01-06-2016 02:25 AM - edited 03-12-2019 12:06 AM
Hi, I'm trying to establish an HTTPS connection to my ASA from another "site" in Packet Tracer. I can ping across the sites and into the "inside" network of the other site, but cannot HTTPS into the ASA or the web server itself either. Here is the config for the ASA that I want to HTTPS into:
hostname ASA2
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
switchport access vlan 30
!
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
webvpn
enable outside
enable inside
object network asa_inside_address
subnet 10.30.0.1 255.255.255.255
object network inside_network
subnet 10.30.0.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1 <<<<< This is just to the router on the edge for the Frame Relay; everything works as far as connectivity goes anyway
!
access-list website_outside extended permit tcp any object asa_inside_address eq 443
access-list website_outside extended permit icmp any object asa_inside_address
access-list website_outside extended permit icmp any object inside_network
access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0
!
!
access-group website_outside in interface outside
!
!
!
group-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value test1
username bob password 4IncP7vTjpaba2aF encrypted
username bob attributes
vpn-group-policy webvpn
!
class-map inspect
match default-inspection-traffic
class-map test
class-map ssh
!
policy-map global
class inspect
inspect icmp
class test
!
service-policy global global
!
!
tunnel-group webvpn type remote-access
tunnel-group webvpn general-attributes
default-group-policy webvpn
!
!
!
!
And here is the config for the ASA on the other "site" with the PC behind it that I'm using HTTPS on:
hostname ASA1
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 20
!
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.20.2 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
webvpn
enable
!
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
!
access-list test extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
!
access-group test in interface outside
!
!
!
!
class-map inspect
match default-inspection-traffic
!
policy-map global
class inspect
inspect icmp
!
service-policy global global
!
!
!
I would just like to point out that the HTTPS works on "ASA2" because I've tested it on the inside interface from a PC there and it all works. It's just connections from the "outside" that do not work.
01-06-2016 10:27 AM
Hi Rob,
Your ACL on the first box will need:
access-list website_outside line 1 extended permit tcp any object inside_network eq 443
access-list website_outside line 1 extended permit tcp any host 172.16.30.2 eq 443
I think I'm right in saying you are trying to HTTPS to that outside interface address 172.16.30.2 and also through the box to the internal network object inside_network.
Gareth
01-07-2016 02:03 AM
Hi
Thank you very much that worked perfectly.
Would the same kind of concept be applied to other examples, such as trying to SSH to the edge router and the edge router connecting to a RADIUS server on the inside network? Would the ports or ACL need to enable a UDP connection on the OUTSIDE interface too, and not just the inside one?
Many thanks
01-07-2016 02:10 AM
Hi Rob,
Yes for the SSH, but no for the RADIUS, as RADIUS is initiated by the firewall itself (using the relevant interface IP address).
If you had an outbound ACL on the inside interface then you'd need to let it through that. But you don't have one and it's best to keep it that way :p
Gareth
01-07-2016 02:21 AM
Yeah, I didn't see the point in an ACL for outbound traffic on the inside. I did have this ACL though:
access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0
I thought that would enable the router to send the UDP radius traffic through the ASA to the appropriate address on the INSIDE interface.
It doesn't work though; it just comes up "Login Invalid" from PCs on the INSIDE as well. I'm not even talking about the OUTSIDE yet.
Would you have any suggestions on that?
Thanks again
Tried these 2 then and no luck:
ASA2(config)#access-list website_outside extended permit udp any host 172.16.30.2 eq 1645
ASA2(config)#access-list website_outside extended permit udp any host 172.16.30.2
01-07-2016 02:43 AM
Do you mean firewall?
Where is the RADIUS client, where is the server, and what are their IP addresses?
01-07-2016 03:05 AM
The client PC is on the INSIDE network and so is the AAA RADIUS server. The router that I want to SSH to is on the OUTSIDE interface.
Here is the router config for the RADIUS server:
!
radius-server host 10.30.0.11 auth-port 1645
radius-server key key
!
The AAA details are:
Client Name R1
Client IP 172.16.30.1
Key key
!
The client machine would be a 10.30.0.0/24 address.
I can ping the AAA server from the OUTSIDE interface also, through part of the ACLs I have set up.
01-07-2016 03:45 AM
Are you doing dot1x? So your supplicant, authenticator and authentication server are all on the same LAN? It sounds like you need to figure out what your traffic flows are going to be; it's not an ACL issue.
01-07-2016 05:18 AM
As far as I'm aware, no. Sorry, I'm not as experienced with configuring RADIUS servers.
So the ACL I have configured, "access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0", would be enough for it to work?
The traffic flow would go like this:
!
Internal PC on the inside interface makes SSH connection
Past the OUTSIDE interface to the Router on the edge
The Router then tries to contact the AAA server on the INSIDE
The AAA server then sends the authentication response back to it
Then the router should send the response back to the INSIDE internal client.
!
!
I think I'm right in saying that but I'm not 100% because i haven't done AAA as much.
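The two ACL questions in this thread (the accepted answer's "to the outside interface" versus "through the box to inside_network" HTTPS entries, and the later question of whether the existing UDP entry already covers the router's RADIUS requests) come down to which inbound entry on the outside interface a given flow hits first. The following toy first-match evaluator is an added example, not Cisco code and not the poster's configuration: the ACL lines, object names and addresses are copied from the thread (172.16.30.2 is ASA2's outside interface, 10.30.0.0/24 its inside, 10.30.0.11 the RADIUS server, 172.16.30.1 the edge router), while the remote PC 10.20.0.5 and the web server 10.30.0.10 are assumed hosts chosen for the example.

```python
"""
Toy first-match evaluator for ASA-style extended ACL entries, run over the
flows discussed in this thread.  Added illustration only: not Cisco code and
not the poster's configuration.  Addresses 10.20.0.5 (remote PC) and
10.30.0.10 (web server) are assumed for the example.  The evaluator models
only the ACL match, not the rest of the ASA forwarding path (NAT, inspection,
to-the-box policy).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# "object network" definitions from the posted ASA2 config
OBJECTS = {
    "asa_inside_address": ipaddress.ip_network("10.30.0.1/32"),
    "inside_network": ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D', 'object NAME' or 'A.B.C.D MASK' at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object":
        return OBJECTS[tok[i + 1]], i + 2
    # ipaddress accepts the dotted-mask form "10.30.0.0/255.255.255.0"
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT]' subset used here."""
    tok = line.split()
    i = tok.index("extended") + 1          # skips the optional 'line N'
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[Ace]]:
    """Inbound ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace
    return "deny", None


# The website_outside ACL as posted by the original poster
ORIGINAL_ACL = [parse_ace(line) for line in (
    "access-list website_outside extended permit tcp any object asa_inside_address eq 443",
    "access-list website_outside extended permit icmp any object asa_inside_address",
    "access-list website_outside extended permit icmp any object inside_network",
    "access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0",
)]

# The same ACL after the two 'line 1' entries from the accepted answer
FIXED_ACL = [parse_ace(line) for line in (
    "access-list website_outside line 1 extended permit tcp any host 172.16.30.2 eq 443",
    "access-list website_outside line 1 extended permit tcp any object inside_network eq 443",
)] + ORIGINAL_ACL

# Flows from the thread, as seen inbound on ASA2's outside interface
FLOWS = {
    "https_to_asa_outside": Flow("tcp", "10.20.0.5", "172.16.30.2", 443),    # to-the-box
    "https_to_web_server":  Flow("tcp", "10.20.0.5", "10.30.0.10", 443),     # through-the-box
    "radius_from_router":   Flow("udp", "172.16.30.1", "10.30.0.11", 1645),  # router -> AAA server
    "icmp_to_inside":       Flow("icmp", "10.20.0.5", "10.30.0.10"),
}


def verdicts(acl: List[Ace]) -> dict:
    """Map each named flow to permit/deny under the given ACL."""
    return {name: evaluate(acl, f)[0] for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, verdicts(acl))
```

Under the original ACL both HTTPS flows fall through to the implicit deny (the only TCP/443 entry is scoped to 10.30.0.1/32), while the router's RADIUS request to 10.30.0.11:1645 already matches the `permit udp any 10.30.0.0 255.255.255.0` entry, which is consistent with the later remark that the RADIUS failure is not an ACL problem. One caveat for anyone carrying this beyond the simulator: on a real ASA, traffic addressed to the firewall's own interface IP (WebVPN, ASDM, SSH) is not filtered by the interface access-group at all; it is governed by the `http`, `ssh` and `webvpn enable` commands and, if configured, a control-plane ACL, so the `host 172.16.30.2 eq 443` entry is only needed where the platform applies interface ACLs to to-the-box traffic.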
01-07-2016 05:37 AM
Okay, well I'd set up a packet capture on the outside interface to check you're getting hits:
cap cap1 circular-buffer interface outside match ip any any
then do your thing with SSH
then
show cap cap1
Look for your SSH packets leaving the interface and then your RADIUS packets coming in the other direction slightly after. Based on the output from that, I'd enable debugging on the router and/or the ACS.
Gareth
01-07-2016 08:20 AM
Unfortunately Packet Tracer doesn't support those types of commands; I would have to move to GNS3 to do that.
Any other way or is that really the only main step forward?
Thanks
01-07-2016 09:20 AM
Not sure, I'm not familiar with the product. I'd move to GNS3 anyway; it's worth the investment in time.