ASA Remote-Access VPN outside Interface

Juni
Level 1

Hi,
I am trying to configure remote access VPN. I am able to access the ASA via the mgmt interface but am not able to access it via the outside interface. Any ideas?

Topology is like PC -> ASA -> Router (Loopback as Server1 and Server2)
PC and ASA both are connected with AD DC for domain lookup

PC IP is 10.1.1.2
ASA outside IP is 10.1.1.1 (not accessible on http)

ASA mgmt IP 192.168.168.100 (accessible on http)

Simple answer:

You cannot access the outside using AnyConnect VPN.

I am doing clientless VPN (web based).

The same principle applies to clientless VPN. If you want to access the ASA through the outside interface IP...or the interface where VPN is terminated, you would need to send that traffic outside of the VPN (i.e. over the internet).

--
Please remember to select a correct answer and rate helpful posts

Even so, VPN is a tunnel and its end is the outside interface of the ASA. You want to access the tunnel end via the tunnel itself; that does not work, from my view.

If you configure

telnet 0.0.0.0 0.0.0.0 outside

and do not use AnyConnect, you can access the ASA, but that is so risky I don't recommend that at all.

Better to use ssh 0 0 outside and not telnet.

Are you using tunnel all traffic or split tunnel? If you are using tunnel all, then you will not be able to access the ASA using the outside interface IP. If using split tunnel, you can access the ASA using the outside interface, but that traffic would not be encrypted using AnyConnect; it will be encrypted using HTTPS over the internet.

Juni
Level 1

ciscoasa# sh run group-p
group-policy GP internal
group-policy GP attributes
vpn-idle-timeout 1440
vpn-session-timeout 1440
vpn-tunnel-protocol ssl-clientless
ciscoasa#
ciscoasa# sh run tunnel-gr
tunnel-group TGTECH type remote-access
tunnel-group TGTECH general-attributes
default-group-policy GP
tunnel-group TGTECH webvpn-attributes
group-alias FINANCE enable
ciscoasa#
ciscoasa# sh run webvpn
webvpn
enable outside
enable mgmt
tunnel-group-list enable
cache
disable
error-recovery disable
ciscoasa#
ciscoasa# sh run int gi 0/0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
ciscoasa# sh run int gi 0/1
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.1.1.1 255.255.255.0
ciscoasa# sh run int mana 0/0
!
interface Management0/0
nameif mgmt
security-level 100
ip address 192.168.168.100 255.255.255.0
ciscoasa#

ciscoasa# sh run http
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 mgmt
ciscoasa#
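
An added example, not part of the thread or of any Cisco tooling: a short Python audit that reads a running-config like the one posted above and lists `http`, `ssh` and `telnet` management rules that accept any source address. The sample config is constructed from the lines posted above; the function names and the severity labels are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant lines from the running-config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 192.168.168.100 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 mgmt
"""

MGMT_RULE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")
ANY_SOURCE = {("0.0.0.0", "0.0.0.0"), ("0", "0")}  # "0 0" is the short form


def interface_levels(config):
    """Map each nameif to its security-level."""
    levels, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def audit_mgmt_access(config):
    """Return (severity, rule) for management rules that allow any source."""
    levels = interface_levels(config)
    findings = []
    for line in map(str.strip, config.splitlines()):
        m = MGMT_RULE.match(line)
        if not m or (m.group(2), m.group(3)) not in ANY_SOURCE:
            continue
        proto, ifname = m.group(1), m.group(4)
        # Interfaces with no known security-level are treated as untrusted.
        untrusted = levels.get(ifname, 0) == 0
        # Assumed labels: cleartext telnet or an untrusted interface is "high".
        severity = "high" if proto == "telnet" or untrusted else "medium"
        findings.append((severity, line))
    return findings
```

Rules scoped to a specific admin subnet (for example `ssh 10.1.1.0 255.255.255.0 outside`) are not reported, so an empty result means no any-source management rule was found.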

You run http 0.0.0.0 0.0.0.0 outside,
so you want to access the ASA via ASDM via outside (not via AnyConnect).
The last piece is ports:
ASDM uses the same port as VPN, 443.
Change the VPN port.
https://www.petenetlive.com/KB/Article/0000422

You are using tunnel-all so you will not be able to access the ASA via the outside interface. If you want access to the ASA outside interface while connected to VPN you will need to use split-tunnel.

Here is the problem I just identified; my bad, it was so simple.
As per the configuration, the access to the server was http, so I was trying to access the ASA on http; rather, it should be via https (the ASA only supports https).

It worked with https://10.1.1.1

Thank you so much for replying.

I was using a web browser to access it (web-based, clientless).

Friend, you are so welcome, any time.

@Juni @Marius Gunnerud have a nice summer.

MHM

Juni
Level 1

Glad to have you, brother @MHM Cisco World, you too.