Re: ASA anyconnect vpn client is uanble to ssh/http inside interface

Mohammed Ashraf Ali · ‎02-12-2023

Hello,

I have configured cisco ASA anyconnect ssl vpn and it is able to access internal network, The problem is the ssl vpn client is unable to access the inside interface of the ASA for management purpose (ssh/http). Even though the following configuration is done in ASA.

1. The inside interface subnet is mentioned in the split-tunnel acl.

2. The traffic from vpn client to the inside interface is allowed for http/ssh using ACL applied on outside interface.

3. (Management-access inside) command is applied

4. ssh <vpn client subnet> inside AND http <vpn client subnet> inside is applied in ASA.

5. The nat configuration ( nat (any,outside) source static any any destination static <vpn-subnet> <vpn-subnet> no-proxy-arp route-lookup) is applied

Could any one please suggest if anything is missing in my configuration , which could allow vpn client to access the ssh/http of inside ASA interface .

Regards,

Ali

balaji.bandi · ‎02-13-2023

Can you post the config to look : or refer the document below :

what logs you see when try to access HTTP or ssh ?

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Mohammed Ashraf Ali · ‎02-14-2023

int gi0/0
nameif inside
sec 100
ip add 10.6.1.1 255.255.255.0

int gi0/1
nameif outside
sec 0
ip add 88.88.88.1 255.255.255.249

route outside 0.0.0.0 0.0.0.0 88.88.88.2
route outside 10.10.1.0 255.255.255.0 88.88.88.2

http server enable
http 17.16.1.0 255.255.255.0 inside
http 17.16.11.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside

ssh 17.16.1.0 255.255.255.0 inside
ssh 17.16.11.0 255.255.255.0 inside
ssh 10.10.1.0 255.255.255.0 inside

management-access inside

object network 10.10.1.0
subnet 10.10.1.0 255.255.255.0

ip local pool VPN_Pool 10.10.1.1-10.10.1.200 mask 255.255.255.0

access-list VPN_Split_tunnel extended permit ip object-group ALL_Network object 10.10.1.0
access-list VPN_Split_tunnel extended permit tcp host 10.6.1.1 object 10.10.1.0

access-list outside_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 443
access-list outside_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 22
access-list outside_access_in extended permit ip object VPN_Pool object-group All_Network

access-group outside_access_in in interface outside

access-list DAP_Network_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 443
access-list DAP_Network_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 22
access-list DAP_Network_access_in extended permit ip object VPN_Pool object-group All_Network

username user1 password $sha512$5000$S4ViGn84NVQ==77k2n9HlE7Rig==pbkdf2
username user1 attributes
vpn-simultaneous-logins 1
vpn-framed-ip-address 10.10.1.1 255.255.255.0
service-type remote-access

dynamic-access-policy-record DAP_Network_Mgmt
description "Network Team"
network-acl DAP_Network_access_in
priority 40

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 4
anyconnect image disk0:/anyconnect-macos-4.6.00362-webdeploy-k9.pkg 5
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable

group-policy Anyconnect internal
group-policy Anyconnect attributes
banner value Warning!
banner value This is a private system. Unauthorized access to or use of this system is strictly prohibited. By continuing, you acknowledge your awareness of and concurrence with the Logical Access Control Policy of TERM. All Access will be logged. Unauthorized access and illegal use of this system will be subject to criminal prosecution under the law and are subject to disciplinary action.
banner value Warning!
wins-server none
dns-server value 10.11.11.11 10.11.11.12
vpn-simultaneous-logins 1
vpn-idle-timeout 720
vpn-session-timeout 1440
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_tunnel
default-domain value goc.gov.qa
webvpn
anyconnect profiles value AnyConnect_client_profile type user

tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool VPN_Pool
default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable

crypto ipsec ikev2 ipsec SSLVPN
protocol esp encryption aes-256
protocol esp integrity sha-256

cyrpto dynamic-map DMAP 10 set ikev2 ipsec SSLVPN
crypto dynamic-map DMAP 10 set reverse-route

crypto map MAP 100 ipsec dynamic DMAP
crypto map MAP interface outside

crypto ikev2 enable outside client port 443
crypto ikev2 remote trustpoint SSLVPN-TP

nat (any,outside) source static any any destination static 10.10.1.0 10.10.1.0 no-proxy-arp route-lookup

