Re: Access Denied with WebVPN in ASA

carlosJlopez_2 · ‎01-25-2011

Hi all,

I have an ASA 5505 with 7.2 DM and 5.2 ASDM and I´m trying to configure webVPN.

I enable Interface Outside for WEBVPN.

but when I try to access this message appear in log:

TCP access denied by ACL drom XXX.XXX.XXX.XXX (my remote ip public)/62144 to inside:XXX.XXX.XXX.XXX (ip interface outside ASA)/443

I try to access to Web portal through inside interface (enabling it first) and it works, but when I try through outside I can´t.

This ASA is new and it doesn´t have any ACLs configured yet.

my relevant conf is:

interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1

interface Vlan2
nameif outside
security-level 0
ip address ifexternal

ftp mode passive
access-list inside_nat0_outbound extended permit ip any 1.1.3.0 255.255.255.240
access-list 443 webtype permit tcp 1.1.1.0 255.255.255.248 eq https log default
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool DHCP_pool 1.1.3.5-1.1.3.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 1.1.4.4 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no eou allow clientless

http server enable 444 (this is for ASDM)

http insidenetwork inside

no snmp-server location
no snmp-server contact

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10500
vpn-sessiondb max-session-limit 5

dhcpd auto_config outside

Webvpn
enable outside
default-idle-timeout 2400
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable

url-list test "TEST" cifs://1.1.1.10 1

roup-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol webvpn
webvpn
functions url-entry file-access file-entry file-browsing
html-content-filter none
url-list value test
customization value DfltCustomization
svc enable
svc keep-installer installed

username test attributes
vpn-group-policy webvpn
webvpn
functions url-entry file-access file-entry file-browsing
svc none

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool DHCP_POOL
default-group-policy webvpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy webvpn

group-alias web enableç

tunnel-group TunnGroupWEBVPN type webvpn
tunnel-group TunnGroupWEBVPN general-attributes
address-pool DHCP_POOL
default-group-policy webvpn
tunnel-group TunnGroupWEBVPN webvpn-attributes
nbns-server 1.1.1.2 master timeout 2 retry 2
!
class-map inspection_default
match default-inspection-traffic

thanks in advance

Jennifer Halim · ‎01-25-2011

You mention that this ASA is new and it doesn't have any ACL configured yet.

However you have the following 2 lines of access-group:

access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

Can you please remove those 2 access-group, and try to access the webvpn again from the outside.

carlosJlopez_2 · ‎01-26-2011

thanks for your fast answer Jennifer,

that two lines are there because I was trying to add and ACL permitting from my remote public IP to the interfaz external (without results).

I just remove this two lines and same result. TCP acces denied by ACL.

Jennifer Halim · ‎01-26-2011

do you mind sharing the complete configuration? there could be conflict of commands that causes the issue.

carlosJlopez_2 · ‎01-26-2011

Thanks Jennifer,

here it is

Jennifer Halim · ‎01-26-2011

The current configuration seems to be fine.

Do you happen to have static NAT configuration prior? and can you "clear xlate"?

Have you tried to reload the ASA?

Can you please try with packet tracer, on TCP/443, and see where it's failing?

Also, can you also try with different port (configure webvpn to listen on port 8443 for example), and see if you are able to connect to the ASA outside interface using that port.

carlosJlopez_2 · ‎01-26-2011

thank you Jennifer

Do you happen to have static NAT configuration prior? I will try to reset Nat configuration

and can you "clear xlate"? clear state and nothing,

Have you tried to reload the ASA? Yes I tried to reload it a lot of times and nothing. (I saw that a lot of people are happy and when reloads all works but thats not my case)

Can you please try with packet tracer, on TCP/443, and see where it's failing? Yes Itried with packet tracert and packet is allowed

Also, can you also try with different port (configure webvpn to listen on port 8443 for example), and see if you are able to connect to the ASA outside interface using that port. I tried before with port 444 and same result

Jennifer Halim · ‎01-26-2011

Port 444 has been assigned to your ASDM port. Are you able to try with other ports than 444 or 443.

If packet tracer is allowing the traffic, that doesn't seem to be an issue.

Where are you seeing the deny log messages? on the ASA itself or on another device?

carlosJlopez_2 · ‎01-26-2011

I test with port 444 when ASDM was in 443. But I´m going to change webvpn to 8443 and we will see waht happen.

I see the deny message in the ASA log with the ASDM