Cisco ASA

chris.bias
Level 1

I have a Cisco ASA 5516-X with a new interface that I am setting up for Cisco AnyConnect. I have gone through the AnyConnect VPN Wizard but I am not able to get to the IP address that I have configured (12.190.109.100) from outside but I can ping it from the ASA CLI. I don't believe it is a firewall issue but any advice would be great.


13 Replies

@chris.bias so you've configured a new outside interface? Does that mean you have multiple outside interfaces?

Can you provide the running configuration please? It will make it easier to identify the issue.

Yes, we have two outside interfaces: one named outside and the other anyconnect.

@chris.bias your default route is via the interface Gig1/1 (outside), so return traffic will go out that interface. You'd have to enable VPN on that outside interface.

When I try to enable it on the outside interface it gives me this error:

[OK] webvpn
webvpn
[ERROR] enable outside
Port 443 on outside can not be configured due to conflict

[OK] no enable anyconnect

@chris.bias you've got a static NAT for tcp/443 on that outside interface, so you cannot enable RAVPN on tcp/443 when that NAT is configured. Change the NAT from the interface IP address to a dedicated NAT IP address.

I apologize, this is where I am new to ASA configs, but how would I go about that? This is a production system, so I want to be careful not to take down other centers.

@chris.bias well you will have to plan this change, as obviously the clients will have to connect to a different public IP address instead of the ASA's outside interface IP address. Hopefully the users connect to an FQDN, so you can just change the DNS entry?

Example NAT rule below using a spare public IP address. Replace the private and public IP addresses to match your environment.

object network WEBSVR
 host 172.16.1.1
 nat (INSIDE,OUTSIDE) static 1.2.3.4 service tcp 443 443

Right now this is used to connect other sites using the site-to-site VPN, so they use the inside IP address and use an IKEv key that connects to a SonicWall device.

@chris.bias I don't understand your last comment. tcp/443 isn't going to be used for S2S VPN. In short if you want to enable AnyConnect RAVPN on your ASA, it has to be on an outside interface. For you to do that, you have to remove your NAT rule, as it's translating https behind the outside interface.

object network int_zvm_443
 nat (inside,outside) static interface service tcp https https

It appears that one NAT is using that interface and we would lose another system.

@chris.bias correct, that has been what I've been saying.

If you cannot change that system, then consider using IKEv2/IPSec VPN instead of SSL-VPN or enable SSL VPN on a port other than tcp/443.
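The conflict reported by the wizard can be spotted in a saved running-config before attempting the change. This is an added check written for this thread, not Cisco code or anything posted above: it parses the `nat ... static interface service tcp ...` lines and the `webvpn` block, and reports interfaces whose SSL VPN port collides with a static NAT borrowing that interface's IP. The config fragment is constructed; the host addresses and the second interface name are placeholders.

```python
import re

# Constructed ASA running-config fragment modelled on the NAT lines in this thread:
# one static NAT borrows the outside interface IP for tcp/443, and webvpn is enabled
# on both "outside" and an interface named "anyconnect" (placeholder addresses).
SAMPLE_CONFIG = """\
object network int_zvm_443
 host 10.0.0.5
 nat (inside,outside) static interface service tcp https https
object network WEBSVR
 host 172.16.1.1
 nat (INSIDE,OUTSIDE) static 1.2.3.4 service tcp 443 443
webvpn
 enable outside
 enable anyconnect
"""

SERVICE_PORTS = {"https": 443, "http": 80}
NAT_RE = re.compile(
    r"^\s*nat\s+\((\S+),(\S+)\)\s+static\s+(\S+)\s+service\s+(tcp|udp)\s+(\S+)\s+(\S+)", re.I)

def port_number(tok):
    """Map an ASA service keyword (https) or a numeric port string to an int."""
    return SERVICE_PORTS.get(tok.lower()) or int(tok)

def interface_nats(config):
    """(mapped_iface, proto, mapped_port) for static NATs that use the interface IP."""
    found = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(3).lower() == "interface":
            # service <proto> <real_port> <mapped_port>: the mapped port is the one open on the interface IP
            found.append((m.group(2).lower(), m.group(4).lower(), port_number(m.group(6))))
    return found

def webvpn_listeners(config):
    """(port, [interfaces]) from the webvpn block; SSL VPN uses tcp/443 unless 'port' is set."""
    port, ifaces, in_block = 443, [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # an unindented command starts a new block
            in_block = line.strip().lower() == "webvpn"
            continue
        tok = line.split()
        if in_block and len(tok) > 1 and tok[0].lower() == "enable":
            ifaces.append(tok[1].lower())
        elif in_block and len(tok) > 1 and tok[0].lower() == "port":
            port = int(tok[1])
    return port, ifaces

def find_conflicts(config):
    """Interfaces where the SSL VPN port collides with an interface-IP static NAT."""
    port, ifaces = webvpn_listeners(config)
    return sorted(iface for iface, proto, mapped in interface_nats(config)
                  if proto == "tcp" and mapped == port and iface in ifaces)
```

Running `find_conflicts` on the sample flags `outside`; adding `port 8443` under `webvpn`, or moving the NAT to a dedicated public IP, clears it, which matches the two options given above.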

Okay, so I changed the port on the SSL VPN and everything looks like it is working now. I just need to get it working with LDAP to communicate with our AD system.

@chris.bias OK, refer to this guide to set up RAVPN with LDAP.
