured WebVPN, and it's listening for connections on the outside interface.
It can be accessed from outside the network (the internet) and works just fine. The problem is, I want to access it from inside the network as well but it doesn't work. I can't ping or connect in any way to the IP address of the outside interface from inside (so I suppose it's not strictly related to the configuration of the webvpn).
I don't think it's an ACL issue, because the only ACL filtering I do is on OUTSIDE-IN (facing the internet); the rest are set to permit any.
So can anyone please tell me what I have to do to be able to access the IP address of the outside interface from networks behind the inside interface?
Thanks,
05-06-2011 04:51 AM
Oh... and something strange...
I tried using the packet-tracer feature and used it to do a trace from a host inside to the web port on the outside interface and this is what it shows:
- 111.111.111.242 is the ip address of the outside interface
- 111.111.111.151 is the ip address of some host on the inside
These are public IP addresses, no NAT is done on the ASA
ASA# packet-tracer input inside tcp 111.111.111.151 1234 111.111.111.242 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 111.111.111.242 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So as far as I can tell, it seems to be blocked by the ACL configured for "out" on the outside interface.
The thing is my ACLs are configured this way:
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-OUT out interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside
But except for OUTSIDE-IN, which faces the internet and has various ACL lines, all the other ACLs only contain the line "extended permit ip any any".
So why is it saying an ACL is blocking?
06-24-2011 05:22 PM
Anyone? Any ideas?
06-24-2011 06:10 PM
You can't connect to WebVPN from the inside if you only enable WebVPN for the outside interface.
You won't be able to connect to the outside interface IP from the inside to connect to WebVPN.
If you want to access WebVPN from the inside, you would need to enable webvpn on the inside and access it via its inside interface ip address.
06-24-2011 06:32 PM
Thanks for your answer.
But is it possible to enable it on both the outside and inside interfaces at the same time?
06-24-2011 06:38 PM
Yes, you can.
Under the webvpn configuration, just add "enable inside" as well.
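For reference, here is what the resulting configuration and a verification step look like. This is an added example written from the thread's description, not the original poster's running config or the answerer's text. The outside address 111.111.111.242 and the inside host 111.111.111.151 are taken from the packet-tracer output above; the inside interface address 111.111.111.1 and the interface names are assumptions for illustration.

```text
! Added example, not the poster's configuration. Addresses are illustrative;
! only 111.111.111.242 (outside) and 111.111.111.151 (inside host) come from
! the thread, the inside interface IP 111.111.111.1 is assumed.
!
! WebVPN (clientless SSL VPN / AnyConnect) only listens on the interfaces
! where it is explicitly enabled. The ASA does not answer connections to the
! IP of a "far-side" interface, so an inside host can never reach the outside
! interface address; it must use the inside interface address instead.
webvpn
 enable outside
 enable inside
!
! Optional: redirect plain HTTP on each enabled interface to HTTPS (443).
! Without this, port 80 on the ASA is not listened on, which also explains
! why the original packet-tracer run against port 80 was dropped even
! before considering the interface issue. WebVPN itself listens on 443
! unless the "port" command under webvpn changes it.
http redirect outside 80
http redirect inside 80
!
! Verification from the CLI: trace an inside host to the INSIDE interface
! IP on 443. With "enable inside" present this should end with
! "Action: allow" and an output interface of "NP Identity Ifc"; repeating
! the trace against 111.111.111.242 from the inside still drops, by design.
packet-tracer input inside tcp 111.111.111.151 1234 111.111.111.1 443
!
! Confirm the listeners:
show running-config webvpn
```

Note that the interface access-groups shown earlier (INSIDE-IN, OUTSIDE-OUT, etc.) govern through-the-box traffic; a connection terminating on the ASA itself is accepted or refused by whether the service is enabled on the ingress interface, which is why "permit ip any any" did not help here.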