[URGENT] ASA cannot receive 443 connections - AnyConnect Portal

secretAlpaca
Level 1

[image.png: screenshot of the error]

The Cisco ASA 5520 is throwing this error whenever someone tries to access it from the WAN to reach the web portal and download the AnyConnect client. The web page does work locally. This uses a secondary internet connection only for this purpose; it's connected to the ISP's bridged output.

The connection arrives, then it says routing failed, and I am stuck. I've had this problem before but don't know how I fixed it.

This is the ACL [image.png], and yes, this VPN is to have total LAN access.

Thanks in advance!

1 Accepted Solution

You're missing the default route; I don't see it in your config.
Can you verify with show route, please?
If it isn't there, can you add it and test again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

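As an added illustration that is not part of the thread, this is what the accepted fix (a default route on the outside interface) and the earlier recommendation (a VPN pool on its own subnet) look like on the ASA CLI, together with two commands that show whether the route is actually in place. The ISP-router address 192.168.1.1, the inside subnet 10.0.0.0/24 and the pool 10.20.0.0/24 are assumed values; only the outside address 192.168.1.50 comes from the post.

```cisco
! --- Assumed addressing (not from the thread) ---
! outside: 192.168.1.50/24, placed in the DMZ of the ISP router, whose LAN-side
!          address is assumed to be 192.168.1.1
! inside : 10.0.0.0/24 (assumed)
! pool   : 10.20.0.0/24 (assumed; deliberately NOT the inside subnet)

! 1. Gateway of last resort. Without it the ASA has no next hop for the reply
!    to an internet client, which is exactly the "routing failed to locate
!    next hop for tcp from outside" drop seen in the screenshot.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

! 2. AnyConnect pool on a subnet distinct from the inside LAN, so traffic
!    between LAN hosts and VPN clients has unambiguous routes.
ip local pool ANYCONNECT-POOL 10.20.0.10-10.20.0.100 mask 255.255.255.0

! 3. Identity (no-translation) NAT between the LAN and the pool, so full
!    LAN access over the tunnel is not rewritten by any outbound NAT rule.
object network OBJ-INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
object network OBJ-VPN-POOL
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static OBJ-INSIDE-LAN OBJ-INSIDE-LAN destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp route-lookup

! 4. Verify. The routing table must now list a gateway of last resort
!    (an S* 0.0.0.0 0.0.0.0 entry via 192.168.1.1 on outside).
show route

! 5. Simulate an internet client (203.0.113.10 is a documentation address)
!    opening the portal. Before step 1 the trace stops at the route lookup
!    with a drop; once the default route exists the final action is allow.
packet-tracer input outside tcp 203.0.113.10 40000 192.168.1.50 443
```

Note that the packet-tracer simulates only a to-the-box TCP handshake to port 443, so a successful result shows the route problem is gone but does not exercise the AnyConnect session itself.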

6 Replies

Francesco Molino
VIP Alumni
Hi

Can you share your config please, removing any confidential information?
Also, what is the IP 192.168.1.50?

There are some ways to achieve this by having AnyConnect on the 2nd ISP, but I just want to make sure first what you've done so far and what the private IP we're seeing in the log is.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The ISP doesn't allow a public IP on the ASA, so I just used bridge mode on it. That IP is just the IP of the Outside interface, which I would DMZ (on the bad ISP router) to be able to use AnyConnect.

My config is (pastebin link): https://pastebin.com/rbaiQq8i

This ASA is only for an AnyConnect VPN, nothing else.

First of all, I don't recommend using the same subnet for the VPN pool and the inside zone.

On your ISP router, is port 443 forwarded to your ASA?
While connecting, can you run debug webvpn anyconnect 255 and share the output, please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

About using the same subnet for the pool and inside: that's because I use this as my management VPN, via a secondary ISP, hence the fact that I want to be able to reach everything on my LAN. The ASA (192.168.1.50) is in a DMZ on the ISP router, plugged into the bridged port.
About the debug, for some reason nothing shows up; it says it is enabled, but there is no output. PS: I can access the portal from the LAN, but when the request comes from the WAN, it just shows that route error from the main post.

Hello, update: packets can go from the WAN to the Outside IP and reach 443 on the ASA, but for some reason the packets are then dropped with this message: routing failed to locate next hop for tcp from outside