---------------------------------------------------------------
traffic log while trying for ssh (22)

<163>%ASA-3-710003: TCP access denied by ACL from 10.10.1.1/1144 to outside:10.6.1.1.1/22
<166>%ASA-6-110002: Failed to locate egress interface for TCP from outside:10.10.1.1/1144 to 10.6.1.1/22

traffic log while trying for ssh (443)

<166>%ASA-6-106102: access-list DAP_Network_Mgmt permitted tcp for user 'user1' outside/10.10.1.1(1160) -> identity/10.6.1.1(443) hit-cnt 1 first hit [0x7dcb3524, 0xe93914dd]
<166>%ASA-6-110002: Failed to locate egress interface for TCP from outside:10.10.1.1/1160 to 10.6.1.1/443

MHM Cisco World · ‎02-14-2023

http 10.10.1.0 255.255.255.0 outside <<- add this and try http

MHM Cisco World · ‎02-13-2023

Configure AnyConnect Management VPN Tunnel on ASA - Cisco

Mohammed Ashraf Ali · ‎02-14-2023

i have attached the configuration

please look in to it , and provide a solution.

Regards,

Ali

Sheraz.Salim · ‎02-14-2023

try remove these acls and check if you able to connect

no access-list outside_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 443
no access-list outside_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 22
no access-list outside_access_in extended permit ip object VPN_Pool object-group All_Network

no access-group outside_access_in in interface outside

!

put this command in too same-security-traffic permit inter-interface

please do not forget to rate.

Mohammed Ashraf Ali · ‎02-14-2023

"no sysopt connection permit-vpn" is configured in the ASA so we need an ACL on outside interface allowing the traffic.

Sheraz.Salim · ‎02-14-2023

could you please provide the full configuration of your firewall. as I do not see the vpn-filter applied into your group-policy. you can hide the public ip address/es and the username and any sensitive information

please do not forget to rate.

Mohammed Ashraf Ali · ‎02-14-2023

As you can see in the above configuration there is no vpn-filter applied in the group-policy.

Instead , there is ACL on the outside interface allowing traffic from vpn pool to the inside interface other internal resources

and there is an Dynamic acl , which is allowing the same. above all i can access the internal resources residing behind inside interface.

and there are hits on the ACL assigned on the outside interface while accessing the internal resources , but no hits for the iinside interface access.

i feel like , the issue is not related to ACL

Sheraz.Salim · ‎02-14-2023

if you have configured the command "no sysopt connection permit-vpn" in that case you must have to apply the command "vpn-filter".

otherwise the tunnel traffic wont work.

sorry let me edit:

you have applied the "no sysopt connection permit-vpn". therefore you have to specified the ACL in order to control the protocol what is allowed and what is not. That fine.

I think if you want more control that you can apply vpn-filter command. as with no sysopt even you have ACL applied you should be able to connect but you are not. with VPN-Filter you can be more specific in the tunnel what is needed and what is not.

I suggest you to capture the ASP drop and see why traffic is dropping.

please do not forget to rate.

Mohammed Ashraf Ali · ‎02-14-2023

is there any document or referece you can provide , which says , if no sysopt connection permit-vpn is applied in ASA then you must use vpn-filter in group-policy to allow the traffic from vpn client to the inside interface (ssh/http).

Just for your information the ASA is running 9.8.2 version

Sheraz.Salim · ‎02-14-2023

@Mohammed Ashraf Ali You have jog my memory I read in cisco documentation you can apply ACL for tunnels. let me find out the documentation for you.

"Decrypted through-traffic is permitted from the client despite having an access group on the outside interface, which calls a deny ip any any ACL, while no sysopt connection permit-vpn is configured.

Trying to control access to the protected network via site-to-site or remote access VPN using the no sysopt permit-vpn command in conjunction with an access control list (ACL) on the outside interface are not successful."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-params.html

Please do not forget to rate the post

please do not forget to rate.