ASA5506 Anyconnect no connection

ascii
Level 1

Hello together,

I recently upgraded from my ASA5505 to a 5506.

Everything went well except the AnyConnect connection.

For some reason I can't connect to the ASA.

Sadly my ISP only gives me a private IP with a crappy router, so I have to double NAT. That works fine. I created a port forwarding and set the ASA as the DMZ host.

I tapped into the link and dumped the traffic. I can see the AnyConnect request coming in and being sent to the ASA. The ASA does not answer the request and therefore the connection times out.

Maybe someone has a hint for me.

Just for the dump I created more NAT rules to exclude a couple of hosts from the capture.

The same goes for an IPsec connection.

The full config is attached.

 

name 192.168.2.6 SYNO
name 192.168.2.10 SIP-Phone
ip local pool ssl-home 172.30.0.2-172.30.0.12 mask 255.255.255.128
ip local pool ssl-gast 172.30.0.130-172.30.0.140 mask 255.255.255.128

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.0.234 255.255.255.0 

boot system disk0:/asa992-1-lfbff-k8.SPA

access-list VPN-Gast extended deny ip object ssl-pool 192.168.2.0 255.255.255.128 
access-list VPN-Gast extended permit ip object ssl-pool any 
access-list local_access_in extended permit ip any any 
access-list SFR extended permit ip 192.168.2.0 255.255.255.128 any 
access-list SFR extended permit ip any 192.168.2.0 255.255.255.128 
access-list sip-phones_access_in extended permit ip any any log disable 
access-list guest_access_in extended deny ip any 192.168.4.0 255.255.255.248 log disable 
access-list guest_access_in extended deny ip any 192.168.2.0 255.255.255.128 log disable 
access-list guest_access_in extended permit ip any any log disable 
access-list global_access extended permit ip any any log critical inactive 
access-list sip-phones_access_in_1 extended permit ip object SIP-phone any 
access-list guest_access_in_1 extended deny ip 192.168.13.0 255.255.255.0 192.168.14.0 255.255.255.248 log disable 
access-list guest_access_in_1 extended deny ip 192.168.13.0 255.255.255.0 192.168.2.0 255.255.255.128 log disable 
access-list guest_access_in_1 extended permit ip any any 
access-list local_access_in_1 extended permit ip any any 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list outside_access_in extended permit object-group TCPUDP any 192.168.0.0 255.255.255.0 eq 8443 log alerts 
access-list outside_access_in extended permit icmp any 192.168.0.0 255.255.255.0 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
access-list sip-phones_access_in_2 extended permit ip any any 
access-list Gi1/4_access_in extended permit ip any any 
access-list Gi1/2_access_in extended permit ip any any 


nat (outside,outside) source static ssl-pool interface
nat (outside,outside) source dynamic ssl-pool interface
nat (outside,Gi1/4) source static ssl-vpn ssl-vpn destination static local local no-proxy-arp route-lookup
nat (outside,any) source static ssl-gast ssl-gast destination static local local no-proxy-arp route-lookup inactive
nat (guest,outside) source static guest-network guest-nat
nat (outside,Gi1/3) source static ssl-gast ssl-gast destination static local local no-proxy-arp route-lookup inactive
nat (outside,sip-phones) source static sipgate-signalisierung sipgate-signalisierung destination static interface SIP-phone service udp-5060 udp-5060
nat (outside,sip-phones) source static sipgate-stun sipgate-stun destination static interface SIP-phone service udp-3478 udp-3478
nat (outside,sip-phones) source static sipgate-01 sipgate-01 destination static interface SIP-phone service udp-3478 udp-3478
nat (outside,any) source static any any destination static interface NAS service tcp-19717 tcp-19717 inactive
nat (outside,any) source static any any destination static interface NAS service udp-19717 udp-19717 inactive
nat (Gi1/4,outside) source static NAS NAS-NAT
nat (outside,Gi1/4) source static any any destination static NAS-NAT NAS
nat (outside,sip-phones) source static sipgate-01 sipgate-01 destination static interface SIP-phone service udp-5004 udp-5004 inactive
nat (sip-phones,outside) source static SIP-phone interface
nat (any,outside) source static 192.168.2.0 interface
nat (Gi1/4,Gi1/4) source static local local destination static local local no-proxy-arp
nat (Gi1/4,outside) source dynamic local interface

access-group outside_access_in in interface outside
access-group Gi1/2_access_in in interface Gi1/2
access-group Gi1/4_access_in in interface Gi1/4
access-group sip-phones_access_in_2 in interface sip-phones
access-group guest_access_in_1 in interface guest
access-group local_access_in_1 in interface local
access-group global_access global

ssl trust-point VPN outside
ssl trust-point VPN Gi1/2
ssl trust-point VPN Gi1/3
ssl trust-point VPN Gi1/4
ssl trust-point VPN sip-phones
ssl trust-point VPN guest
ssl trust-point VPN local
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 guest vpnlb-ip

webvpn
 port 443
 enable outside
 enable Gi1/4
 enable local
 dtls port 443
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.6.00362-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.6.00362-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 banner value welcome home
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client 
 default-domain value vpn.dom
 address-pools value ssl-home ssl-gast
group-policy ipsec-test internal
group-policy ipsec-test attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 
 default-domain value guest.dom
dynamic-access-policy-record DfltAccessPolicy
username mobile-device password XYZ encrypted
username mobile-device attributes
 vpn-simultaneous-logins 3
 service-type remote-access

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ssl-home
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool (outside) ssl-home
 address-pool ssl-home
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias home enable
0 Replies 0
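When reading a post like this, the first thing a reviewer wants is a quick, mechanical summary of the AnyConnect-relevant parts of the pasted config: on which interfaces webvpn is enabled, on which port, whether every such interface has an SSL trust-point bound, what address the outside interface carries, and which NAT rules have the same interface on both sides. The script below is an added example, not the poster's tooling or Cisco's; it parses ASA running-config text by grouping indented lines under their parent command and reports those facts. The embedded config is a constructed excerpt of the lines from the post that the check uses, and the "findings" it emits are observations to verify against the device (for instance that an RFC 1918 outside address depends on the upstream router forwarding the VPN port), not a diagnosis.

```python
"""Summarize the AnyConnect (webvpn) settings in a pasted Cisco ASA config.

Added example for this thread, not the original poster's tooling.
Assumes ASA CLI syntax as shown in the post: sub-commands are indented by
one space under their parent command.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the poster's config (only lines this check uses).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.0.234 255.255.255.0
nat (outside,outside) source static ssl-pool interface
nat (outside,outside) source dynamic ssl-pool interface
ssl trust-point VPN outside
ssl trust-point VPN Gi1/2
ssl trust-point VPN Gi1/4
ssl trust-point VPN local
webvpn
 port 443
 enable outside
 enable Gi1/4
 enable local
 dtls port 443
 anyconnect enable
 tunnel-group-list enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool (outside) ssl-home
 default-group-policy GroupPolicy_VPN
"""


@dataclass
class WebvpnSummary:
    port: Optional[int] = None
    dtls_port: Optional[int] = None
    enabled_ifaces: List[str] = field(default_factory=list)
    anyconnect_enabled: bool = False
    trust_points: Dict[str, str] = field(default_factory=dict)  # nameif -> trust-point
    interface_ips: Dict[str, str] = field(default_factory=dict)  # nameif -> address
    nat_same_iface: List[str] = field(default_factory=list)


def parse_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Group each indented sub-command under the unindented command above it."""
    sections: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def summarize(text: str) -> WebvpnSummary:
    """Extract the webvpn, trust-point, interface and NAT facts from the config."""
    s = WebvpnSummary()
    for head, body in parse_sections(text):
        if head == "webvpn":
            for line in body:
                if line.startswith("dtls port "):      # check before the plain "port" line
                    s.dtls_port = int(line.split()[2])
                elif line.startswith("port "):
                    s.port = int(line.split()[1])
                elif line.startswith("enable "):
                    s.enabled_ifaces.append(line.split()[1])
                elif line == "anyconnect enable":
                    s.anyconnect_enabled = True
        elif head.startswith("interface "):
            nameif = addr = None
            for line in body:
                if line.startswith("nameif "):
                    nameif = line.split()[1]
                elif line.startswith("ip address "):
                    addr = line.split()[2]
            if nameif and addr:
                s.interface_ips[nameif] = addr
        elif head.startswith("ssl trust-point "):
            parts = head.split()                      # ssl trust-point <name> <nameif> [...]
            s.trust_points[parts[3]] = parts[2]
        elif head.startswith("nat ("):
            m = re.match(r"nat \((\S+?),(\S+?)\)", head)
            if m and m.group(1) == m.group(2):
                s.nat_same_iface.append(head)
    return s


def findings(s: WebvpnSummary) -> List[str]:
    """Observations a reviewer would verify on the box; not a root-cause diagnosis."""
    out: List[str] = []
    for iface in s.enabled_ifaces:
        if iface not in s.trust_points:
            out.append(f"webvpn enabled on {iface} but no ssl trust-point bound")
    if not s.anyconnect_enabled:
        out.append("'anyconnect enable' is missing under webvpn")
    if s.port != s.dtls_port:
        out.append(f"TLS port {s.port} and DTLS port {s.dtls_port} differ; forward both")
    outside = s.interface_ips.get("outside")
    if outside and ipaddress.ip_address(outside).is_private:
        out.append(f"outside address {outside} is RFC 1918; the upstream router must "
                   f"forward TCP and UDP {s.port} to it")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_CONFIG)
    print(summary)
    for f in findings(summary):
        print("-", f)
```

Run it against the full pasted config to get the same summary for every interface; the same-interface NAT list is reported only so that the `(outside,outside)` rules for the SSL pool are visible next to the webvpn settings when someone reviews the capture.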