1344 Views · 5 Helpful · 2 Replies

SSL VPN works from inside, but not outside

NozeDive1
Level 1

I'm helping someone set up a VPN in order to share files between two locations. I'm not sure it's the best solution, but he insists on using his Cisco ASA 5505 Firewall via a clientless VPN. His set-up is a simple residential cable modem (Motorola SurfBoard/TimeWarner) set in DMZ mode, the Cisco ASA, and an Ubuntu server.

The Clientless VPN is set up, as are the user groups, and bookmarks. I'm able to browse to the firewall's internal interface IP (https://192.168.1.1) and log in to the Clientless VPN portal, and from there, I can access all of the plug-ins I've configured (CIFS, VNC, etc). The problem is that I cannot connect from outside the local area network.

I think it's something very basic that I'm missing, like a NAT rule. I've tried adding some, but they always seem to interfere with the NAT rule allowing users to connect, via the internet, to the Apache web server (port 80) running on the Ubuntu machine behind the ASA Firewall.

Like I said, I'm not sure this is the best solution for him. Using an ASA seems like overkill for something that can be accomplished with some software, but he and I are both fans of Cisco, and, as I said, he is adamant about using this set-up. If it comes down to it, I'd like to be able to honestly tell him that I exhausted every resource in trying to find a way to make this work for him before giving up and going to "Plan B".

Any help is greatly appreciated.

(I'm trying to stick to the ASDM, but the terminal interface is something I can use too)

2 Replies

johnnykaye
Level 1

Hello Tony,

I have not done SSL VPNs, but generally when you get these kinds of issues, two common causes are:

1. missing route on the inside host/server towards the VPN subnet

2. using "any" in crypto-acls and nonat-acls (sometimes you can get away with it, if not - sometimes you can juggle crypto map priorities to get around it, and then - sometimes you just have to add explicit granular acls for each and every remote network, and skip the "any" statements altogether. I find it's a good idea to do it this way from the start)

Also, your chances of getting helpful replies (or replies at all) will increase a lot if you post a (sanitised) config.

Hope this helps,

best,

Johnny

Johnny, et al

Thank you for the fast reply! I will look into those things you suggested as soon as possible.

I can't believe I didn't think to post a config dump in my first post! Thank you, though, for reminding me.

In the working config, I have removed anything that looked to me like a hash of any sort, usernames, URLs, and internet facing IP addresses. I hope I didn't miss anything private.

When looking at this, you'll notice that I have proxies enabled for the Clientless VPN. As far as I know, I don't need those. I had enabled them to see if it would help with a temporary fix I was trying, but failed, and forgot to disable those proxy options on the ASA.

ASA Version 8.2(5)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
name 192.168.1.17 server-pri
name server-pub
name 192.168.1.1 asa-internal
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address asa-internal 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq ssh
 port-object eq 5900
access-list outside_access_in extended permit tcp any host server-pub object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface server-pri netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 http-proxy server-pri 80
 https-proxy server-pri 443
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value vpn
group-policy vpn_grppolicy internal
group-policy vpn_grppolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value vpn
username <REDACTED> password <REDACTED> encrypted privilege 0
username <REDACTED> attributes
 vpn-group-policy DfltGrpPolicy
username <REDACTED> password <REDACTED> encrypted privilege 0
username <REDACTED> attributes
 vpn-group-policy vpn_grppolicy
username <REDACTED> password <REDACTED> encrypted privilege 0
username <REDACTED> attributes
 vpn-group-policy vpn_grppolicy
username <REDACTED> password <REDACTED> encrypted privilege 0
username <REDACTED> attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group ssl_vpn type remote-access
tunnel-group ssl_vpn general-attributes
 default-group-policy vpn_grppolicy
tunnel-group sslvpn type remote-access
tunnel-group sslvpn webvpn-attributes
 group-alias sslvpn enable
 group-url https:///sslvpn enable
tunnel-group vpn-new type remote-access
tunnel-group vpn-new general-attributes
 authorization-server-group LOCAL
 default-group-policy vpn_grppolicy
tunnel-group vpn-new webvpn-attributes
 group-alias vpn-new enable
 group-url https:///vpn-new enable
 group-url https:///vpn enable
 group-url https:///vpn-new enable
 without-csd
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end

Thanks again for the help!

Tony

Message was edited by: Tony Scardina (Fixed spelling errors)
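The following config-review script is an added example for this thread, not code from either poster or from Cisco. It reads an ASA 8.2-style configuration and flags three things a reviewer would look at before touching ASDM: a full static NAT (no tcp/udp keyword) that claims every port of the outside interface address on which the WebVPN portal is enabled, "any" in ACLs that are referenced as NAT-exemption or crypto ACLs (Johnny's second point), and IKE policies still using DES, 3DES or MD5. The embedded SAMPLE_CONFIG is a constructed excerpt modelled on the posted config: 203.0.113.10 is a documentation-range placeholder for the redacted public address, and the "nonat" ACL is added only to exercise the "any" check (the posted config has none). The NAT finding reflects my reading of pre-8.3 NAT order of operations (a static on the interface address is consulted before the ASA's own listeners), which is an assumption to confirm on the box with packet-tracer rather than a statement from the thread.

```python
"""
Added review helper: lint an ASA 8.2-style configuration for (1) a full static
NAT that claims every port of an interface address where WebVPN is enabled,
(2) "any" inside NAT-exemption or crypto ACLs, and (3) weak IKE policies.
Standard library only; run it directly to see the findings for SAMPLE_CONFIG.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the configuration posted in this thread.
# 203.0.113.10 is a placeholder for the redacted public address; the 'nonat'
# ACL is added here only to exercise the "any" check.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
!
hostname ciscoasa
names
name 192.168.1.17 server-pri
name 203.0.113.10 server-pub
name 192.168.1.1 asa-internal
!
interface Vlan1
 nameif inside
 security-level 100
 ip address asa-internal 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list outside_access_in extended permit tcp any host server-pub eq www
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface server-pri netmask 255.255.255.255
access-group outside_access_in in interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
webvpn
 enable inside
 enable outside
 http-proxy server-pri 80
 https-proxy server-pri 443
 svc enable
"""

# Settings that mark an ISAKMP policy as weak for this check.
WEAK_IKE_SETTINGS = {"encryption": {"des", "3des"}, "hash": {"md5"}}


def parse_sections(text):
    """Group one-space-indented sub-commands under their parent command."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint(text):
    """Return a list of (code, message) findings for the configuration text."""
    webvpn_ifaces, nonat_acls, crypto_acls = set(), set(), set()
    full_statics, weak_policies = [], []
    acl_any_lines = defaultdict(list)

    for parent, children in parse_sections(text):
        if parent == "webvpn":
            # 'enable <nameif>' turns the portal on for that interface.
            webvpn_ifaces.update(c.split()[1] for c in children if re.match(r"enable \S+$", c))
        elif parent.startswith("crypto isakmp policy "):
            settings = dict(c.split(None, 1) for c in children if " " in c)
            if any(settings.get(k) in bad for k, bad in WEAK_IKE_SETTINGS.items()):
                weak_policies.append((parent.split()[-1], settings.get("encryption"), settings.get("hash")))
        # A static with no tcp/udp keyword and the 'interface' address maps every port.
        m = re.match(r"static \((\S+),(\S+)\) interface (\S+) netmask 255\.255\.255\.255$", parent)
        if m:
            full_statics.append(m.groups())
        m = re.match(r"access-list (\S+) .*\bany\b", parent)
        if m:
            acl_any_lines[m.group(1)].append(parent)
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", parent)
        if m:
            nonat_acls.add(m.group(1))
        m = re.match(r"crypto map \S+ \d+ match address (\S+)", parent)
        if m:
            crypto_acls.add(m.group(1))

    findings = []
    for inside_if, outside_if, host in full_statics:
        if outside_if in webvpn_ifaces:
            findings.append(("NAT-001",
                f"static NAT claims every port of the '{outside_if}' interface address for {host}, "
                f"including 443 where the WebVPN portal is enabled; check with packet-tracer and "
                f"consider per-port static PAT, e.g. 'static ({inside_if},{outside_if}) tcp interface "
                f"www {host} www netmask 255.255.255.255'"))
    for acl in sorted(nonat_acls | crypto_acls):
        role = "NAT exemption" if acl in nonat_acls else "crypto"
        for line in acl_any_lines.get(acl, []):
            findings.append(("ACL-001", f"{role} ACL '{acl}' uses 'any': {line}"))
    for seq, enc, hsh in weak_policies:
        findings.append(("IKE-001", f"isakmp policy {seq} uses weak settings (encryption={enc}, hash={hsh})"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

The parser keys only on ASA's one-space indentation, so the same `lint()` runs unchanged over a full `show running-config` dump; swapping the sample's static line for the per-port form in the NAT-001 message makes that finding disappear while the other two remain, which is the quick way to confirm a candidate fix before applying it.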