ASA5520     8.2(5)30

Greetings,

I have an IPSEC RA policy that's set up to tunnel all traffic (no split-tunnel) through the ASA (terminates on the outside interface).  I need to be able to allow thesesame VPN users to access one web page (hairpinning) on the outside interface.

++++++++++++++++++++++++++++++

Here are the current settings:

group-policy L-Admins internal

group-policy L_Admins attributes

wins-server value 172.16.0.33 172.16.0.9

dns-server value 172.16.0.33 172.16.0.9

vpn-idle-timeout 60

vpn-session-timeout 480

vpn-filter value l-admin-filter

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.9

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.1.4

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.1.2

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 10.24.0.0 255.252.0.0

     access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.0.233

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelall

default-domain value IHI.local

tunnel-group L_Admins type remote-access

tunnel-group L_Admins general-attributes

address-pool ili_global

authentication-server-group PhoneFactor

default-group-policy L_Admins

tunnel-group L_Admins ipsec-attributes

pre-shared-key *

++++++++++++++++++++++

Hairpinning is currently not enabled, so I assume I need to add:

same-security-traffic permit inter-interface

and (I assume)

ip local pool l_admins 172.30.4.1-172.30.4.2 mask 255.255.255.252

global (outside) 1 interface ***** PAT IP

nat (outside) 1 172.30.4.1-172.30.4.2 mask 255.255.255.252

But from here I don't know how to restrict access to a single external IP on the web over port 80.