topic Re: Cisco ASA in Network Security

Cisco ASA

chris.bias — Wed, 09 Mar 2022 14:20:25 GMT

I have a Cisco ASA 5516-X with a new interface that I am setting up for Cisco AnyConnect. I have gone through the AnyConnect VPN Wizard but I am not able to get to the IP address that I have configured (12.190.109.100) from outside but I can ping it from the ASA CLI. I don't believe it is a firewall issue but any advice would be great.

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 14:25:23 GMT

@chris.biasso you've configured a new outside interface? Does that mean you have multiple outside interfaces?

Can you provide the running configuration please, it will make it easier to identify the issue.

Re: Cisco ASA

chris.bias — Wed, 09 Mar 2022 15:07:24 GMT

Yes we have two outside interfaces one named outside and the other anyconnect.

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 15:13:24 GMT

@chris.bias your default route is via the interface Gig1/1 (outside), so return traffic will go out that interface. You'd have to enable VPN on that outside interface.

Re: Cisco ASA

chris.bias — Wed, 09 Mar 2022 15:17:36 GMT

When I try to enable it on the outside interface it gives me this error:

[OK] webvpn
webvpn
[ERROR] enable outside
Port 443 on outside can not be configured due to conflict

[OK] no enable anyconnect

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 15:20:42 GMT

@chris.bias you've got a static NAT for tcp/443 on that outside interface, so you cannot enable RAVPN on tcp/443 when that NAT is configured. Change the NAT from the interface IP address to a dedicated NAT ip address.

Re: Cisco ASA

chris.bias — Wed, 09 Mar 2022 15:34:03 GMT

I apologize this is where I am new to ASA configs but how would I go about that? This is a production system so I want to be careful not to take down other centers.

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 15:38:21 GMT

@chris.bias well you will have to plan this change, as obviously the clients will have to connect to a different public IP address instead of the ASA's outside interface IP address. Hopefully the users connect to an FQDN, so you can just change the DNS entry?

Example NAT rule below using a spare public IP address. Replace the private and public IP addresses to match your environment.

object network WEBSVR
 host 172.16.1.1
 nat (INSIDE,OUTSIDE) static 1.2.3.4 service tcp 443 443

Re: Cisco ASA

chris.bias — Wed, 09 Mar 2022 15:52:48 GMT

Right now this is used to connect other sites using the site to site vpn so they use the inside IP address and use a IKEv key that connects to a Sonicwall device.

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 15:57:27 GMT

@chris.bias I don't understand your last comment. tcp/443 isn't going to be used for S2S VPN. In short if you want to enable AnyConnect RAVPN on your ASA, it has to be on an outside interface. For you to do that, you have to remove your NAT rule, as it's translating https behind the outside interface.

object network int_zvm_443
nat (inside,outside) static interface service tcp https https

Re: Cisco ASA

chris.bias — Wed, 09 Mar 2022 17:18:55 GMT

It appears that one NAT is using that interface and we would lose another system.

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 17:23:35 GMT

@chris.bias correct, that has been what I've been saying.

If you cannot change that system, then consider using IKEv2/IPSec VPN instead of SSL-VPN or enable SSL VPN on a port other than tcp/443.

Re: Cisco ASA

chris.bias — Wed, 09 Mar 2022 17:49:59 GMT

Okay so I changed the port on the SSL VPN and everything looks like it is working now. Just need to get it working with LDAP to communicate with our AD system.

Re: Cisco ASA

Rob Ingram — Wed, 09 Mar 2022 17:58:36 GMT

@chris.bias ok, refer to this guide to setup RAVPN with LDAP.