07-02-2018 07:38 AM - edited 02-21-2020 09:25 PM
Hello,
So I have a local web-based application that I want accessible from remote location using Cisco AnyConnect. I am currently using ASA 5515x. This is my first time attempting AnyConnect and I intend to use a self signed certificate from my ASA. When I enter the public IP of my ASA on my web browser, it is supposed to bring me to a landing page where I will be directed to download the AnyConnect client and then authenticate. The issue is that the page times out when I enter my address on a browser which means "AnyConnect is not working yet" or my configuration is wrong somewhere.
Please see config below and assist in ways you can. I would appreciate this. Thank you.
07-02-2018 07:44 AM
Configuration looks correct to me on a quick look. Are you trying to hit "https://71.71.x.x" on your browser? Can you try to capture traffic on your machine using wireshark to see what happens when you try the connection?
07-02-2018 08:02 AM
Thanks for your response Rahul.
Currently downloading Wireshark. Yes, it is; when I try to reach https://71.71.xx.xx I get the "this site can't be reached" error message. I have also attached the full config on the ASA. There could be a config line I have not spotted blocking the connection. Just to mention, ICMP, Telnet and SSH (public) are disabled on the WAN (internet) leg of the ASA.
07-02-2018 08:09 AM
Also, apply a capture on the ASA WAN interface.
capture capo interface outside match tcp host <your client public ip> host <your ASA public ip> eq 443
The only other thing I noticed in your config is a missing default route. I did not notice a routing protocol configuration, so it could just be that.
07-02-2018 08:36 AM
There is a default route. I probably deleted it when I was trying to edit the config I posted.
You think not using a routing protocol could be affecting it?
07-02-2018 08:50 AM
There seems to be no output for the capture command, I did a "terminal monitor", still the same thing.
07-02-2018 08:53 AM
Do a "show capture capi" after applying the capture. Will show you if there are packets coming in from the client to the ASA.
Also, you don't need a routing protocol if you have a static route. Also paste the sanitized output of "show route" if you can.
07-03-2018 06:21 AM - edited 07-03-2018 06:26 AM
Hey Rahul,
Thanks for the assistance thus far.
So when I issued the command "show capture capo", it started working for some weird reasons I can't explain. I could access https://71.71.xx.xx.
One more worry for me is the Warning message I get from the "Cisco AnyConnect Mobility Client" itself saying the server certificate is UNTRUSTED. It is a self signed certificate. I wonder why. Please see attached screenshot.
07-03-2018 07:03 AM
This is expected. Self-signed certificates are generated by the ASA and not trusted inherently by the operating system. AnyConnect (or any SSL/TLS client) checks for at least 4 things on the server certificate during the SSL handshake:
1) Date/Validity
2) URL that you accessed matches the Subject Name or Subject Alternate Name of the certificate
3) Issued by a CA or sub CA whose certificate is on the trusted CA certificate store of the OS/browser
4) Key usage and extended key usage match what the certificate is being used for. EKU usually has to be completely empty or at least contain "Server Authentication" for server-side certs.
In the case of self-signed, conditions 2 and 3 are almost always not matched. The default self-signed certificate would have the name "hostname.domain-name" of the ASA and is issued by itself.
For you to avoid the cert warning, do this:
1) Register a DNS name for your public IP, like vpn.domain-name.com
2) Get a certificate from a trusted third party CA like GoDaddy or Verisign for the name that you registered above.
3) Install the cert and CA cert on the ASA and link it to your outside interface.
4) Access VPN using vpn.domain-name.com
You can refer to this Cisco document that my colleague and I wrote on digital certificate installation and renewal on the ASA:
Hope this helps.
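The four checks listed above can be reproduced outside AnyConnect with the openssl CLI. The script below is an added example and not part of the thread or of any Cisco tooling: it builds (a) a self-signed certificate of the kind the ASA's default trustpoint produces (CN = hostname.domain-name, issued by itself, no SAN, no EKU) and (b) a certificate for a registered VPN name issued by a private CA standing in for a public one, then runs each check against both. It assumes openssl 1.1.1 or newer on PATH; every name used ("asa-fw.example.local", "vpn.example.com", "Example Lab CA", the IP 71.71.0.1) is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the four server-certificate
# checks a TLS client performs, using the openssl CLI. Assumes openssl >= 1.1.1.
# All hostnames and the IP below are constructed placeholders.

WORK=${WORK:-$(mktemp -d)}

# (a) Self-signed, CN = hostname.domain-name, issued by itself: the shape of the
#     ASA default trustpoint certificate (no SAN, no EKU).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=asa-fw.example.local" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.crt" >/dev/null 2>&1
}

# (b) A private CA plus a server cert for the registered VPN name, carrying a
#     SAN and EKU=serverAuth the way a public CA would issue it.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn.example.com" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:vpn.example.com\nextendedKeyUsage=serverAuth\n' > "$WORK/vpn.ext"
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/vpn.ext" \
    -out "$WORK/vpn.crt" >/dev/null 2>&1
}

# 1) validity: has the certificate expired? (-checkend looks at notAfter)
check_dates() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# 2) the name the client connected to matches the CN or a SAN entry
check_hostname() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; }

# 3) chains to a trusted CA; $2 is an optional CA bundle standing in for the
#    OS trust store, otherwise only the system store is consulted
check_chain() {
  if [ -n "$2" ]; then openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else openssl verify "$1" >/dev/null 2>&1; fi
}

# 4) EKU is absent, or contains serverAuth ("TLS Web Server Authentication")
check_eku() {
  ext=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null)
  if echo "$ext" | grep -q "Extended Key Usage"; then
    echo "$ext" | grep -q "TLS Web Server Authentication"
  else
    return 0
  fi
}

# Run all four checks, print one line per check, return the number that failed.
validate_server_cert() {   # usage: validate_server_cert CERT HOSTNAME [CA_BUNDLE]
  failed=0
  check_dates "$1"         && echo "1 validity      : ok" || { echo "1 validity      : FAIL"; failed=$((failed+1)); }
  check_hostname "$1" "$2" && echo "2 name match    : ok" || { echo "2 name match    : FAIL"; failed=$((failed+1)); }
  check_chain "$1" "$3"    && echo "3 trusted chain : ok" || { echo "3 trusted chain : FAIL"; failed=$((failed+1)); }
  check_eku "$1"           && echo "4 EKU           : ok" || { echo "4 EKU           : FAIL"; failed=$((failed+1)); }
  return $failed
}

make_self_signed && make_ca_signed
echo "== ASA-style self-signed cert, client connected to the public IP =="
validate_server_cert "$WORK/asa.crt" "71.71.0.1"                       # checks 2 and 3 fail
echo "== CA-issued cert for vpn.example.com, CA present in the trust store =="
validate_server_cert "$WORK/vpn.crt" "vpn.example.com" "$WORK/ca.crt"  # all four pass
```

The same functions can be pointed at the certificate a live ASA actually serves: save the output of `openssl s_client -connect <asa-public-ip>:443 -showcerts` to a file and run `validate_server_cert` on it with the name you typed into the browser. The self-signed case fails checks 2 and 3 for exactly the reasons given above (no matching name, issuer not in the trust store); the CA-issued case passes all four once the issuing CA is in the store, which is what steps 1 to 4 of the fix achieve.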
07-09-2018 05:26 AM
Thanks for the support, Rahul.
Really appreciate it!
09-15-2018 05:46 AM
Thanks for the reference.