09-18-2015 01:27 PM
Attempting to set up an ASA 5505 VPN firewall behind a NAT router within my network to allow
clients to connect with AnyConnect to the ASA FW.
The NAT router statically translates all incoming SSL VPN requests arriving on its public interface
further to the ASA firewall: Client_PC -> Client_FW -> INTERNET -> NAT Router_Public-IP -> ASA FW
The ASA FW has its default route on the "outside" interface pointing back to the router and has
no NAT statements configured.
On the initial attempt to connect from the client's browser on port 443, I get the following error
in the ASA system log, and in 9 out of 10 attempts the connection fails.
----------------------------------------------------------------------------------------------------
%ASA-7-609001: Built local-host inside:<Client's-Public_IP>
%ASA-6-302013: Built inbound TCP connection 157 for inside:<Client's-Public_IP>/45335 to identity:ASA_OUTSIDE_Interface/443
%ASA-6-110003: Routing failed to locate next hop for tcp from inside: ASA_OUTSIDE_Interface/47873 to inside:<Client's-Public_IP>/6065
%ASA-6-302014: Teardown TCP connection 157 for inside:<Client's-Public_IP>/45335 to identity:ASA_OUTSIDE_Interface/443 duration 0:00:30 bytes 0 SYN Timeout
----------------------------------------------------------------------------------------------------
At the same time, inspecting how the ASA sees the packet coming from the client PC shows the following:
Interface inside: 2 active, 3 maximum active, 0 denied
local host: <Clients_Public_IP>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP inside: <Clients_Public_IP>/10237 NP Identity Ifc: ASA_OUTSIDE_Interf/443,
flags SaAB , idle 2s, uptime 2s, timeout 30s, bytes 0
----------------------------------------------------------------------------------------------------
As can be seen from both outputs, the ASA somehow associates Clients_Public_IP with the "inside" interface,
and since the "inside" interface has no routing entries to get to the Internet, the route lookup fails (in theory).
Tried to define identity NAT for the flows towards the ASA, no effect. The connection mostly fails, sometimes
gets through, up to the portal. Initially I could even download the AC client off the ASA portal and the ASA was
sort of ignoring these errors, but not anymore, it looks like.
Current ASA OS: 9.2(2)4 (tried as well with 8.2.4 & 8.3.1)
ASDM: 7.4(3)
Any help will be greatly appreciated
Thanks in advance.
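The two log messages quoted above (302013 and 110003) can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Cisco: it parses ASA syslog lines of that shape and flags a connection whose client was placed on an interface other than the one the VPN is served on. The log lines inside it are constructed to mirror the post, with 203.0.113.10 standing in for the client's public IP and "outside" assumed as the ASA's outside nameif; connection 158 is a control case that arrived on the right interface.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines shaped like the thread's ASA output (assumptions:
# 203.0.113.10 is the client's public IP, "outside" is the ASA's outside nameif).
SAMPLE_LOG = """\
%ASA-7-609001: Built local-host inside:203.0.113.10
%ASA-6-302013: Built inbound TCP connection 157 for inside:203.0.113.10/45335 to identity:outside/443
%ASA-6-110003: Routing failed to locate next hop for tcp from inside: outside/47873 to inside:203.0.113.10/6065
%ASA-6-302014: Teardown TCP connection 157 for inside:203.0.113.10/45335 to identity:outside/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 158 for outside:203.0.113.10/45336 to identity:outside/443
"""

HEADER = re.compile(r"^%ASA-(\d)-(\d{6}):\s*(.*)$")
# "ifc:host/port", allowing the space after the colon that 110003 lines carry.
ENDPOINT = re.compile(r"(\S+?):\s*(\S+?)/(\d+)")

# Ranges that never appear as an Internet client source. RFC 5737 documentation
# space is deliberately not listed so the sample address above counts as public;
# a production version would extend this list as needed.
NON_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internet_address(host):
    """True if host parses as an IP address outside the NON_INTERNET ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # interface names such as "outside" are not addresses
        return False
    return not any(addr in net for net in NON_INTERNET)


@dataclass(frozen=True)
class Finding:
    msg_id: str
    ingress_ifc: str
    client_ip: str
    reason: str


def check_vpn_ingress(log_text, vpn_ifc):
    """Flag lines showing a public VPN client that the ASA associated with the
    wrong interface. vpn_ifc is the nameif clients are expected to arrive on."""
    findings = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        msg_id, body = m.group(2), m.group(3)
        eps = ENDPOINT.findall(body)
        if len(eps) < 2:
            continue
        (src_ifc, src_host, _), (dst_ifc, dst_host, dst_port) = eps[0], eps[1]
        if msg_id == "302013":
            # Inbound connection to the ASA's own address ("identity") on the
            # VPN interface, but the packet was accounted to another interface.
            if (dst_ifc == "identity" and dst_host == vpn_ifc
                    and src_ifc != vpn_ifc and is_internet_address(src_host)):
                findings.append(Finding(
                    msg_id, src_ifc, src_host,
                    "client reached %s/%s but entered via %s" % (vpn_ifc, dst_port, src_ifc)))
        elif msg_id == "110003":
            # The reply is being routed back to the client out of the interface
            # the request was accounted to; a public address there has no route.
            if src_ifc == dst_ifc and dst_ifc != vpn_ifc and is_internet_address(dst_host):
                findings.append(Finding(
                    msg_id, dst_ifc, dst_host,
                    "no route to client via %s (reply bound to wrong interface)" % dst_ifc))
    return findings


if __name__ == "__main__":
    for f in check_vpn_ingress(SAMPLE_LOG, "outside"):
        print("%s %s %s: %s" % (f.msg_id, f.ingress_ifc, f.client_ip, f.reason))
```

Feed the saved `show logging` output to `check_vpn_ingress()` with your outside nameif. A hit on both message IDs for the same client address is exactly the pattern in the post, and `ingress_ifc` tells you which interface the ASA is binding that client to.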
09-21-2015 08:55 PM
Please apply the captures below:
capture capin interface inside match tcp host <client public ip> any
capture capout interface outside match tcp host <client public ip> any
capture asp type asp all
09-22-2015 06:46 AM
09-23-2015 09:57 PM
Whose IP address is 192.168.1.15?
Is there any device in front of this ASA that could be doing the translation for the incoming HTTPS traffic?
09-24-2015 06:25 AM
192.168.1.15 is the ASA's outside interface. Yes, there is a NAT router in front
which does the translation of incoming traffic on TCP port 443 towards the ASA.
09-24-2015 07:32 AM
Hi
Just a thought:
Do you have DTLS enabled? DTLS uses UDP port 443 and you are only forwarding TCP port 443; try disabling DTLS.
09-29-2015 07:30 AM
09-22-2015 08:46 AM
Managed to get through to the portal and download the VPN client. Connected once,
then the connection got terminated and any further attempts give the error message
attached below. On the ASA side, I could see one successful IKE exchange.
Still getting the errors from before:
%ASA-6-110003: Routing failed to locate next hop for tcp from inside: ASA_OUTSIDE_Interface/47873 to inside:<Client's-Public_IP>/6065
10-01-2015 10:33 PM
Check the cables. The router is probably connected to the ASA inside interface.
10-14-2015 10:40 AM
Was I right?
10-27-2015 01:25 PM
Nope, the cabling was fine... Had to introduce more VLANs to make sure
all is properly isolated; hoped I could get away with an unmanaged switch, but not really.
02-26-2016 10:42 AM
Hi owaisberg,
I have an ASA 5525-X and I want to configure it the same way you did with your ASA 5505.
I mean I also have a router in front doing the NAT and I want to configure my ASA for SSL VPN with AnyConnect.
Did you find out what the best way to do that is?
I'd appreciate it if you reply to me with the best configuration.
Thank you