08-28-2014 04:56 PM - edited 02-21-2020 07:48 PM
Hi,
I am trying to set up an AnyConnect VPN at home through the ASDM and I have noticed that when I look at my interfaces, because I have a DHCP public IP address, my OUTSIDE IP address is showing up as my internal IP to my modem instead of my public IP address. So as a result, when I go through the AnyConnect VPN wizard, my group-url is appearing as the following: group-url https://192.168.0.3/VPN enable. Does anyone know how I can resolve my public IP so that I can get my VPN working? My network has my PC connected to my Cisco ASA5505, which is connected to my ISP modem.
I'll post my config:
show run
: Saved
:
ASA Version 8.2(5)46
!
hostname firewall
domain-name firewall.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif INSIDE
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name firewall.com
access-list NAT-ACL extended permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 access-list NAT-ACL
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.20-192.168.10.30 INSIDE
dhcpd dns 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable OUTSIDE
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value List
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username administrator password ObtzdGKt8ALC6fhn encrypted privilege 0
username administrator attributes
vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
group-url https://192.168.0.3/VPN enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3f814111ff22ecebb19d3e7455ae378a
: end
08-28-2014 11:31 PM
Hi,
I do not think you can have AnyConnect configured for a dynamic peer. I guess even DynDNS won't support that level in ASA to identify the peer IP address through a URL. You can do such with an IOS router, but not on a Cisco ASA. You need to have a fixed IP address at the ASA to get this.
Regards
Karthik
08-29-2014 12:06 AM
You are having two different things to manage:
tunnel-group VPN webvpn-attributes
group-alias VPN enable
group-url https://my.dyndls.alias/VPN enable
Now you can access the VPN also through a dynamic DynDNS address.
08-30-2014 04:17 AM
Thanks for your response.
I've registered a No-IP DNS name and am able to ping the domain externally, but I can't connect to the VPN after entering the 'group-url https://noipdns/VPN enable' command. Is there something else I need to enter?
Thanks.
08-30-2014 08:08 AM
Have you already configured your router? You have to configure port forwarding for UDP/TCP 443, or even better something like an "exposed host", "DMZ host" or similar, where all traffic is sent to your internal system. The wording can be different in your router.
09-02-2014 05:26 AM
Hi!
I have set up a similar solution for a customer. To get it to work I had to put the modem in bridged mode, so the modem did nothing more than "forward" packets.
That way the ASA got a public IP address on the external interface and I only had to follow the AnyConnect wizard. In this case my customer almost never changed their IP address, so I did not have to use the DNS name. The customer only noted the public IP address of the external interface on the ASA and simply browsed to that IP.
That solution has been up and running without problems for about 2 years now.
/Lajja1234
09-02-2014 05:42 AM
For sure, that is the best way to do it. But sadly, it's not always possible.
09-02-2014 04:22 PM
I tried opening the ports on my modem but it doesn't seem to work. Just to test that the port forwarding is working, I opened the RDP port, which I have done before, disconnected my firewall, but that didn't work for some reason. I might look into putting my modem into bridged mode.
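A small diagnostic for the double-NAT situation discussed in this thread, added here as an example (it is not from any of the posts above): it tells you whether the address on the ASA OUTSIDE interface is private (so the modem is NATing and the DDNS name plus a 443 forward are needed) or public (bridged mode), and whether the TLS listener is reachable on the DDNS name. The two inputs, the OUTSIDE address and the DDNS hostname, are assumed to be supplied as arguments; run the reachability check from outside the home network.

```shell
#!/bin/sh
# Added example, not from the original thread. Inputs are assumed:
#   $1 = address shown on the ASA OUTSIDE interface (e.g. from "show interface ip brief")
#   $2 = DDNS hostname used in "group-url https://<hostname>/VPN enable"

# Return 0 if the dotted-quad address is in RFC 1918 private space, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Print the first IPv4 address a hostname resolves to (empty if it does not resolve).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Classify the setup. Prints one of:
#   DOUBLE_NAT - OUTSIDE holds a private address: the modem is NATing, so group-url must
#                use the DDNS name and the modem must forward TCP/UDP 443 to the ASA.
#   PUBLIC     - OUTSIDE holds a public address that matches the DDNS record (bridged modem).
#   MISMATCH   - public address on OUTSIDE but the DDNS record points elsewhere (stale update).
classify_outside() {
    outside_ip=$1; ddns_ip=$2
    if is_private_ip "$outside_ip"; then
        echo DOUBLE_NAT
    elif [ "$outside_ip" = "$ddns_ip" ]; then
        echo PUBLIC
    else
        echo MISMATCH
    fi
}

# Exit 0 if a TLS handshake on port 443 of the given name succeeds (self-signed cert is fine
# because of -k); non-zero means the connection was refused, timed out or not forwarded.
check_tls_port() {
    curl -sk --connect-timeout 5 --max-time 10 -o /dev/null "https://$1/"
}

if [ "$#" -eq 2 ]; then
    outside=$1; host=$2
    ddns=$(resolve_ipv4 "$host")
    echo "OUTSIDE=$outside DDNS($host)=${ddns:-unresolved} -> $(classify_outside "$outside" "$ddns")"
    if check_tls_port "$host"; then
        echo "TCP 443 on $host is reachable"
    else
        echo "TCP 443 on $host is NOT reachable: check the modem port forward / DMZ host"
    fi
fi
```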