ASA Anyconnect VPN not working or downloading VPN client

Ron Mitchell
Level 1

I have a Cisco ASA 5505 that I am trying to configure AnyConnect VPN on, and though I have changed my configuration several times, when trying to access the static public IP of the outside interface to download the image, I am not able to. Also, when I do a packet-tracer I see it is being dropped by the ACL: when packets sourced from outside go to the ASA via port 443, it drops due to the ACL. So it looks like anything trying to access the ASA via VPN on port 443 is going to my DMZ. Below is my config:

XXXX# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname XXXX
domain-name lookup
enable password pFTzVNrKdD9x5rhT encrypted
passwd zPBAmb8krxlXh.CH encrypted
names
!
interface Ethernet0/0
 description Outside-interface
 switchport access vlan 20
!
interface Ethernet0/1
 description DMZ-Uplink
 switchport access vlan 30
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 description Tacacs+IDS
 switchport access vlan 10
 switchport monitor Ethernet0/0
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 description Wireless_AP_Loft
 switchport access vlan 10
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address x.x.x.249 255.255.255.248
!
interface Vlan30
 no forward interface Vlan10
 nameif dmz
 security-level 50
 ip address 172.16.30.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name lookup
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network Webserver_DMZ
 host 172.16.30.8
object network Mailserver_DMZ
 host 172.16.30.7
object network DMZ
 subnet 172.16.30.0 255.255.255.0
object network FTPserver_DMZ
 host 172.16.30.9
object network Public-IP-subnet
 subnet x.x.x.248 255.255.255.248
object network FTPserver
 host 172.16.30.8
object network Inside
 subnet 192.168.10.0 255.255.255.0
object network VPN_SSL
 subnet 10.101.4.0 255.255.255.0
access-list outside_in extended permit tcp any object Mailserver_DMZ eq www log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 587 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq smtp log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq pop3 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 2525 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq imap4 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 465 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 993 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 995 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq 5901 log
access-list outside_in extended permit tcp any object Mailserver_DMZ eq https log
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_SSL 10.101.4.1-10.101.4.4 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside Inside destination static VPN_SSL VPN_SSL
nat (outside,inside) source static VPN_SSL VPN_SSL
!
object network obj_any1
 nat (inside,outside) static interface
object network Webserver_DMZ
 nat (dmz,outside) static x.x.x.250
object network Mailserver_DMZ
 nat (dmz,outside) static x.x.x.251
object network DMZ
 nat (dmz,outside) static interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HNIC protocol tacacs+
aaa-server HNIC (inside) host 192.168.10.2
 timeout 60
 key *****
user-identity default-domain LOCAL
aaa authentication http console HNIC
aaa authentication ssh console HNIC
aaa authentication telnet console HNIC
aaa authentication secure-http-client
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto ca trustpoint VPN_Articulate2day
 enrollment self
 subject-name CN=vpn.articulate2day.com
 keypair sslvpnkey
 crl configure
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 0
no vpn-addr-assign aaa

dhcp-client update dns
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.150 inside
dhcpd enable inside
!
dhcpd address 172.16.30.20-172.16.30.23 dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 192.168.10.2
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy VPN_SSL internal
group-policy VPN_SSL attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
 address-pools value VPN_SSL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 15
  anyconnect ssl compression deflate
  anyconnect ask enable
username ronmitch50 password spn1SehCw8TvCzu7 encrypted
username ronmitch50 attributes
 service-type remote-access
tunnel-group VPN_SSL_Clients type remote-access
tunnel-group VPN_SSL_Clients general-attributes
 address-pool VPN_SSL
 default-group-policy VPN_SSL
tunnel-group VPN_SSL_Clients webvpn-attributes
 group-alias VPNSSL_GNS3 enable
tunnel-group VPN_SSL type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

XXXX# 


4 Replies

Hi

Try configuring the VPN with a group URL, for example https://x.x.x.249/vpn.

I've had problems when I've had ASDM reachable via the outside interface, but when using a group URL it fixed the problem.

Thanks, but unfortunately this still does not work, and for some strange reason packet-tracer is telling me that it is failing due to an ACL in regards to the DMZ. I have static IPs, and I am not using the same IP for my DMZ web server, so I am not sure why my ASA is NATting to the DMZ for the ASA outside address.

XXXX# packet-tracer input outside tcp 2.3.4.5 443 x.x.x.249 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network DMZ
 nat (dmz,outside) static interface
Additional Information:
NAT divert to egress interface dmz
Untranslate x.x.x.249/443 to 172.16.30.0/443

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

XXXX#

Accepted Solution

You do have this configuration:

object network DMZ
 nat (dmz,outside) static interface

Try and change it to (or delete it):

object network DMZ
 nat (dmz,outside) dynamic interface
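Why the answer above works, with an added audit script (mine, not code from the thread or from Cisco): an object NAT rule of the form `nat (dmz,outside) static interface` is bidirectional and binds the entire outside interface address to the real object. Inbound packets to x.x.x.249 are therefore un-NATted toward the DMZ (the "NAT divert to egress interface dmz" in the packet-tracer output above) before the ASA ever treats them as to-the-box traffic for webvpn, and because outside_in permits nothing to 172.16.30.0 they die on its implicit deny. Deleting the rule removes the DMZ's outbound PAT, which is why DMZ hosts lose internet access; `dynamic interface` keeps PAT for outbound connections without claiming the inbound direction. The same `static interface` pattern appears on obj_any1 for the inside interface, and the script flags it as well. The script parses only object NAT (not the twice NAT `nat (a,b) source ...` lines) plus the top-level `webvpn` / `enable` block; it flags any `static interface` rule that has no `service` clause on an interface where webvpn is enabled, and flags subnet objects mapped statically to an interface address regardless. The sample config is constructed from the lines posted above, with the public addresses already redacted as x.x.x.n.

```python
"""Audit an ASA 8.3+ running-config for object NAT rules that claim a whole
interface address and so hijack to-the-box traffic (AnyConnect on 443,
ASDM, SSH) on that interface. Heuristic, object NAT (section 2) only."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample: the NAT- and webvpn-relevant lines of the config
# posted in the thread (public addresses redacted there as x.x.x.n).
SAMPLE_CONFIG = """\
interface Vlan20
 nameif outside
 security-level 0
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network Webserver_DMZ
 host 172.16.30.8
object network DMZ
 subnet 172.16.30.0 255.255.255.0
object network obj_any1
 nat (inside,outside) static interface
object network Webserver_DMZ
 nat (dmz,outside) static x.x.x.250
object network DMZ
 nat (dmz,outside) static interface
http 192.168.10.0 255.255.255.0 inside
webvpn
 enable outside
 anyconnect enable
"""

# The accepted fix, applied to both offending rules.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" static interface", " dynamic interface")


class NatRule(NamedTuple):
    obj: str
    real_if: str
    mapped_if: str
    mode: str      # "static" or "dynamic"
    mapped: str    # mapped address, object name, or "interface"
    rest: str      # trailing keywords such as " service tcp www www"


OBJ_RE = re.compile(r"^object network (\S+)$")
NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) (static|dynamic) (\S+)(.*)$")
WEBVPN_ENABLE_RE = re.compile(r"^ enable (\S+)$")


def parse(config: str) -> Tuple[List[NatRule], Set[str], Dict[str, str]]:
    """Collect object NAT rules, interfaces with webvpn enabled, and each
    network object's kind (host/subnet/range). Twice NAT lines are ignored."""
    rules: List[NatRule] = []
    webvpn_ifaces: Set[str] = set()
    kinds: Dict[str, str] = {}
    current_obj = None
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # a new top-level block starts
            current_obj, in_webvpn = None, False
            m = OBJ_RE.match(line)
            if m:
                current_obj = m.group(1)
            elif line == "webvpn":
                in_webvpn = True
            continue
        if current_obj:
            m = NAT_RE.match(line)
            if m:
                rules.append(NatRule(current_obj, *m.groups()))
            else:
                kind = line.split()[0]
                if kind in ("host", "subnet", "range"):
                    kinds[current_obj] = kind
        elif in_webvpn:
            m = WEBVPN_ENABLE_RE.match(line)
            if m:
                webvpn_ifaces.add(m.group(1))
    return rules, webvpn_ifaces, kinds


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (object, reason) for every static NAT that claims a whole
    interface address. A host forwarded with a 'service' clause claims only
    that port and is not reported."""
    rules, webvpn_ifaces, kinds = parse(config)
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.mode != "static" or r.mapped != "interface" or "service" in r.rest:
            continue
        kind = kinds.get(r.obj, "unknown")
        hijack = (f"; inbound connections to the {r.mapped_if} address are "
                  f"un-NATted into {r.real_if} before the ASA treats them as "
                  f"its own, so webvpn on {r.mapped_if} is unreachable"
                  if r.mapped_if in webvpn_ifaces else "")
        if kind != "host":
            findings.append((r.obj,
                f"static NAT of a {kind} object to the {r.mapped_if} interface "
                f"address; outbound PAT should be "
                f"'nat ({r.real_if},{r.mapped_if}) dynamic interface'{hijack}"))
        elif hijack:
            findings.append((r.obj,
                f"host static NAT to the {r.mapped_if} interface address with "
                f"no service clause claims every port{hijack}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted config", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for obj, reason in found:
            print(f"  {obj}: {reason}")
```

Run it against a full `show run` saved to a file by reading the file into `audit()`; the Webserver_DMZ and Mailserver_DMZ statics are left alone because they map to their own public addresses, not the interface, and a host object with `static interface service tcp 443 443` would be reported too if you keep webvpn on that interface, since it claims the same port the VPN needs.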

I tried deleting that static NAT in the past, and the only thing it caused was for my DMZ devices to lose access to the internet. I have a public IP space that is a /29, so the outside interface is a public static IP, and my web server is NATted to a different public IP as well. So I am not sure why that NAT statement is even being used if traffic is coming from the internet to access the public IP of the ASA using port 443 for VPN access.


Regards,