Cisco asa PAT, black_owl, 17-Sep-10, 08:52

Hello! The task is to provide access from outside to the server 192.168.20.32 on the LAN over HTTPS. I have tried various NAT and PAT variants and nothing works; with the current configuration nothing even shows up in the logs. Besides this, the ASA also has a VPN server and IPsec tunnels configured. Please suggest which direction to think in. The config is as follows.

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 20
 ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 1111111111111111 encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Split_Tunnel_List remark N_lan
access-list Split_Tunnel_List standard permit 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list V_RC_net extended permit ip 192.168.28.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list V_RC_net extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list policy_nat_web1 extended permit ip host 192.168.20.32 any log
access-list policy_nat_web2 extended permit ip host 192.168.20.32 any
access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
access-list inbound_outside extended permit tcp any host x.x.x.x eq https log
access-list inbound_outside extended permit icmp any host x.x.x.x echo-reply
access-list inbound_outside extended permit icmp any host x.x.x.x echo
pager lines 24
logging enable
logging list My level debugging
logging buffer-size 40096
logging buffered My
logging trap My
logging asdm informational
logging debug-trace
mtu Outside 1500
mtu Inside 1500
ip local pool vpnpool 192.168.150.2-192.168.150.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list nonat
static (Inside,Outside) x.x.x.x access-list policy_nat_web1
access-group inbound_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.y 1
route Inside 192.168.15.0 255.255.255.0 192.168.20.1 1
route Inside 192.168.1.3 255.255.255.255 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server T3v1 protocol radius
 accounting-mode simultaneous
aaa-server T3v1 host 192.168.20.12
 timeout 7
 key *
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 110 match address V_RC_net
crypto map outside_map 110 set peer z.z.z.z
crypto map outside_map 110 set transform-set ESP-AES-MD5
crypto map outside_map 110 set security-association lifetime seconds 28800
crypto map outside_map 1000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp disconnect-notify
telnet 192.168.1.3 255.255.255.255 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy VPN_GP internal
group-policy VPN_GP attributes
 dns-server value 192.168.20.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 600 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 600 retry 2
tunnel-group VPN_GP type ipsec-ra
tunnel-group VPN_GP general-attributes
 address-pool vpnpool
 authentication-server-group T3v1
 default-group-policy VPN_GP
tunnel-group VPN_GP ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 600 retry 2
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:2696bcd6686cd68654dd3bbe8db6e276
: end
- Cisco asa PAT, sh_, 09:57, 17-Sep-10 (1)

Remove this:
>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>static (Inside,Outside) x.x.x.x access-list policy_nat_web1

And write:
static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
- Cisco asa PAT, black_owl, 12:25, 17-Sep-10 (2)

>Remove this:
>>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>>static (Inside,Outside) x.x.x.x access-list policy_nat_web1
>
>And write:
>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https

Already tried that, it doesn't work!
- Cisco asa PAT, black_owl, 12:37, 17-Sep-10 (3)

>>Remove this:
>>>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>>>static (Inside,Outside) x.x.x.x access-list policy_nat_web1
>>
>>And write:
>>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>
>Already tried that, it doesn't work!

And at the same time there were these entries in the log:
2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397 to Outside:x.x.x.x/443
2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443
- Cisco asa PAT, crash, 13:09, 17-Sep-10 (4)

>[overquoting removed]
>>>And write:
>>>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>>
>>Already tried that, it doesn't work!
>
>And at the same time there were these entries in the log:
>2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397 to Outside:x.x.x.x/443
>2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443

>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
Instead of 192.168.20.32, specify the real (public) IP address, not your server's internal address. And naturally it should be:
static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https netmask 255.255.255.255
- Cisco asa PAT, sh_, 15:13, 17-Sep-10 (5)

2crash: He writes that he already has
access-list inbound_outside extended permit tcp any host x.x.x.x eq https log
Possibly x.x.x.x hides something other than what we think. And why are people so afraid to show their public addresses... :(
- Cisco asa PAT, crash, 21:54, 17-Sep-10 (6)

>2crash: He writes that he already has
>access-list inbound_outside extended permit tcp any host x.x.x.x eq https log
>
>Possibly x.x.x.x hides something other than what we think.

Didn't notice. I saw the rule with the internal IP at the very beginning and didn't look any further.
- Cisco asa PAT, andmv, 04:45, 18-Sep-10 (8)

>And at the same time there were these entries in the log:
>2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397 to Outside:x.x.x.x/443
>2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443

You could try:
access-list inbound_Inside extended permit tcp host 192.168.20.32 any eq https
access-group inbound_Inside in interface Inside
- Cisco asa PAT, crash, 21:59, 17-Sep-10 (7)

Well, another option is to add inspect for https.
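An added example, not from the thread and not Cisco's own tooling: a small Python lint for the pre-8.3 ASA rule that replies (1), (4) and (5) converge on. On ASA 7.2 an ACL applied inbound on Outside is evaluated against the packet's destination as it arrives, i.e. the mapped (public) address, so a permit to the real address 192.168.20.32 can never match; and every port static needs a matching permit to its mapped address and port. The 710003/710005 messages quoted in reply (3) are the ASA's denial of a connection to an interface service on the box itself, which is consistent with the request reaching the outside address with no translation claiming it. The script assumes a constructed config fragment in the thread's shape with 203.0.113.10 standing in for the masked x.x.x.x; the poster's permit to 192.168.20.32 is kept so the check has something to flag, and the second static (smtp to 192.168.20.40) is invented to show the missing-permit case. It only understands port statics (`static (in,out) tcp|udp MAPPED PORT REAL PORT`) and single-host, single-port tcp/udp permits, not the policy static the poster started with.

```python
import ipaddress
import re

# Constructed sample config (stand-in for the thread's config, NOT the poster's
# own): 203.0.113.10 replaces the masked x.x.x.x; the poster's permit to the real
# address 192.168.20.32 is kept so the lint has something to flag; the smtp static
# for 192.168.20.40 is invented to show a static with no matching permit.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif Inside
 security-level 20
 ip address 192.168.20.254 255.255.255.0
access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
access-list inbound_outside extended permit tcp any host 203.0.113.10 eq https log
static (Inside,Outside) tcp 203.0.113.10 https 192.168.20.32 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 192.168.20.40 smtp netmask 255.255.255.255
access-group inbound_outside in interface Outside
"""

# Subset of the port names the ASA accepts in static and access-list lines.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# static (real_ifc,mapped_ifc) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [netmask M]
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(?: netmask \S+)?$")
# access-list NAME extended permit tcp|udp SRC host DST eq PORT ...
ACE_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) (any|host \S+|\S+ \S+) host (\S+) eq (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)


def port_number(token):
    """'https' or '443' -> 443."""
    return PORT_NAMES.get(token) or int(token)


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def interface_addresses(config):
    """nameif -> interface IP, read from the 'interface' blocks."""
    addrs, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addrs[nameif] = line.split()[2]
    return addrs


def parse_port_statics(config, ifaces):
    """Port statics, with the 'interface' keyword resolved to the mapped interface's IP."""
    statics = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        _real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port = m.groups()
        if mapped_ip == "interface":
            mapped_ip = ifaces[mapped_if]
        statics.append({"proto": proto, "mapped_if": mapped_if, "mapped_ip": mapped_ip,
                        "mapped_port": port_number(mapped_port),
                        "real_ip": real_ip, "real_port": port_number(real_port)})
    return statics


def parse_aces(config):
    """tcp/udp permits to one host and one port; other ACE shapes are ignored."""
    aces = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            acl, proto, src, dst, port = m.groups()
            aces.append({"acl": acl, "proto": proto, "src": src, "dst": dst, "port": port_number(port)})
    return aces


def lint(config):
    """Return (kind, detail) findings for the pre-8.3 mapped-address rule."""
    ifaces = interface_addresses(config)
    statics = parse_port_statics(config, ifaces)
    aces = parse_aces(config)
    inbound = {ifc: acl for acl, ifc in ACCESS_GROUP_RE.findall(config)}
    findings = []

    def static_for(ifc, ace):
        return [s for s in statics if s["mapped_if"] == ifc and s["proto"] == ace["proto"]
                and s["mapped_ip"] == ace["dst"] and s["mapped_port"] == ace["port"]]

    for ifc, acl in inbound.items():
        for ace in (a for a in aces if a["acl"] == acl):
            where = f"{acl}: permit {ace['proto']} to {ace['dst']}/{ace['port']}"
            if is_rfc1918(ace["dst"]):
                # Pre-8.3: the inbound ACL sees the destination as it arrives, i.e. the
                # mapped address, so an entry naming the real address never matches.
                findings.append(("real-address-ace", where + " names the real address; never matches on pre-8.3"))
            elif not static_for(ifc, ace):
                findings.append(("dead-ace", where + " has no port static mapping it inward"))
    for s in statics:
        acl = inbound.get(s["mapped_if"])
        if not any(a["acl"] == acl and a["proto"] == s["proto"] and a["dst"] == s["mapped_ip"]
                   and a["port"] == s["mapped_port"] for a in aces):
            findings.append(("unpermitted-static",
                             f"static {s['proto']} {s['mapped_ip']}/{s['mapped_port']} -> "
                             f"{s['real_ip']}/{s['real_port']} has no permit in the inbound ACL on {s['mapped_if']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in lint(SAMPLE_CONFIG):
        print(f"[{kind}] {detail}")
```

Run against a real `show running-config` by passing the text to lint(); on an 8.3 or later ASA the real-address check is inverted (inbound ACLs name the real address there), so this script is only for the 7.x/8.2 syntax the thread uses.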