02-24-2021 02:10 AM
Hello everybody,
I am configuring AnyConnect on a customer's ASA5506 (9.12(4)) and as I want to
turn on SSL-VPN on the outside interface I got this:
cisco-asa-moers(config-webvpn)# enable outside ?
webvpn mode commands/options:
  tls-only  Specifies that only TLS is to be enabled. DTLS is disabled.
  <cr>
cisco-asa-moers(config-webvpn)# enable outside
ERROR: Port 443 on outside can not be configured due to conflict
INFO: WebVPN and DTLS are disabled on 'outside'.
I had previously changed the web server port to 8443 for ASDM, and it is
working fine on this port:
http server enable 8443
I don't know why there is a conflict on port 443.
What would you do to prevent this conflict?
Attached you find the (adapted) configuration of the ASA.
Every hint is welcome!
Thanks a lot!
R.
02-24-2021 02:17 AM
You've got a static NAT on the outside interface for tcp/443 (https).
If you've got a spare public IP address, change that NAT to use that spare IP address instead, or use TLS RAVPN on another port, or use IKEv2/IPsec instead of TLS.
HTH
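A check for the kind of conflict Rob points out, added here as an example and not part of the thread or of any Cisco tool: it scans an ASA running-config for features that bind a TCP port on the outside interface (static NAT to the interface address, the ASDM http server when reachable from outside, and WebVPN with its default of 443) and reports ports claimed more than once. The config fragment is constructed, and the parser only recognises the command forms shown.

```python
import re
from collections import defaultdict

# Constructed ASA configuration fragment modelled on the thread; not the poster's config.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
object network WEBSERVER
 host 192.168.1.10
 nat (inside,outside) static interface service tcp https https
http server enable 8443
http 192.168.1.0 255.255.255.0 inside
webvpn
 port 444
 enable outside
"""

# Service keywords the ASA accepts in place of a TCP port number.
SERVICE_PORTS = {"https": 443, "http": 80, "www": 80, "ssh": 22}

def to_port(token):
    """Translate an ASA port token ('https' or '8443') into an integer."""
    return SERVICE_PORTS.get(token.lower()) or int(token)

def outside_tcp_listeners(config):
    """Map each TCP port claimed on the 'outside' interface to the features claiming it."""
    claims = defaultdict(list)
    http_port, http_outside = 443, False      # 'http server enable' defaults to 443
    webvpn_port, webvpn_outside = 443, False  # 'webvpn' without 'port' defaults to 443
    in_webvpn = False
    for line in config.splitlines():
        if not line.strip():
            continue
        # Sub-commands are indented; only a top-level 'webvpn' line opens that block.
        in_webvpn = line == "webvpn" or (in_webvpn and line.startswith(" "))
        s = line.strip()
        # Static PAT to the outside interface address: the mapped (outside) port is the last token.
        if m := re.match(r"nat \(\S+,outside\) static interface service tcp \S+ (\S+)$", s):
            claims[to_port(m.group(1))].append("static NAT: " + s)
        elif m := re.match(r"http server enable(?: (\d+))?$", s):
            http_port = int(m.group(1) or 443)
        elif re.match(r"http \S+ \S+ outside$", s):
            http_outside = True               # ASDM/HTTPS management reachable from outside
        elif in_webvpn and (m := re.match(r"port (\d+)$", s)):
            webvpn_port = int(m.group(1))
        elif in_webvpn and s.startswith("enable outside"):
            webvpn_outside = True
    if http_outside:
        claims[http_port].append("ASDM http server")
    if webvpn_outside:
        claims[webvpn_port].append("WebVPN/AnyConnect")
    return dict(claims)

def port_conflicts(config):
    """Return only the outside ports that more than one feature tries to own."""
    return {p: who for p, who in outside_tcp_listeners(config).items() if len(who) > 1}
```

With the sample as written (WebVPN moved to 444) the result is empty; drop the `port 444` line and the report shows 443 claimed by both the static NAT and WebVPN, which is the conflict the ASA refused.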
02-24-2021 04:23 AM
Hi Rob,
thanks for the fast reply!
I overlooked this NAT.
Now I did the following:
cisco-asa-moers(config-webvpn)# port ?
webvpn mode commands/options:
  <1-65535>  The WebVPN server's SSL listening port. TCP port 443 is the default.
cisco-asa-moers(config-webvpn)# port 444
cisco-asa-moers(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
I think this should work when the users enter
https://<outside IP>:444
in the AnyConnect client, right?
Thanks!
Bye
R.
02-24-2021 04:30 AM
If using AnyConnect you don't need to specify https://, just ipaddress:444 or fqdn:444
02-24-2021 05:34 AM
Hi Rob,
unfortunately it does not work. When I try to log in via AnyConnect client 4.9 with:
<outside IP>:444
I get the window for entering username and password.
When I enter LOCAL username and password I just get a 'Login failed' message.
In the logging I don't see anything as usual!
I made a capture and I see the ASA is using port 8443 instead of 444!
These are the relevant config lines:
http server enable 8443
http server idle-timeout 30
...
webvpn
 port 444
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.9.06037-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.9.06037-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
...
tunnel-group AnyConnect(Moers) type remote-access
tunnel-group AnyConnect(Moers) general-attributes
 address-pool VPNPOOL
 authentication-server-group (inside) nalvonminden
 authorization-server-group nalvonminden
 authorization-server-group (inside) nalvonminden
 default-group-policy GroupPolicy_AnyConnect(Moers)
 authorization-required
tunnel-group AnyConnect(Moers) webvpn-attributes
 group-alias AnyConnect(Moers) enable
 group-alias AnyConnet(Moers)_Port444 enable
 group-url https://<outside IP>:444 enable
!
Do you have an idea why the ASA is using port 8443 instead of 444?
Thanks a lot!
Bye
R.
02-24-2021 06:00 AM
This works:
tunnel-group RAVPN webvpn-attributes
group-url https://1.1.1.3:444/RAVPN
And in AnyConnect use 1.1.1.3:444/RAVPN
02-24-2021 07:03 AM
Hi Rob,
even after implementing your new configuration proposal it unfortunately does not work
when I enter in the AnyConnect client:
https://<outside IP>:444/AnyConnect(Moers)
or
<outside IP>:444/AnyConnect(Moers)
Again "Login failed" with LOCAL user/password.
The capture shows that the ASA is using port 8443 instead of 444.
I have never had such problems with AnyConnect before.
I don't see anything of the tunnel establishment in the logging, just in the capture.
Do you still have any idea how to solve this issue?
Thanks a lot!
Bye
R.
02-25-2021 09:29 AM
Same here, have you found the solution?
02-27-2021 06:44 PM
Try resetting the ASA; this may solve the issue.