cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1046
Views
0
Helpful
11
Replies

Anyconnect issue with ASA 5506 behind an ADSL Router

Manish Patel
Level 1
Level 1

hi

i have been trying to use port forwarding on an adsl router with ISP assigned public IP address on the dialer0 interface. i also have an ASA 5506-X behind the ADSL Router with a /30 public IP address.

i have the ASA working fine using ip nat inside source 1.1.1.1 2.2.2.2

where 2.2.2.2 is the dialer0 ISP assigned address and 1.1.1.1 is the public IPaddress on the outside interface of the ASA

Now i am trying to get anyconnect working through the router and have configured port forwarding as below:-

ip nat inside source static udp 1.1.1.1 4500 2.2.2.2 4500
ip nat inside source static udp 1.1.1.1 500 1.1.1.1 500
ip nat inside source static udp 1.1.1.1 443 1.1.1.1 443
ip nat inside source static tcp 1.1.1.1 443 1.1.1.1 443

i have also used the keyword "extendable" after the port forwading line , but no joy

when i browse to https://1.1.1.1 i cannot get to the ASA , i have also tried using the pre-download installation of anyconnect and that just times out when i connect to 1.1.1.1

i wanted to know if we can port forward from one public IP to another public IP ? i created the anyconnect using the ASA wizard.

i suspect the router is the cause of this for now,

how do i convert the cisco 887 VA router to a bridge mode -  this is my last resort , ideally i dont want to do this as its a major outage on the network

can the ASA have a 192.168.1.1 outside interface address and use port forwading for anyconnect to work.

any assistance will be great.

thanks

i have attached a copy of the config

11 Replies 11

Philip D'Ath
VIP Alumni
VIP Alumni

Can you browse to https://1.1.1.1 from the outside?  Note you can noy use AnyConnect from inside the ASA.

Are you sure AnyConnect is enabled?  Have you go something like:

webvpn
enable Outside

hi phillip

the inside interface of the ASA is a different subnet.

i have 1.1.1.1 as the outside interface of the ASA. 2.2.2.2 is the adsl router infront of the asa

i cant browse to https://1.1.1.1 and webvpn is enabled.

i suspect its port forwarding but am not sure if you can port forward from a public ip address to another public address

If you plug the ASA point to point to your notebook, and give your notebook the IP address 1.1.1.2 (which I presume is the 887's inside IP address) can you browse to https://1.1.1.1 to prove AnyConnect is working?

You have several overlapping NAT's.  Try removing:

ip nat inside source static 1.1.1.1 2.2.2.2

Get rid of source routing;

ip source-route

Change FastEthernet3 to a more normal configuration.

interface FastEthernet3
 description Uplink to 
switchport mode access
switchport access vlan 115

Try making the mss adjust a bit lower:

interface Vlan115
ip tcp adjust-mss 1400

Do you really need:

ip route profile

You are also mixing NAT of static and interface IP's.  This should be fine, but since you have an issue lets just stick to one method:

ip nat inside source static tcp 1.1.1.1 443 interface Dialer0 443 extendable
ip nat inside source static udp 1.1.1.1 443 interface Dialer0 443 extendable
ip nat inside source static udp 1.1.1.1 500 interface Dialer0 500 extendable
ip nat inside source static udp 1.1.1.1 4500 interface Dialer0 4500 extendable

If that still does not work, what version of software are you using on the 887VA?

hi

i have changed the set up and made the cisco 887 as bridged and the ISP's PPPoE appears on the ASA

i will try it out and report back

the anyconnect still doesnt work.

i used an iphone hotspot SSID to ping and to ssh to the outside ASA interface, i could see that the ssh was blocked from the real time logs but i dont see any https traffic coming in.

Any chance the ISP is blocking https?

You don't have an incorrectly proxy configured in your browser that might be stopping the https requests?

What about antivirus software that might be intercepting https?

issue fixed from the below document

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html

thanks for all your help

Well done.

Has the ASA definitely got a default route via 1.1.1.2?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: