ASA AnyConnect SSL blocking specific ports

bas2
Level 1

First of all, thank you to any who respond.

I recently set up an ASA5520 for AnyConnect SSL VPN.

It is ONLY being used to terminate the VPN connection; not for firewall, security, etc.

It is using a single interface (named gbe0 in my instance). The ASA configuration is completely default except for the changes that were made during the VPN creation wizard in ASDM.

Clients can connect to the remote network and access all resources EXCEPT connections coming in through the WAN on ports 8443 and 7443 (for those of you that know Ubiquiti: yes, it is a UniFi server).

The resource is hosted on the same network users are connecting to via the VPN. It is NATed behind our firewall and accessible from anywhere.

TL;DR: A resource hosted on port 8443 is being blocked when accessed by the public IP. I.e. users accessing 10.0.0.1:8443 when connected to the VPN have access and can ping that host. However, while connected to the VPN, they cannot access x.website.com:8443 (which NATs to 10.0.0.1:8443).

Keep in mind, when not connected to the VPN, x.website.com:8443 is accessible. The only troubleshooting I have done thus far is to ping x.website.com:8443 from ASDM on the gbe0 interface, and it has a 100% success rate.

My assumption would be that the ASA is blocking that port.

5 Replies

johnd2310
Level 8

Hi,

Start by looking at DNS. When not connected to the VPN, what DNS server are you using to resolve x.website? When connected to the VPN, what DNS server are you using, and can you resolve x.website?

Thanks

John

**Please rate posts you find helpful**

John:

Thanks for your reply.

I should have been more clear. Everything is resolvable globally via DNS. This site has a single IP and all services are running on different ports. This site also hosts many NATed services.

E.g. Exchange is another service being NATed (among many) and is accessible while connected to the VPN. As I said, the services on 8443 and 7443 are the only ones being blocked. I have run same-security-traffic permit intra-interface in global conf mode.

Edit: I retract my statement about it blocking 8443 and 7443. Obviously if it allows 10.0.0.1:8443, then it shouldn't be blocking it. It is only with x.website:8443. I see why you are going after DNS.

Brent

When circumventing DNS and accessing via the public IP, i.e. 20.1.0.1:8443, it is still blocked.

Hi,

Try running packet-tracer and see where the failure is.

Thanks

John

**Please rate posts you find helpful**

Hi:

I did. The packet was allowed.

I am beginning to uncover what is happening.

I run split DNS (e.g. with the Exchange host), so it is able to access that resource locally when connected to the VPN.

As I stated, there is a single public IP. While connected to the VPN:

  • I am able to access the SSL VPN via the public IP - 20.x.x.x:10443
  • I cannot access any other resource publicly NATed - 20.x.x.x:80,443,8443,7443, etc.

I CAN enable the services by just creating the proper split DNS to the local IP, but I haven't done it that way before and prefer not to.
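The two pieces of this thread that can be written down as configuration are the split-DNS workaround the last post describes and the packet-tracer check John suggested. The following is an added example, not configuration from the thread or from Cisco's documentation; the group-policy name ANYCONNECT_GP, the internal DNS server 10.0.0.53, the zone website.com and the client address 192.168.50.10 are assumed placeholders, while gbe0, 10.0.0.1 and 20.1.0.1 come from the posts above.

```cisco
! Added example (not from the thread). Names marked "assumed" are placeholders:
! the thread does not give the group-policy, VPN pool, or internal DNS server.

! 1. Let traffic that arrives on gbe0 (the VPN) leave through gbe0 again.
!    The original poster reports already having this line in place.
same-security-traffic permit intra-interface

! 2. Split DNS: while on the VPN, AnyConnect sends queries for the listed
!    domain to the tunnel DNS server, so x.website.com resolves to the
!    internal address 10.0.0.1 rather than the public NAT address 20.1.0.1.
!    This is the workaround the last post describes.
group-policy ANYCONNECT_GP attributes        ! assumed group-policy name
 dns-server value 10.0.0.53                  ! assumed internal DNS server
 default-domain value website.com            ! assumed zone of x.website.com
 split-dns value website.com

! 3. Trace a VPN client reaching the public address directly (the case the
!    poster reported as still blocked). 192.168.50.10 is an assumed address
!    from the AnyConnect pool. The output names the phase (ACL, NAT, route)
!    at which the packet is dropped, if it is dropped at all.
packet-tracer input gbe0 tcp 192.168.50.10 40000 20.1.0.1 8443 detailed
```

The poster's packet-tracer already reported the packet as allowed, so an ACL is not what is refusing the connection; the split-DNS approach avoids the question by keeping VPN clients off the public-address path altogether, which is also the path that needs the least exposure of the NATed services to tunnel users.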
