02-08-2014 08:03 PM - edited 03-04-2019 10:17 PM
Hello,
I have CISCO ASA 5515-X -- ASA Version 8.6(1)2
I have a block of 5 IP addresses and want to use these with my device.
Business wise, the router serves a public website on port 80 and 443. Since 443 is in use for the site, it MUST forward to our load balancers. Hence the multiple IP addresses to use for the VPN (AnyConnect), since we prefer not to change the port for our outside clients accessing it.
Our web site is configured and works great. We have failover ISP setup as well on the outside-backup interface.
However, I am unable to get the VPN to work properly. I did set up a NAT rule to allow the VPN IP address to pass through on the "original" IP and port and gave it precedence so it wouldn't be forwarded to the load balancers. This works, but the access rules keep denying it (visible in real-time logging). What am I missing? I am configuring via ASDM.
Below is the relevant configuration. I removed the password info and the left 2 parts of each public IP. We did make an attempt at an object group AnyConnect2 to try to allow access, but it doesn't seem to accept that. Please assist.
Thanks,
/Z
!
ASA Version 8.6(1)2
!
hostname VPNNAME
domain-name ****.com
enable password **** encrypted
passwd **** encrypted
names
!
interface GigabitEthernet0/0
description "Link to ISP (cablevision)"
nameif outside
security-level 0
ip address A.B.157.146 255.255.255.248
!
interface GigabitEthernet0/1
description "Link to ISP (verizon)"
nameif outside-backup
security-level 0
ip address 192.168.2.29 255.255.255.0
!
interface GigabitEthernet0/2
description Link to Inside
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
object network HTPAP03
host 10.1.0.4
description HTPAP03
object service http
service tcp source eq www destination eq www
description http
object service https
service tcp source eq https destination eq https
description https
object network Gateway
host A.B.157.145
description CableVision Router Gateway
object network HTPDC01
host 10.1.0.3
description HTPDC01
object network HTPAP01
host 10.1.0.22
description HTPAP01
object network HTPDC02
host 10.1.0.21
description HTPDC02
object network HTPDB02
host 10.1.0.5
description HTPDB02
object network HTPLB02
host 10.1.0.17
description HTPLB02
object network CablevisionPublicIP
host A.B.157.146
description Cablevision Public IP
object network GatewayVerizon
host 192.168.2.1
description Verizon Router Gateway
object network virtualObj
host 192.168.2.27
description virtualObj
object network VerizonPublicIP
host C.D.113.79
description Verizon Public IP
object network NETWORK_OBJ_10.1.0.0_24
subnet 10.1.0.0 255.255.255.0
object network dr-network
subnet 192.168.1.0 255.255.255.0
description DR Site
object network dr-vpn
host E.F.24.108
description DR VPN Appliance
object service RDP
service tcp source eq 3389 destination eq 3389
description RDP
object network AnyConnectVPN
host A.B.157.148
description AnyConnect VPN
object network CablevisionSiteToSiteVPN
host A.B.157.147
description Cablevision Site to Site VPN
object network CablevisionIps
subnet A.B.157.144 255.255.255.248
description Cablevision IPs
object network router
host 10.1.0.1
object-group service RDP2 tcp
description RDP2
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
object-group service DM_INLINE_SERVICE_1
service-object object http
service-object object https
service-object tcp
object-group service AnyConnect2 tcp
description AnyConnect2
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in_1 remark load balancer
access-list outside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any any object-group AnyConnect2 inactive
access-list outside_access_in_1 extended permit ip any any inactive
access-list inside_access_in remark load balancer
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list htvpn standard permit 10.1.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 object dr-network
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu outside-backup 1500
mtu management 1500
mtu inside 1500
ip local pool htvpnpool 10.1.0.100-10.1.0.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any any destination static interface HTPLB02 unidirectional description External Access to Load Balancers
nat (inside,outside) source dynamic any interface
nat (inside,outside-backup) source dynamic any interface
nat (outside-backup,inside) source static any any destination static virtualObj HTPLB02 unidirectional
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface outside-backup
route outside 0.0.0.0 0.0.0.0 A.B.157.145 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 192.168.2.1 254 track 3
02-08-2014 10:27 PM
Hello.
You could use object NAT to build translations:
object network LB_PUBLIC
host A.B.157.148
object network LB_PRIVATE
host 10.1.0.148
nat (inside,outside) static LB_PUBLIC service tcp 443 443
For VPN I would configure static NAT (without port, as it might be using IPSec):
object network AnyConnectVPN_PUBLIC
host A.B.157.147
object network AnyConnectVPN_PRIVATE
host 10.1.0.147
nat (inside,outside) static AnyConnectVPN_PUBLIC
To allow inbound connections, you need to configure an ACL (the destinations are network objects, so they are referenced with "object", not "object-group"):
access-list outside_access_in_1 extended permit tcp any object AnyConnectVPN_PRIVATE eq 443
access-list outside_access_in_1 extended permit tcp any object LB_PRIVATE eq 443
If VPN is using IPSec, you need to enable inbound udp 500, 4500 and esp.
PS: are you using EzVPN or SSL VPN (with AnyConnect)? Are you sure clients are using HTTPS only and not IPSec?
02-09-2014 10:20 AM
I made the changes to the NAT and the access list. Now when i connect, i can see a valid connection via the realtime monitoring show up. It shows that it built inbound TCP oconnection for outside to inside and it has all the proper addresses (nat'ed) but the VPN connection via anyconnect fails with a timeout.
Now that I have it NAT'ed to the internal IP, what do i need to do to make the VPN work? I checked my profiles and it appears setup properly. I have allowed access and enable DTLS for all the interfaces.
/Z
02-09-2014 10:28 PM
Hello.
Could you please clarify what VPN type you are using: EasyVPN, L2TP, PPTP, WebSSL, etc.?
If it's Easy VPN, then what encapsulation: ESP-only, UDP, TCP ?
If it's WebSSL (https only on port 443), then I guess it should work.
02-10-2014 06:44 AM
Same person, just changed the username.
Should be PPTP. I will be also setting up a site-to-site VPN after i get the remote VPN working.
Thanks,
/Z
02-11-2014 12:38 AM
Hello.
If you are building IPSec and all kinds of VPN, it could be a good idea to enable all the traffic to the internal VPN hub; after you make it work fine, you will harden your security.
So, instead of
access-list outside_access_in_1 extended permit tcp any object AnyConnectVPN_PRIVATE eq 443
use
access-list outside_access_in_1 extended permit ip any object AnyConnectVPN_PRIVATE
PS: by the way, I would suggest you not to put your VPN-Hub over NAT, as it could hit you one day; I would suggest to assign dedicated public IP-address to the VPN-hub and put it into DMZ.
02-11-2014 08:51 PM
Wow! This just isn't working.
I got rid of everything and started from scratch.
1. I created a self-signed cert
2. using the AnyConnect VPN wizard, selected the cert
3. created a vpnpool of internal IPs (10 IPs) out of the range so no overlap
4. saved it
Then I connected via my public IP (first in block) A.B.157.146 AND it connects! Only to fail authentication since it was forwarded to my load balancer via my NAT rule. That is good, so we are on the right track.
Now I tried to connect from the A.B.157.148 IP and nothing happens. Nothing in the real-time logs.
So I add the NAT rule now.
! incoming
nat (outside,any) source static any any destination static AnyConnect AnyConnectPrivate
! network access for vpn clients
nat (inside,outside) source static any any destination static NETWORK_OBJ_XYZ no-proxy-arp route-lookup
Now I see it showing in the real-time logs! But it is denied.
So now I add the access rule to allow it
access-list outside_access_in_1 extended permit ip any object AnyConnectVPN_PRIVATE
but it is always rejected.
Any suggestions? It is close and would work off the primary IP; why doesn't it work off any IP in the block? I did configure the outside interface properly with 255.255.255.248
/Z
02-16-2014 05:58 PM
Any other suggestions on this?
/Z
02-16-2014 11:25 PM
Hello.
To configure NAT please follow the configuration:
object network AnyConnectVPN_PUBLIC
host A.B.157.147
object network AnyConnectVPN_PRIVATE
host 10.1.0.147
nat (inside,outside) static AnyConnectVPN_PUBLIC
To allow inbound connections, you need to configure an ACL:
access-list outside_access_in_1 extended permit ip any object AnyConnectVPN_PRIVATE
PS: please remove all other unnecessary NAT translations.
03-29-2014 08:48 PM
Sorry for the delay in response. I was tied up in another project.
I made the changes as you suggested. I NAT'ed from public (A.B.157.148) to private (10.1.0.148).
I then ACL'ed the private IP.
I attempted to connect to the VPN and I can see the valid connect and NAT on the real-time logging, so that is a very positive step forward. However, AnyConnect VPN still times out trying to connect. How do I tell the Cisco appliance to use the private IP for the VPN? I am missing something there.
Thanks,
/Z
03-31-2014 12:12 AM
Hello.
It might be an issue with your AnyConnect configuration.
What is the device you are using and could you provide your running configuration for AnyConnect?
03-31-2014 06:12 AM
I ended up solving it. Not sure why it didn't work previously.
I have 5 IPs in a block.
A.B.157.146 is first and this was also the webapp. A.B.157.148 was for the VPN. Since I was able to NAT properly, I moved the webapp to A.B.157.148 (needs NAT) and the VPN to A.B.157.146 (no NAT) and it worked perfectly.
Feel free to explain why :)
/Z
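The layout the poster ended up with, written out as an added configuration example that is not part of the thread. It works because AnyConnect is terminated on the outside interface's own address (A.B.157.146): the original twice-NAT rule with "destination static interface HTPLB02" matched every packet sent to that address and handed it to the load balancer before the ASA could answer it, and a spare public IP that exists only as a NAT mapping to 10.1.0.147/.148 is never a VPN endpoint; the box simply forwards those packets to an inside host where nothing listens. The example therefore moves the web site to A.B.157.148, scopes its NAT to tcp/80 and tcp/443, tightens the inbound ACL to the load balancer's real address, and leaves A.B.157.146 un-NAT'd for the VPN. The object names WEBAPP_PUBLIC, TCP_HTTP, TCP_HTTPS, VPN_POOL and the 10.1.10.0/24 pool are assumptions; HTPLB02 and NETWORK_OBJ_10.1.0.0_24 are the thread's own objects.

```cisco
! Added example (not the poster's running config). Assumes ASA 8.3+ twice NAT
! syntax and the objects HTPLB02 (10.1.0.17) and NETWORK_OBJ_10.1.0.0_24 from
! the thread; WEBAPP_PUBLIC, TCP_HTTP, TCP_HTTPS and VPN_POOL are assumed names.
!
! --- Web site: A.B.157.148 -> load balancer, only the two served ports -------
object network WEBAPP_PUBLIC
 host A.B.157.148
 description Public address of the web site (moved off the interface IP)
object service TCP_HTTP
 service tcp destination eq www
object service TCP_HTTPS
 service tcp destination eq https
!
! Real interface is outside, so "destination static <mapped> <real>" reads
! "what the client sent to" -> "where it really goes". Adding a service clause
! means traffic to A.B.157.148 on any other port is NOT pulled into the LB.
nat (outside,inside) source static any any destination static WEBAPP_PUBLIC HTPLB02 service TCP_HTTP TCP_HTTP
nat (outside,inside) source static any any destination static WEBAPP_PUBLIC HTPLB02 service TCP_HTTPS TCP_HTTPS
!
! Inbound ACLs match the real (post-NAT) destination since 8.3, so permit the
! LB itself rather than "any any". Replaces the broad DM_INLINE_TCP_1 entry.
access-list outside_access_in_1 remark Web site via load balancer (real IP)
access-list outside_access_in_1 extended permit tcp any object HTPLB02 eq www
access-list outside_access_in_1 extended permit tcp any object HTPLB02 eq https
access-group outside_access_in_1 in interface outside
!
! --- AnyConnect: terminates on the interface address A.B.157.146 ------------
! Deliberately NO nat rule whose destination is "interface": to-the-box
! traffic (tcp/443 TLS and udp/443 DTLS) is governed by "webvpn enable", not by
! the interface access-group, so no ACL entry is needed for it either.
ip local pool htvpnpool 10.1.10.1-10.1.10.50 mask 255.255.255.0
object network VPN_POOL
 subnet 10.1.10.0 255.255.255.0
 description AnyConnect client pool, outside the inside LAN (assumption)
!
! NAT exemption: inside <-> VPN clients must not be PAT'd out the interface.
nat (inside,outside) source static NETWORK_OBJ_10.1.0.0_24 NETWORK_OBJ_10.1.0.0_24 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect enable
```

Two checks worth running after applying something like this: "show nat detail" should show the web-site rules with hits only on ports 80/443 and no rule whose mapped destination is the outside interface address, and "show run all sysopt" should still contain "sysopt connection permit-vpn" (the default), which is what lets decrypted AnyConnect traffic bypass the interface ACL once the tunnel is up. If the load balancer's own public address ever needs to change, only WEBAPP_PUBLIC moves; the VPN endpoint stays tied to the interface IP.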