Would like some configuration guide on the attached setup for the Cisco ASA AnyConnect behind another firewall. The perimeter firewall will have a public IP address NATed to the Cisco ASA interface (using a private IP address). However, in this case, should the Cisco ASA interface that requires configuration be the outside or the inside interface? How about the NAT exemption setup for Cisco AnyConnect?
ASA remote access SSL VPN works when the ASA outside interface is behind another ASA firewall that is NATing the address. As long as the second firewall is allowing TCP/443 (SSL), it should work as expected.
Internet -- ASA (external) ---- Outside (ASA - remote VPN)
For IPsec VPN a few more ports are required (UDP/500 and 4500 typically).
*** Rate All Helpful Responses ***
How about if I configure the inside interface as the VPN access interface instead, because the current VPN concentrator (other product) is using the internal interface?
@wayne loh You have to terminate the VPN on the interface the traffic is coming in on, regardless of its actual name. Usually it's the outside interface.
You only need NAT exemption if you have other NAT rules that might unintentionally NAT the traffic. So if you have other NAT rules, then yes, you need NAT exemption rules. Provide your configuration if unsure.
From your diagram, is your intention to use one interface on the ASA and route traffic to the internal network back via the same interface?
If you are intending to use SSL-VPN, then on the upstream firewall also permit DTLS (UDP/443).
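As an added illustration (not from anyone in this thread), the ASA 8.3+ configuration that puts the points above together: the VPN terminates on the interface the traffic arrives on, and a twice-NAT exemption keeps the pool traffic out of any dynamic PAT rule. The interface names, address ranges and object names are assumptions; substitute your own.

```text
! Constructed example: AnyConnect terminated on "outside", which holds a
! private address that the perimeter firewall NATs a public IP to.
! The perimeter firewall must permit TCP/443 (SSL) and UDP/443 (DTLS)
! to this private address.

! Address pool handed to AnyConnect clients (assumed range)
ip local pool ANYCONNECT_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! Real networks involved (assumed values)
object network NET_INSIDE
 subnet 10.10.0.0 255.255.0.0
object network NET_VPN_POOL
 subnet 10.99.0.0 255.255.255.0

! NAT exemption, placed at line 1 so it is evaluated before any
! dynamic PAT that would otherwise translate inside -> pool traffic.
! no-proxy-arp and route-lookup stop the ASA from answering ARP for,
! or mis-routing, the pool addresses.
nat (inside,outside) 1 source static NET_INSIDE NET_INSIDE destination static NET_VPN_POOL NET_VPN_POOL no-proxy-arp route-lookup

! Terminate SSL VPN on the interface the client traffic arrives on
webvpn
 enable outside
 anyconnect enable

! Only needed if the VPN and the internal network share one interface
! (the hairpin case raised above); otherwise omit.
same-security-traffic permit intra-interface

! Checks: confirm the exemption sits above the dynamic rules and that a
! return packet toward a pool address is not translated.
show nat detail
packet-tracer input inside tcp 10.10.1.5 49152 10.99.0.20 443
```

In the `packet-tracer` output, the NAT phase should show the exemption rule (an identity translation) rather than a dynamic PAT hit; if it does not, the rule is below a rule that matched first.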