10-14-2018 07:15 PM - edited 02-21-2020 09:29 PM
First of all, thank you to any who respond.
I recently set up an ASA5520 for anyconnect ssl vpn.
It is ONLY being used to terminate the vpn connection; not for firewall, security, etc.
It is using a single interface (named gbe0 in my instance). The asa configuration is completely default except for the changes that were made during the vpn creation wizard in asdm.
Clients can connect to the remote network and access all resources EXCEPT connections coming in through the WAN on ports 8443 and 7443 (for those of you who know Ubiquiti: yes, it is a UniFi server).
The resource is hosted on the same network users are connecting to via the vpn. It is natted behind our firewall and accessible from anywhere.
TL;DR: A resource hosted on port 8443 is being blocked when accessed by the public IP, i.e. users accessing 10.0.0.1:8443 when connected to the VPN have access and can ping that host. However, while connected to the VPN, they cannot access x.website.com:8443 (which NATs to 10.0.0.1:8443).
Keep in mind, when not connected to the VPN, x.website.com:8443 is accessible. The only troubleshooting I have done thus far is to ping x.website.com:8443 from ASDM on the gbe0 interface, and it has a 100% success rate.
My assumption would be that the ASA is blocking that port.
10-14-2018 07:37 PM
Hi,
Start by looking at DNS. When not connected to the VPN, what DNS server are you using to resolve x.website? When connected to the VPN, what DNS server are you using, and can you resolve x.website?
Thanks
John
10-14-2018 07:43 PM - edited 10-14-2018 07:46 PM
John:
Thanks for your reply.
I should have been more clear. Everything is resolvable globally via DNS. This site has a single IP and all services are running on different ports. This site also hosts many NATted services.
E.g., Exchange is another service being NATted (among many) and is accessible while connected to the VPN. As I said, the services on 8443 and 7443 are the only ones being blocked. I have run same-security-traffic permit intra-interface in global config mode.
Edit: I retract my statement about it blocking 8443 and 7443. Obviously, if it allows 10.0.0.1:8443, then it shouldn't be blocking it. It is only with x.website:8443. I see why you are going after DNS.
Brent
10-14-2018 07:50 PM
When circumventing DNS and accessing via the public IP, i.e. 20.1.0.1:8443, it is still blocked.
10-14-2018 08:00 PM
Hi,
Try running packet-tracer and see where the failure is.
Thanks
John
10-14-2018 08:09 PM
Hi:
I did. The packet was allowed.
I am beginning to uncover what is happening.
I run split DNS (e.g., with the Exchange host), so it is able to access that resource locally when connected to the VPN.
As I stated, there is a single public IP. While connected to the VPN:
I CAN enable the services by just creating the proper split DNS to the local IP, but I haven't done it that way before and prefer not to.
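The symptom described in this thread (a service reachable on its private address but not on its public address while the VPN is up) is easy to confirm from a client before touching ASA or firewall config. The script below is an added example, not code from the thread or from Cisco; the addresses and ports are the constructed sample values used in the posts (10.0.0.1, 20.1.0.1, 8443/7443), and the connect function can be swapped for a fake so the classification logic runs offline.

```python
import socket
from typing import Callable, Dict, Tuple

# Constructed sample values standing in for the addresses quoted in the thread.
PRIVATE_IP = "10.0.0.1"   # host on the VPN-reachable LAN
PUBLIC_IP = "20.1.0.1"    # public address the edge firewall NATs to PRIVATE_IP
PORTS = [8443, 7443]      # UniFi controller ports mentioned in the posts

ConnectFn = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(ports, private_ip: str, public_ip: str,
          connect: ConnectFn = tcp_connect) -> Dict[int, Tuple[bool, bool]]:
    """For each port, record (reachable via private IP, reachable via public IP)."""
    return {p: (connect(private_ip, p), connect(public_ip, p)) for p in ports}


def classify(results: Dict[int, Tuple[bool, bool]]) -> Dict[int, str]:
    """Turn the probe matrix into a per-port diagnosis a VPN admin can act on."""
    verdicts = {}
    for port, (priv_ok, pub_ok) in results.items():
        if priv_ok and not pub_ok:
            # Exactly the thread's case: the LAN path works, the hairpin
            # through the public address does not. Look at NAT reflection on
            # the edge firewall or split DNS on the VPN group policy.
            verdicts[port] = "hairpin"
        elif priv_ok and pub_ok:
            verdicts[port] = "ok"
        elif pub_ok:
            # Public works but private does not: VPN ACL / split-tunnel scope.
            verdicts[port] = "private-blocked"
        else:
            verdicts[port] = "unreachable"
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify(probe(PORTS, PRIVATE_IP, PUBLIC_IP)).items():
        print(f"port {port}: {verdict}")
```

Run it once off the VPN and once on the VPN; a port that flips from "ok" to "hairpin" is being lost on the return path through the edge NAT, not on the ASA.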