I have been experimenting with the Cisco WebVPN, and it has me a bit confused. I am using reflexive access lists and whenever I make a web request over the WebVPN, the return traffic is denied. I'm not sure why. Here is an excerpt of my config file:
    interface FastEthernet4
     description Unprotected interface, facing towards Internet
     ip address dhcp
     ip access-group InternetIn in
     ip access-group InternetOut out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting access-violations
     ip flow ingress
     ip multicast boundary 30
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip access-list extended InternetIn
     evaluate InternetOutPackets
    !
    ip access-list extended InternetOut
     permit tcp any any eq www reflect InternetOutPackets timeout 300
     permit tcp any any eq 443 reflect InternetOutPackets timeout 300
If the full config log is required, let me know and I can sanitize it before posting. Anyhow, when I make a web request via the WebVPN portal, to, say, yahoo.com, I receive the following message:

    *Jan 3 01:03:01.235 EST: %SEC-6-IPACCESSLOGP: list InternetIn denied tcp 220.127.116.11(80) (FastEthernet4 001d.70af.aee2) -> 67.163.xx.xx(21481), 1 packet
I don't know why, but it appears as if any requests made via the WebVPN do not create the corresponding reflexive ACL.
Also, as an aside, will the WebVPN work on both Linux and Windows computers? As far as I can tell, it should, I just haven't been able to test this yet.
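Added example, not part of the original post: a simplified Python model of how the `permit ... reflect InternetOutPackets` entries on the outbound list pair with `evaluate InternetOutPackets` on the inbound list. It assumes the IOS behaviour that an outbound interface ACL is not applied to packets the router itself originates, and that the clientless WebVPN gateway proxies the user's HTTP request from the router; under those assumptions the WebVPN flow never creates a temporary entry, which is consistent with the deny in the log line above. All addresses, ports and times are constructed.

```python
# Simplified model of an IOS reflexive ACL (added example, not IOS code).
# Assumption: outbound interface ACLs are skipped for router-originated
# packets, and the WebVPN gateway sends its proxied request from the router.

class ReflexiveAcl:
    """InternetOut: permit tcp any any eq www/443 reflect InternetOutPackets
    timeout 300.  InternetIn: evaluate InternetOutPackets."""

    def __init__(self, reflect_ports=(80, 443), timeout=300):
        self.reflect_ports = set(reflect_ports)
        self.timeout = timeout
        self.entries = {}  # (src, sport, dst, dport) of return traffic -> expiry

    def outbound(self, src, sport, dst, dport, now, router_originated=False):
        """Apply InternetOut to a packet leaving FastEthernet4.  Returns True
        if permitted.  Router-originated packets bypass the list entirely, so
        they never create a reflexive entry."""
        if router_originated:
            return True
        if dport in self.reflect_ports:
            # Temporary entry mirrors the flow so the reply can come back in.
            self.entries[(dst, dport, src, sport)] = now + self.timeout
            return True
        return False  # implicit deny at the end of InternetOut

    def inbound(self, src, sport, dst, dport, now):
        """Apply InternetIn ('evaluate InternetOutPackets') to a reply."""
        self.entries = {k: e for k, e in self.entries.items() if e > now}
        return (src, sport, dst, dport) in self.entries

def demo():
    acl = ReflexiveAcl()
    # 1) Transit session from a LAN host: entry is created, reply permitted.
    acl.outbound("192.0.2.10", 40000, "198.51.100.5", 80, now=0)
    lan_ok = acl.inbound("198.51.100.5", 80, "192.0.2.10", 40000, now=1)
    # 2) Same request proxied by the WebVPN gateway on the router itself:
    #    outbound list is skipped, no entry, so the reply is denied.
    acl.outbound("203.0.113.1", 21481, "198.51.100.5", 80, now=0,
                 router_originated=True)
    vpn_ok = acl.inbound("198.51.100.5", 80, "203.0.113.1", 21481, now=1)
    # 3) The LAN entry expires after the 300 s timeout.
    stale = acl.inbound("198.51.100.5", 80, "192.0.2.10", 40000, now=301)
    return lan_ok, vpn_ok, stale

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```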