AnyConnect SSL VPN conn denied on outside intfc

Phil Williamson
Level 1

ASA5510 8.0(4)

I'm trying to setup AnyConnect on another ASA. I can't see the forest for the trees this time.

I keep getting a log msg about TCP/443 packet dropped by ACL on outside interface. I don't have an ACL denying 443 on the outside. I've done this before, but I cannot see my error. Any suggestions come to mind?

I even went so far as to follow Cisco's tech tip in Doc. #99757 just to be sure.

Classical non-SSL VPN client connectivity works fine.

Thx - Phil

3 Replies

Ivan Martinon
Level 7

Have you enabled webvpn on the outside interface?

Ivan - yes it is.

ASA5510# sho run webvpn
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
ASA5510#

Here are the pertinent config details (public IPs changed to protect the protected):

Note that there is also code for traditional non-SSL client and site-to-site VPN - all that works fine.

I have other ASAs with WebVPN enabled that work fine, I cannot see why this one is different/does not work. Probably a typo I cannot see.

!
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5510 Security Plus license.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 25.25.25.250 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.31.254.2 255.255.255.252
!
access-list ACL_OUT extended permit tcp 24.25.44.0 255.255.252.0 host 25.25.25.251 eq https
access-list ACL_OUT extended permit icmp any interface outside echo-reply
access-list ACL_OUT extended permit icmp any interface outside unreachable
access-list ACL_OUT extended permit icmp any interface outside time-exceeded
access-list NoNAT extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
access-list SSLSplitAllowACL extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool SSLSplitAllowPool 172.31.253.1-172.31.253.2 mask 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface inside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 172.20.1.0 255.255.255.0
static (inside,outside) 25.25.25.251 172.20.1.9 netmask 255.255.255.255
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 25.25.25.249 1
route inside 172.20.1.0 255.255.255.0 172.31.254.1 1
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA5510.local.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 6a6d4e86
  0500304c 3121301f 06035504 03131843 44482d35 3531302e 57333637 30646f6d
  98c13a65 d128ac77 d3eb55c1 ecc85d99 faf314
 quit
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 172.20.1.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLSplitAllowACL
 default-domain value local.com
 address-pools value SSLSplitAllowPool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username vpntest password encrypted privilege 0
username vpntest attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
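Added here as an illustration, not code from the thread or from Cisco: a small Python check that walks a running-config for the AnyConnect prerequisites this thread goes through (webvpn enabled on the interface, the svc package and svc enable, an ASDM port that does not collide with 443, a group-policy allowing svc). The sample is constructed from the config posted above and assumes the one-space sub-command indent the ASA prints, which the forum dump dropped.

```python
# Constructed sample condensed from the running-config posted in this thread
# (ASA 8.0(4)); sub-commands carry the one-space indent the ASA prints.
SAMPLE_CONFIG = """\
http server enable 444
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc
"""

def blocks(config):
    """Yield (top-level command, [sub-commands]) pairs from an ASA config."""
    top, subs = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            subs.append(line.strip())
        else:
            if top is not None:
                yield top, subs
            top, subs = line.strip(), []
    if top is not None:
        yield top, subs

def check_sslvpn(config, interface="outside"):
    """Return findings for the SSL VPN prerequisites; an empty list means all pass."""
    webvpn, protocols, http_port = [], [], None
    for top, subs in blocks(config):
        if top == "webvpn":
            webvpn = subs
        elif top.startswith("group-policy ") and top.endswith(" attributes"):
            protocols += [s for s in subs if s.startswith("vpn-tunnel-protocol ")]
        elif top.startswith("http server enable"):
            parts = top.split()              # ASDM listens on 443 when no port is given
            http_port = int(parts[3]) if len(parts) > 3 and parts[3].isdigit() else 443
    enabled = f"enable {interface}" in webvpn
    checks = [
        (enabled, f"webvpn is not enabled on {interface}"),
        ("svc enable" in webvpn, "svc enable missing: AnyConnect client downloads are off"),
        (any(s.startswith("svc image ") for s in webvpn), "no svc image loaded"),
        (not (enabled and http_port == 443),
         "ASDM (http server) and webvpn both use 443; the posted config moves ASDM to 444"),
        (any("svc" in p.split()[1:] for p in protocols),
         "no group-policy allows vpn-tunnel-protocol svc"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it the output of `show running-config` (with its native indentation) and an empty list means the configuration side of the checklist is clean, which in this thread is exactly the case where the fix turned out to be a reload rather than a typo.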

Ivan - I got the OK to reload the 5510 - that fixed all the problems. I guess 8.0(4) still has some bugs.

The fact that the reload fixed this also restored my faith in me and my craft. :-)