02-06-2013 05:49 AM - edited 03-11-2019 05:56 PM
I have a cisco ASA configured for AnyConnect clients. I also want to pass 443 traffic back to an internal web server, but not sure if I can do this since the AnyConnect clients are already connecting over 443 to the ASA, right?
02-06-2013 06:17 AM
Hi,
You can change the port used for AnyConnect. Also you can change the port visible to "outside" for the actual server, though I would assume that is not really a desirable solution in this case.
You could for example change the VPN port to tcp/444 or something similar.
If you try to do Port Forward / Static PAT using the "outside" interface and port TCP/443 you should get a warning like this
ERROR: NAT unable to reserve ports.
Then there's of course the option of getting an extra public IP address for the server. Though I'd assume this is out of the question in the current situation?
- Jouni
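If no second public IP were available, the workaround Jouni mentions above (moving AnyConnect off TCP/443 so a static PAT for 443 on the same outside address no longer collides with it) looks like this on ASA 8.4/9.x. This is an added example and not part of any post in the thread; port 444 is the value from Jouni's post, and the interface name "outside" is assumed.

```cisco
! Added example, not from the thread. Moves the SSL VPN (WebVPN/AnyConnect)
! listener from the default TCP/443 to TCP/444. Clients must then connect to
! https://<vpn-address>:444 and any AnyConnect profile host entries must be
! updated to the new port; DTLS (UDP/443) does not conflict and is left alone.
webvpn
 port 444
 enable outside
 anyconnect enable
```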
02-06-2013 06:20 AM
I do have a second public IP address available for use. Just not sure how to configure the ASA to use it.
02-06-2013 06:23 AM
Hi,
What's the ASA software version you are using?
This can be shown with the command "show version" on the CLI. On the ASDM side it should be visible right on the main window along with other information on your device.
If you can provide the following information
- Jouni
02-06-2013 06:28 AM
Just to give you the basic configuration format for Static NAT and the ACL rule to allow the traffic TCP/443.
They would be the following for the different software levels:
ASA Software 8.2 and below
static (inside,outside)
access-list OUTSIDE-IN permit tcp any host
access-group OUTSIDE-IN in interface outside
ASA Software 8.3 and after
object network WEB-SERVER
host
nat (inside,outside) static
access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
The actual configuration format in both cases of course depends on your current firewall configuration.
- Jouni
02-06-2013 06:29 AM
ASA software version is 9.1(1)
Local IP is 192.168.100.145
Public IP let's say is 98.138.200.111
Source/Destination = inside, outside
Access-List = outside_access_in
02-06-2013 06:35 AM
Hi,
Configuration would in that case be
object network WEB-SERVER
host 192.168.100.145
nat (inside,outside) static 98.138.200.111 dns
access-list outside_access_in permit tcp any object WEB-SERVER eq 443
This should work unless there is some conflicting NAT rule etc.
The "object network" name can be anything you like. It doesn't naturally have to be the one above. I just used it for example's sake.
- Jouni
02-06-2013 06:37 AM
Thank you very much. I'll give it try and report back!
02-06-2013 06:37 AM
Also,
To test the NAT configuration you can use the "packet-tracer" command on the ASA CLI or ASDM
The CLI format for the command could be
packet-tracer input outside tcp 1.2.3.4 1234 98.138.200.111 443
This should give you a (possibly long) output of how the ASA would handle such traffic if it entered the "outside" interface.
If the NAT configuration doesn't work, the above command's output should tell us where the problem is.
- Jouni
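The complete 8.3+/9.x configuration for this thread's scenario, together with the packet-tracer verification from the last post, as an added example that is not part of any post in the thread. It uses the addresses and names the thread gives (192.168.100.145, 98.138.200.111, inside/outside, outside_access_in, the object name WEB-SERVER) and assumes AnyConnect stays on the first public IP. One deliberate change from Jouni's version: the one-to-one static NAT is narrowed to a port-restricted static PAT (`service tcp 443 443`), so only TCP/443 of the second public IP ever translates to the server and the inbound ACL is no longer the only thing keeping the server's other ports off the Internet. The `dns` keyword from Jouni's line is dropped because DNS rewrite is not combined with a port-translating (`service`) static rule; add it back, and use the plain 1:1 form, only if you rely on the ASA rewriting DNS answers for this host. The source address 1.2.3.4 is a constructed test client, as in Jouni's post.

```cisco
! Added example (not from the thread). Addresses and names come from the thread;
! the port-restricted form of the NAT is the editor's tightening of the
! one-to-one static NAT shown in the thread.

! The internal web server as a network object
object network WEB-SERVER
 host 192.168.100.145
 ! Map only TCP/443 of the second public IP to TCP/443 on the server.
 ! No "dns" keyword here: DNS rewrite is not used with a "service" rule.
 nat (inside,outside) static 98.138.200.111 service tcp 443 443

! Permit only HTTPS from the Internet to the server. On 8.3+ the ACL refers to
! the real (untranslated) address via the object, not to the mapped public IP.
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 443

! Bind the ACL inbound on "outside" (a no-op if it is already bound).
access-group outside_access_in in interface outside

! Verify: simulate an Internet client hitting the mapped address on TCP/443.
! Expect the NAT phase to show the translation to 192.168.100.145 and the
! final line to read "Action: allow".
packet-tracer input outside tcp 1.2.3.4 1234 98.138.200.111 443

! A second trace on a port the NAT does not cover should end in "Action: drop",
! confirming that nothing else on 98.138.200.111 is reachable from outside.
packet-tracer input outside tcp 1.2.3.4 1234 98.138.200.111 22

! Inspect the installed NAT rule and any translations it has built so far.
show nat detail
show xlate
```

If the first packet-tracer ends in a drop during the NAT phase, the usual cause is an earlier, broader rule in "show nat" (for example a manual/twice NAT entry or an interface PAT that also claims 98.138.200.111) taking precedence; order and section of the NAT table matter on 8.3+ and the trace output names the rule that matched.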