ASA 5505 anyconnect VPN group-url not public ip

adamcook1981
Level 1

Hi,

I am trying to set up an AnyConnect VPN at home through the ASDM and I have noticed that when I look at my interfaces, because I have a DHCP public IP address, my OUTSIDE IP address is showing up as my internal IP to my modem instead of my public IP address. So as a result, when I go through the AnyConnect VPN wizard, my group-url is appearing as the following: group-url https://192.168.0.3/VPN enable. Does anyone know how I can resolve my public IP so that I can get my VPN working? My network has my PC connected to my Cisco ASA5505, which is connected to my ISP modem.

I'll post my config:

show run
: Saved
:
ASA Version 8.2(5)46
!
hostname firewall
domain-name firewall.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name firewall.com
access-list NAT-ACL extended permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 access-list NAT-ACL
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.20-192.168.10.30 INSIDE
dhcpd dns 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable OUTSIDE
 tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value List
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username administrator password ObtzdGKt8ALC6fhn encrypted privilege 0
username administrator attributes
 vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 default-group-policy VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
 group-url https://192.168.0.3/VPN enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3f814111ff22ecebb19d3e7455ae378a
: end

7 Replies

nkarthikeyan
Level 7

Hi,

I do not think you can have AnyConnect configured for a dynamic peer. I guess even DynDNS won't support that level in the ASA to identify the peer IP address through a URL. You can do such with an IOS router, but not on a Cisco ASA. You need to have a fixed IP address at the ASA to get this.

Regards

Karthik

You have two different things to manage:

  1. Reaching your ASA from the public.
    As the ASA doesn't have a DynDNS client included, that client has to run on the DSL router or an internal host. This config is completely unrelated to the ASA.
  2. The group-url in the ASA.
    Here you have to specify the FQDN that you use to reach your ASA from outside. That is the DynDNS FQDN that you registered and that you have to use in AnyConnect. On the ASA you have to use this FQDN as the group-url:

tunnel-group VPN webvpn-attributes
 group-alias VPN enable
 group-url https://my.dyndls.alias/VPN enable

 

Now you can access the VPN also through a dynamic DynDNS address.
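As an added example, not part of this thread or of Cisco's tooling: a small Python audit that parses the webvpn part of the running config posted above, flags a group-url whose host is a private IP literal (which remote AnyConnect clients can never reach) and produces the corrected line using the DynDNS FQDN. The FQDN `myhome.ddns.example` and the config excerpt are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt mirroring the ASA 8.2 config from the question above
SAMPLE_CONFIG = """\
webvpn
 enable OUTSIDE
 tunnel-group-list enable
tunnel-group VPN type remote-access
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
 group-url https://192.168.0.3/VPN enable
"""

GROUP_URL_RE = re.compile(r"^\s*group-url\s+(\S+)\s+enable\s*$")
TG_WEBVPN_RE = re.compile(r"^tunnel-group\s+(\S+)\s+webvpn-attributes")


def find_group_urls(config):
    """Return (tunnel-group name, url) pairs from every webvpn-attributes block."""
    found = []
    current = None
    for line in config.splitlines():
        m = TG_WEBVPN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
        m = GROUP_URL_RE.match(line)
        if m and current:
            found.append((current, m.group(1)))
    return found


def host_is_private(url):
    """True when the URL host is an IP literal that is not globally routable."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # an FQDN (e.g. a DynDNS name), not an IP literal
    return not addr.is_global


def audit(config, public_fqdn):
    """List (group, bad_url, corrected_url) for group-urls using a private IP;
    public_fqdn is the assumed DynDNS name clients connect to."""
    report = []
    for group, url in find_group_urls(config):
        if host_is_private(url):
            fixed = f"https://{public_fqdn}{urlsplit(url).path}"
            report.append((group, url, fixed))
    return report
```

Running `audit(SAMPLE_CONFIG, "myhome.ddns.example")` reports the 192.168.0.3 group-url and the corrected `https://myhome.ddns.example/VPN`; a config already using the FQDN returns an empty report.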

Thanks for your response.

I've registered a No-IP DNS name and am able to ping the domain externally, but I can't connect to the VPN after entering the 'group-url https://noipdns/VPN enable' command. Is there something else I need to enter?

Thanks.

Have you already configured your router? You have to configure a port-forwarding for UDP/TCP 443 or even better something like an "exposed host", "DMZ host" or something like that where all traffic is sent to your internal system. The wording can be different in your router ...

Lajja1234
Level 1

Hi!

I have set up a similar solution for a customer. To get it to work I had to put the modem in bridged mode, so the modem did nothing more than "forward" packets.

That way the ASA got a public IP address on the external interface and I only had to follow the AnyConnect wizard. In this case my customer almost never changed their IP address, so I did not have to use the DNS name. The customer only noted the public IP address of the external interface on the ASA and simply browsed to that IP.

That solution has been up and running without problems for about 2 years now.

/Lajja1234

For sure, that is the best way to do it. But sadly, it's not always possible.

I tried opening the ports on my modem but it doesn't seem to work. Just to test that the port forwarding is working, I opened the RDP port, which I have done before, disconnected my firewall, but that didn't work for some reason. I might look into putting my modem into bridged mode.
