01-25-2011 01:47 PM
Hi all,
I have an ASA 5505 with 7.2 DM and 5.2 ASDM and I'm trying to configure WebVPN.
I enabled the outside interface for WebVPN,
but when I try to access it this message appears in the log:
TCP access denied by ACL from XXX.XXX.XXX.XXX (my remote public IP)/62144 to inside:XXX.XXX.XXX.XXX (IP of the ASA outside interface)/443
I tried to access the web portal through the inside interface (enabling it first) and it works, but when I try through the outside interface I can't.
This ASA is new and it doesn't have any ACLs configured yet.
My relevant config is:
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1
interface Vlan2
nameif outside
security-level 0
ip address ifexternal
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 1.1.3.0 255.255.255.240
access-list 443 webtype permit tcp 1.1.1.0 255.255.255.248 eq https log default
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool DHCP_pool 1.1.3.5-1.1.3.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 1.1.4.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no eou allow clientless
http server enable 444 (this is for ASDM)
http insidenetwork inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10500
vpn-sessiondb max-session-limit 5
dhcpd auto_config outside
webvpn
enable outside
default-idle-timeout 2400
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
url-list test "TEST" cifs://1.1.1.10 1
group-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol webvpn
webvpn
functions url-entry file-access file-entry file-browsing
html-content-filter none
url-list value test
customization value DfltCustomization
svc enable
svc keep-installer installed
username test attributes
vpn-group-policy webvpn
webvpn
functions url-entry file-access file-entry file-browsing
svc none
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool DHCP_POOL
default-group-policy webvpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy webvpn
group-alias web enable
tunnel-group TunnGroupWEBVPN type webvpn
tunnel-group TunnGroupWEBVPN general-attributes
address-pool DHCP_POOL
default-group-policy webvpn
tunnel-group TunnGroupWEBVPN webvpn-attributes
nbns-server 1.1.1.2 master timeout 2 retry 2
!
class-map inspection_default
match default-inspection-traffic
Thanks in advance.
01-25-2011 07:15 PM
You mention that this ASA is new and it doesn't have any ACL configured yet.
However you have the following 2 lines of access-group:
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
Can you please remove those 2 access-group lines, and try to access the webvpn again from the outside.
01-26-2011 12:34 AM
Thanks for your fast answer, Jennifer.
Those two lines are there because I was trying to add an ACL permitting traffic from my remote public IP to the external interface (without results).
I just removed those two lines and get the same result: TCP access denied by ACL.
01-26-2011 12:36 AM
Do you mind sharing the complete configuration? There could be a conflict of commands that causes the issue.
01-26-2011 03:12 AM
01-26-2011 03:25 AM
The current configuration seems to be fine.
Do you happen to have a static NAT configuration from before? And can you "clear xlate"?
Have you tried to reload the ASA?
Can you please try with packet tracer, on TCP/443, and see where it's failing?
Also, can you try with a different port (configure webvpn to listen on port 8443, for example), and see if you are able to connect to the ASA outside interface using that port.
01-26-2011 04:28 AM
Thank you Jennifer.
Do you happen to have static NAT configuration prior? I will try to reset the NAT configuration.
and can you "clear xlate"? I cleared the state and nothing.
Have you tried to reload the ASA? Yes, I tried to reload it a lot of times and nothing. (I saw that a lot of people are happy and when it reloads all works, but that's not my case.)
Can you please try with packet tracer, on TCP/443, and see where it's failing? Yes, I tried with packet tracer and the packet is allowed.
Also, can you also try with different port (configure webvpn to listen on port 8443 for example), and see if you are able to connect to the ASA outside interface using that port. I tried before with port 444 and got the same result.
01-26-2011 05:56 AM
Port 444 has been assigned to your ASDM port. Are you able to try with other ports than 444 or 443?
If packet tracer is allowing the traffic, that doesn't seem to be an issue.
Where are you seeing the deny log messages? on the ASA itself or on another device?
01-26-2011 06:27 AM
I tested with port 444 when ASDM was on 443. But I'm going to change webvpn to 8443 and we will see what happens.
I see the deny message in the ASA log via ASDM.
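Added example (not from the thread): a Python parser that tells the two ASA deny messages apart. The line quoted at the top of the thread has the shape of %ASA-3-710003, which the ASA logs when a connection addressed to one of its own interface IPs is refused by the to-the-box rules (the http/ssh/telnet statements and the services enabled on the interface), whereas an interface access-group deny is logged as %ASA-4-106023 and names the access-group. The sample log lines and config fragment below are constructed with placeholder addresses and mirror the thread's setup (ASDM moved to 444, webvpn on its default 443).

```python
import re

# Constructed sample syslog lines (placeholder addresses): the to-the-box deny quoted in the
# thread (%ASA-3-710003), an interface access-group deny (%ASA-4-106023), and a non-deny line.
SAMPLE_LOG = [
    "%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/62144 to outside:203.0.113.1/443",
    "%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/62150 to outside:203.0.113.1/444",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/62160 dst inside:10.0.0.5/443 by access-group "outside_access_in"',
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/62170 (198.51.100.7/62170) to inside:10.0.0.5/443 (203.0.113.1/443)",
]

# Constructed config fragment mirroring the thread: ASDM on 444, webvpn on its default 443.
SAMPLE_CONFIG = "http server enable 444\nhttp 10.0.0.0 255.255.255.0 inside\nwebvpn\n enable outside\n"

TO_BOX = re.compile(r"(?P<proto>TCP|UDP) access denied by ACL from (?P<src>[\d.]+)/\d+ "
                    r"to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
THROUGH_BOX = re.compile(r"Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
                         r"dst (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")

def listeners(config):
    """Map TCP port -> services the ASA itself listens on, from the two commands this
    script understands: 'http server enable [port]' and the 'webvpn' block's optional 'port'."""
    ports = {}
    m = re.search(r"^http server enable(?: (\d+))?", config, re.M)
    if m:
        ports.setdefault(int(m.group(1) or 443), []).append("http server (ASDM)")
    m = re.search(r"^webvpn\n(?: .*\n)*", config, re.M)   # the block plus its indented sub-commands
    if m:
        p = re.search(r"^ port (\d+)", m.group(0), re.M)
        ports.setdefault(int(p.group(1)) if p else 443, []).append("webvpn")
    return ports

def classify(line, ports):
    """Return a dict describing a deny, or None if the line is not an ACL deny at all."""
    m = TO_BOX.search(line)
    if m:
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["kind"] = "to-the-box"                  # governed by http/ssh/telnet and enabled services
        d["service"] = ports.get(d["dport"], [])  # what the ASA itself has listening on that port
        return d
    m = THROUGH_BOX.search(line)
    if m:
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["kind"] = "through-the-box"             # governed by the access-group named in the log
        return d
    return None

if __name__ == "__main__":
    known = listeners(SAMPLE_CONFIG)
    for line in SAMPLE_LOG:
        r = classify(line, known)
        if r:
            detail = "service=" + ",".join(r["service"]) if r["kind"] == "to-the-box" else "acl=" + r["acl"]
            print(f"{r['kind']:16} {r['iface']}:{r['dst']}/{r['dport']} {detail}")
```

A to-the-box deny on the ASDM port from an address not covered by an `http` statement is the expected outcome; a to-the-box deny on the webvpn port of an interface where webvpn is enabled is the case worth investigating, and a through-the-box deny is the only kind the interface access-group lines can influence.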