CISCO ASA5506-X AnyConnect could not access from outside

LorenzoYu12221 — Sun, 22 Mar 2020 21:42:31 GMT

I am setting up Any Connect on an ASA-5506-X. Our ISP provided a static IP address to its modem, and told us that if we connect ASA-5506-X to port#1 of the modem, the modem will be in pass-through mode that will not interfere with what we set up from ASA. The outside inferface of ASA-5506-X got an IP address "192.168.0.2" from the ISP's modem.

I set up AnyConnect via ASDM wizard, but I got the error message (see attached). I tried to connect to AnyConnect from client' workstation by entering ISP's static IP address (http://xx.xxx.xxx.xx) but could not access the AnyConnect logon page.

Below is my ASA configuration after removing all public IP address. I hope you can help me out with this AnyConnect issue.

: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname XXXX
enable password
names
ip local pool Any-Connect 192.168.1.120-192.168.1.130 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.50 255.255.255.255 inside_1
telnet 192.168.1.49 255.255.255.255 inside_1
telnet 192.168.1.48 255.255.255.255 inside_1
telnet 192.168.1.50 255.255.255.255 inside_2
telnet 192.168.1.49 255.255.255.255 inside_2
telnet 192.168.1.48 255.255.255.255 inside_2
telnet 192.168.1.50 255.255.255.255 inside_3
telnet 192.168.1.49 255.255.255.255 inside_3
telnet 192.168.1.48 255.255.255.255 inside_3
telnet 192.168.1.50 255.255.255.255 inside_4
telnet 192.168.1.49 255.255.255.255 inside_4
telnet 192.168.1.48 255.255.255.255 inside_4
telnet 192.168.1.50 255.255.255.255 inside_5
telnet 192.168.1.49 255.255.255.255 inside_5
telnet 192.168.1.48 255.255.255.255 inside_5
telnet 192.168.1.50 255.255.255.255 inside_6
telnet 192.168.1.49 255.255.255.255 inside_6
telnet 192.168.1.48 255.255.255.255 inside_6
telnet 192.168.1.50 255.255.255.255 inside_7
telnet 192.168.1.49 255.255.255.255 inside_7
telnet 192.168.1.48 255.255.255.255 inside_7
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.1.18 198.80.55.5
dhcpd auto_config outside
!
dhcpd address 192.168.1.51-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_Any-connect internal
group-policy GroupPolicy_Any-connect attributes
wins-server none
dns-server value 192.168.1.18
vpn-tunnel-protocol ssl-client
default-domain none
dynamic-access-policy-record DfltAccessPolicy
username olivia password $sha512$5000$JmMGT04rwICRpl+UcsCx9w==$V6CWBLv4wRg2LTGomvCSwg== pbkdf2
username admin password $sha512$5000$DW3jU9UqW05BG6yivW5Isw==$1zdMs4ae53W4/cQJdwSPMg== pbkdf2 privilege 15
tunnel-group Any-connect type remote-access
tunnel-group Any-connect general-attributes
address-pool Any-Connect
default-group-policy GroupPolicy_Any-connect
tunnel-group Any-connect webvpn-attributes
group-alias Any-connect enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ff18c8290b37dfad2d8d980835f9dc61
: end

Re: CISCO ASA5506-X AnyConnect could not access from outside

Rob Ingram — Sun, 22 Mar 2020 22:17:04 GMT

Hi,
Is the ISP router configured to port forward SSL/TLS (tcp/443) and DTLS (udp/443) to the ASA's outside interface IP address? If not you will have to configure this.

HTH

topic Re: CISCO ASA5506-X AnyConnect could not access from outside in Network Security

CISCO ASA5506-X AnyConnect could not access from outside

Re: CISCO ASA5506-X AnyConnect could not access from outside