Cannot access external HTTPS webpages from VPN.

ta1983 · ‎11-16-2012

Hello,

So, i have set up a working Anyconnect solution, (see attached picture)

Firewall is a 5585-x ssp20 running 8.4.3

Core is cat 6500

Anyconnect client version: 3.1.00495

--------------

Configured vpn with a tunneled default route to 172.19.16.1 (Core - cat6500)

No split tunnel is configured, everything has to be tunneled and monitored by WCCP in Firewall.

Authorization is by Certificate Only.

-------------

I can reach inside servers (for example 172.18.254.37)

i can reach DMZ server (for example 192.168.138.36)

i can surf the internet on regular HTTP (port 80)

but, i cannot surf the internet or DMZ servers using HTTPS (port 443)

also, ftp does not work. i have tried to reach external ftp servers who are open to all.

both https and ftp works from the INSIDE network.

-------------

I have tried to change the port for Anyconnect, to 444 (for dtls as well) and i can see that all the vpn traffic is going over 444, so 443 should be undisturbed.

but this is not working..

could it be a certificate problem, or am i missing something? NAT/PAT?

This is my NAT configuration:

nat (DMZ,INSIDE) source dynamic NET-VPN-DMZ-PORTWISE-NATED-BOTK HOST-172.18.254.69 destination static NET-VPN-REMOTE NET-VPN-REMOTE

nat (DMZ,INSIDE) source static NET-DMZ NET-DMZ destination static NET-ALL-INSIDE NET-ALL-INSIDE no-proxy-arp route-lookup

nat (DMZ,INSIDE) source static NET-DMZ NET-DMZ destination static NET-DRIFT-GROUPALL NET-DRIFT-GROUPALL no-proxy-arp route-lookup

nat (INSIDE,INTERNET) source static NET-CLIENT-ADMIN NET-CLIENT-ADMIN destination static NET-VPN-REMOTE NET-VPN-REMOTE no-proxy-arp route-lookup inactive

nat (DRIFT_MGMT,DMZ) source static NET-DRIFT-y.y.y.0 NET-DRIFT-y.y.y.0 destination static NET-DMZ NET-DMZ no-proxy-arp route-lookup

nat (DMZ,INSIDE) source dynamic NET-VPN-DMZ-DIRECTACCESS-REMOTE HOST-172.18.254.72 destination static NET-VPN-REMOTE NET-VPN-REMOTE

nat (any,INTERNET) source static any any destination static NETWORK_OBJ_172.40.0.0_19 NETWORK_OBJ_172.40.0.0_19 no-proxy-arp

nat (DMZ,any) static x.x.x.100

nat (DMZ,any) static x.x.x.102

nat (DMZ,any) static x.x.x.101

nat (DMZ,any) static x.x.x.109

nat (DMZ,any) static x.x.x.116

nat (DMZ,any) static x.x.x.121

nat (DMZ,any) static x.x.x.108

nat (DMZ,any) static x.x.x.114

nat (DMZ,any) static x.x.x.119

nat (INSIDE,INTERNET) static x.x.x.117

nat (INSIDE,INTERNET) static x.x.x.112

nat (DMZ,any) static x.x.x.123

nat (DMZ,any) static x.x.x.124

nat (DMZ,any) static x.x.x.103

nat (DMZ,any) static x.x.x.120

nat (DMZ,any) static HOST-x.x.x.118

nat (DMZ,INSIDE) static 192.168.138.0

nat (any,DMZ) after-auto source static any any destination static HOST-x.x.x.107 HOST-192.168.138.53 description ftp access

nat (any,INTERNET) after-auto source static any interface unidirectional

i also have a crypto map for a "Site-to-Site"-VPN that i'm not too sure about.. could this cause any problems perhaps? i'm thinking specifically about the nat-t-disable option, but i suppose this only applies for ikev1 and not the anyconnect SSL.

crypto map INTERNET_map 2 match address Remote_cryptomap
crypto map INTERNET_map 2 set pfs
crypto map INTERNET_map 2 set peer x.x.x.130
crypto map INTERNET_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map INTERNET_map 2 set security-association lifetime seconds 28800
crypto map INTERNET_map 2 set nat-t-disable
crypto map INTERNET_map interface INTERNET

Jennifer Halim · ‎11-16-2012

Don't believe that it has anything to do with the AnyConnect.

