Solved: If you connect using AC VPN

mahesh18 · ‎04-13-2014

Hi Everyone,

I am using two public IP for my home network via Bridged Modem

Setup

Router Switch Modem

ASA Switch Modem

Both Router and ASA have public IPs and are on separate network.

Outside interface of ASA has no ACL to permit any traffic on port 443.

When i connect from Network behind Router via https//ASA public IP anyconnect works fine

Need to know how connection on port 443 of outside interface of ASA is working without permit ACL?

Regards

Mahesh

Rudy Sanjoko · ‎04-14-2014

From what I understand, ACL on ASA outside interface is normally used to allow traffic going through the ASA, from lower to higher security level not to the ASA itself. If you try to access port 443 on a device behind the ASA, I believe it will be denied if you don't have the ACL configured.

The reason that you can connect to ASA on port 443 probably is because you have http and http server enable commands configured on the ASA.

View solution in original post

Rudy Sanjoko · ‎04-16-2014

That's not correct. You do need to open the port for 443 and 500 on the ASA, otherwise AC or VPN Client will not be able to establish a connection to the ASA. But you are not opening them using ACL.

By configuring crypto ikev1 enable command, you enable port 500 on ASA as IKE is using port 500 to communicate. The same as AC, you use the webvpn command. The different is that you can also enable port 443 using http server enable command on the ASA.

Please rate helpful comments/answers.

View solution in original post

Rudy Sanjoko · ‎04-14-2014

From what I understand, ACL on ASA outside interface is normally used to allow traffic going through the ASA, from lower to higher security level not to the ASA itself. If you try to access port 443 on a device behind the ASA, I believe it will be denied if you don't have the ACL configured.

The reason that you can connect to ASA on port 443 probably is because you have http and http server enable commands configured on the ASA.

mahesh18 · ‎04-14-2014

Hi Rudy,

Yes i have http server configured so that i can access ir from outside.

Also when i use VPN ipsec client i am able to connect on port TCP 10000 even though ASA outside

interface is not allowing anything?

Regards

MAhesh

Rudy Sanjoko · ‎04-15-2014

Hi, when you say that you are able to connect on port 10000, do you mean you can connect to ASA or to a device behind ASA? And is this after you successfully connected via VPN?

mahesh18 · ‎04-15-2014

Hi Rudy,

When i say i connect via VPN IPSEC client i mean i connect to ASA itself not to any device

behind ASA.

Also when i do sh conn on ASA it does not show any ports used by VPN IPSEC.

Regards

MAhesh

Rudy Sanjoko · ‎04-16-2014

If you connect using AC VPN client, you are connecting to port 443 as AC VPN client is using SSL for connection. Here is an example:

ASA# show asp table socket

Protocol Socket Local Address Foreign Address State
---- <output omitted> ----
TCP 00268688 b.b.b.b:22 a.a.a.a:62640 ESTAB
SSL 00278f48 b.b.b.b:443 a.a.a.a:64909 ESTAB
SSL 0027e738 b.b.b.b:443 a.a.a.a:57641 ESTAB
SSL 00285998 b.b.b.b:443 a.a.a.a:61188 ESTAB
SSL 00291168 b.b.b.b:443 a.a.a.a:27885 ESTAB
SSL 002a1628 b.b.b.b:443 a.a.a.a:62408 ESTAB
ASA#
ASA# show conn all
6 in use, 224 most used
TCP outside a.a.a.a:64603 NP Identity Ifc b.b.b.b:443, idle 0:00:18, bytes 2958, flags UOB
TCP outside a.a.a.a:54098 NP Identity Ifc b.b.b.b:443, idle 0:00:30, bytes 9338, flags UOB
TCP outside a.a.a.a:37676 NP Identity Ifc b.b.b.b:443, idle 0:00:35, bytes 1609, flags UOB
TCP outside a.a.a.a:57829 NP Identity Ifc b.b.b.b:443, idle 0:00:35, bytes 1257, flags UOB
UDP outside a.a.a.a:23174 NP Identity Ifc b.b.b.b:4500, idle 0:01:37, bytes 453, flags -
TCP outside a.a.a.a:62640 NP Identity Ifc b.b.b.b:22, idle 0:00:00, bytes 59676, flags UOB

If you connect using old Cisco VPN client, you are connecting to port 500 as Cisco VPN client is using IPSEC for connection. Here is an example:

ASA# show conn all
3 in use, 224 most used
UDP outside a.a.a.a:15388 NP Identity Ifc b.b.b.b:4500, idle 0:00:13, bytes 2594, flags -
UDP outside a.a.a.a:54950 NP Identity Ifc b.b.b.b:500, idle 0:00:55, bytes 1317, flags -
TCP outside a.a.a.a:62640 NP Identity Ifc b.b.b.b:22, idle 0:00:00, bytes 106888, flags UOB

Above are standard default ports for VPN clients. So you shouldn't be connected to port 10000 on ASA unless you changed the default ports value.

HTH,

mahesh18 · ‎04-16-2014

Hi Rudy,

I got the same output as per your reply.

So does this proves that when we do VPN or Anyconnect to ASA itself then

we do not need to open VPN ports on outside interface of ASA as that traffic

is destined for ASA itself right?

Best Regards

Mahesh

Rudy Sanjoko · ‎04-16-2014

That's not correct. You do need to open the port for 443 and 500 on the ASA, otherwise AC or VPN Client will not be able to establish a connection to the ASA. But you are not opening them using ACL.

By configuring crypto ikev1 enable command, you enable port 500 on ASA as IKE is using port 500 to communicate. The same as AC, you use the webvpn command. The different is that you can also enable port 443 using http server enable command on the ASA.

Please rate helpful comments/answers.

mahesh18 · ‎04-16-2014

So learn something new today.

Thanks for answering all the posts.

Best Regards

Mahesh

Rudy Sanjoko · ‎04-16-2014

You are welcome, thank you for the rates.

Bridged Modem and ASA with Public IP