
Anyconnect

benolyndav (Level 4)

Hi,
I think I asked about this once before, but I am not grasping it. Can someone please explain in layman's terms what this is saying:
  • Whenever IKE ports 500/4500 or SSL port 443 is in use or when there are some PAT translations that are active, the AnyConnect IPSec-IKEv2 or SSL remote access VPN cannot be configured on the same port as it fails to start the service on those ports. These ports must not be used on the Firepower Threat Defense device before configuring Remote Access VPN.

9 Replies

@benolyndav can you post the link that text is from, in order to provide some further context?

...but at a guess I assume this is related to NAT. If you have a static NAT for, say, tcp/443 using the outside interface, then you cannot enable RAVPN on tcp/443 on the outside interface, as the ASA is already listening on that port for the static NAT. In this scenario you'd need to configure the static NAT on another public IP address and not use the ASA outside interface.

@benolyndav the document doesn't further expand on that, but I believe it is referring to my response above. So if the ASA is translating tcp/443 or the IPsec ports udp/500 and udp/4500 behind its outside interface, then you'd be unable to configure a RAVPN on the outside interface.
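As an added example of the conflict described in the reply above (this is not configuration from the thread or from Cisco's documentation), here is the ASA CLI for the conflicting form beside the corrected form, followed by the commands to check for the condition. The object names and addresses (10.1.1.10, 10.1.1.20, 203.0.113.10, 203.0.113.11) are constructed for illustration; the command syntax is standard ASA object NAT and WebVPN configuration. Note that a dynamic PAT rule using the interface address (`nat (inside,outside) dynamic interface`) is not the case being warned about; the problem is a static PAT that pins a specific port on the interface address.

```cisco
! Conflicting form: static PAT that borrows the outside interface address for tcp/443.
! The ASA must now accept tcp/443 on its outside IP for the translation, so an SSL RAVPN
! cannot be enabled on that interface/port combination.
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 443 443

! Corrected form: the same static PAT on a separate public address (assumed: 203.0.113.10)
! that is routed to the outside interface. The interface address keeps tcp/443 free for RAVPN.
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp 443 443

! Same idea for IPsec: forwarding udp/500 and udp/4500 from the interface address would block
! an IKEv2 RAVPN. Each network object may carry only one NAT rule, so two objects are used
! for the same internal host (assumed address 10.1.1.20, public address 203.0.113.11).
object network INTERNAL_VPN_GW_IKE
 host 10.1.1.20
 nat (inside,outside) static 203.0.113.11 service udp 500 500
object network INTERNAL_VPN_GW_NATT
 host 10.1.1.20
 nat (inside,outside) static 203.0.113.11 service udp 4500 4500

! With the translations moved off the interface address, RAVPN can be enabled on outside.
webvpn
 enable outside
 anyconnect enable

! Checks before enabling RAVPN: look for any static rule that uses the interface address,
! then confirm which ports the ASA itself is already listening on.
show running-config nat | include static interface
show asp table socket | include LISTEN
```

If `show running-config nat | include static interface` returns any rule whose `service` clause names tcp/443, udp/500 or udp/4500, move that rule to a dedicated public address as above before enabling RAVPN on the interface; `show asp table socket` shows the LISTEN entries the ASA has already claimed, which is the quickest way to see why the VPN service refuses to start on a port.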

Hi Rob,

Yes, the document does need some more info. Please see the attached NAT rules; the ACLs for these NAT rules do allow 443, so would this stop the RAVPN?

Regarding udp/500 and udp/4500, we do have NAT rules for these, but they are using NAT addresses and not the interface, so I'm assuming that would be OK.

Hi,
Is that because it's dynamic NAT?

 

@benolyndav you'd only have the problem if using static PAT behind the outside interface, which you don't appear to be. (Accepted solution)

Even without static PAT, I have seen it sometimes present an issue when trying to add a site-to-site VPN to a firewall where there is an existing site-to-site tunnel passing through the firewall and sitting on that UDP port.

Not super common but something to check for when the setup fails.

Thanks Marvin