AnyConnect will only be routing the traffic towards the tunneled default route that you have configured, the rest is how the proxy server (assuming you are monitoring the web traffic via a proxy server) is handling the HTTPS traffic.

ta1983 · ‎11-16-2012

Hi Jennifer,

Thanks for replying! When you say "monitoring the web traffic via a proxy server", do you mean WCCP?

i think you're definately on the right track here.

If i'm on the vpn and visit a "bad" site i get blocked(redirected), so the function is there.

so now i performed a test where i deactivated WCCP in my firewall, and what happens?

I cannot visit any sites at all suddenly.

this makes perfect (but odd) sense, since we're not suddenly webfiltering https traffic. (this is a setting in our Websense machine, which the WCCP protocol is talking to from the ASA)

so, why does my vpn need WCCP to reach the internet? i will have to think about this..

Jennifer Halim · ‎11-17-2012

Hmm... WCCP is only the protocol to redirect the traffic. It should be redirecting it to a specific server, and you might want to check what is the server that you are using to perform the web monitoring.

OK, reading further to your post, you are using Websense for the proxy server. Is WCCP redirecting both HTTP and HTTPS traffic, or it only redirects HTTP traffic.

If it only redirects HTTP traffic, then HTTPS is probably going directly out to the internet. In that case, since your tunneled default route is pointing to the core switch, it probably sends it back to the ASA, and here is where the problem starts:

- source is still the vpn pool subnet, and arriving on the inside interface towards the internet

- assuming you have NAT, then it will go out to the internet, however, the return traffic instead of being routed back towards the inside, routing will say to route it to the VPN. At this point, it will fail because of asymetric routing.

ta1983 · ‎11-19-2012

Hi again,

yes exactly, i'm running websense, and this is my WCCP configuration,

where "wccp 0" equals HTTP, so HTTPS is not enabled.

FW01# sh run | inc wccp

wccp 0 redirect-list Websense_acl group-list Websense_box password *****

wccp interface INSIDE 0 redirect in

after reading your post i believe you're right with the asymmetrical routing issue,

but i'm not really sure how to resolve it if i want the function of web filtering HTTP

and at the same time HTTPS access to the internet (still through the tunnel).

what would be the best solution here you think?

Thank you for helping out, really appreciate it.

Jennifer Halim · ‎11-21-2012

Hmmm..

Been thinking of what would be the best solution to split the traffic for HTTPS and HTTP path, but can't think of any which would work.

Just thinking out loud, since your WCCP configuration is on the core switch and you are forcing the vpn client traffic to be routed towards core switch using tunneled default route, perhaps you can configure the following:

1) Remove the tunneled default route

2) Configure websense url filter on the ASA for the VPN Pool subnet.

3) Configure u-turn for the HTTPS traffic by enabling: same-security-traffic permit intra-interface

4) Configure NAT statement for the vpn pool on the outside interface so the HTTPS traffic can get NATed when it's leaving for the internet.

Thoughts? Do you think the above suggestion would work.

ta1983 · ‎11-21-2012

Hi Jennifer,

Thank you for your suggestion, its along the line of what i have been thinking about.

WCCP is configured on the firewall, sorry if i haven't been clear about that.

i have been thinking about removing the tunneled default route and then applying wccp inbound on the INTERNET interface as well as the INSIDE interface. (as wccp can only be applied inbound on ASA),

is this whay you mean about nr 2?

u-turn is already enabled, so i should be fine, but i haven't got the NAT working for me when it comes to enabling VPN clients to reach the internet without the tunneled default route, maybe that's what i need to get sorted first.

I think this kind of solution is worth a try, i'm not sure however that the ASA will allow two different interfaces to run wccp on the same service group (0).

Thanks alot, will try and get back!