Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
815
Views
0
Helpful
3
Replies

ASA5506 cannot connect to VPN from outside

viktar
Level 1
Level 1

‎11-06-2020 10:00 AM

Hello All!

First of all, I'm new in Cisco firewalls but moderate in os and network configurations.

Our company is using ASA 5506 firewall and it works fine for most of it. Trying to setup remote access to our local network managed by Windows Server OS. Decided to go with AnyConnect. Went through the wizard ok. Even got AAA Server with RADIUS protocol working with our domain. The issue that I can connect to VPN from inside interface using local IP address but cannot connect from outside using our static public IP address (I don't use IPsec, just SSL). I can connect to firewall from outside using ASDM with no issues, so IP is correct. 

Please let me know if I missed any step(s).

Thanks in advance.

Labels:
0 Helpful
3 Replies 3

viktar
Level 1
Level 1

‎11-06-2020 10:12 AM

Just in case, running configuration:

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname XXXXXX
enable password
names
ip local pool TW-VPN-POOL 10.X.X.201-10.X.X.250 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address Y.Y.Y.Y 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.X.X.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Mitel587
host 10.X.X.80
object network FTP_Server
host 10.X.X.29
object network NETWORK_OBJ_10.X.X.96_30
subnet 10.X.X.96 255.255.255.252
object network NETWORK_OBJ_10.X.X.192_26
subnet 10.X.X.192 255.255.255.192
access-list outside_access_in extended permit tcp any object Mitel587 eq 587
access-list outside_access_in extended permit tcp any object FTP_Server eq ftp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.X.X.96_30 NETWORK_OBJ_10.X.X.96_30 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.X.X.192_26 NETWORK_OBJ_10.X.X.192_26 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network Mitel587
nat (any,outside) static interface service tcp smtp smtp
object network FTP_Server
nat (any,inside) static interface service tcp ftp ftp
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.Y.Y.193 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server TW_VPN protocol radius
aaa-server TW_VPN (inside) host 10.X.X.3
key *****
radius-common-pw *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.X.X.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint VPN_Cert
enrollment terminal
subject-name CN=ciscoasa
keypair AAAA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair AAAA
crl configure
crypto ca trustpoint FTP_cert
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint TW-VPN-Cert
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate fcb47e5f
308202d4 308201bc a0030201 020204fc b47e5f30 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 32303130 32373138 31343338
5a170d33 30313032 35313831 3433385a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100cd
0183760c b83866cd 7697d71c d9af31a6 0fac7b94 8651cbac 816b5741 762376f1
70c1d3ee 072c3b1c fd018e7b 6dca7afe 6f95bcf7 0169fd1f aea229da 7366ca20
0acc6efe 7bec592d a16345b6 07094503 7ce66ccc 5b32afda 60b6066e c27aa69b
0a4e8d4f ded0e4ee 950f2623 57490983 1e330e1c ae947fd6 6af01bc8 7c2bb5e7
f1ff21f4 9aedcf4f 2563b1b0 b5eb0806 07c5d2a5 c57a8f89 dd639216 ee09cc01
8ed348aa fe16523d 417701df 00ae9b7f 72b72083 dddf7355 c6b1e57a 938458c8
d204739f 12c92816 44bf7733 62dc331c 4729d364 8f2e3921 090e77a0 6424ba81
130af86e eb2ca0b2 9a420cd7 aebf3fec ee4dc000 12019e5e 1509cbfc 47ffcf02
03010001 300d0609 2a864886 f70d0101 05050003 82010100 3630ffd5 88fbca10
b62512c8 6d667a86 96cc4f9f 8d727ae9 6d00582a 8808b42f d87b0cba f2d7b595
145f0116 af0f7b68 111fe154 b942a34b b28eb051 ad44d772 8e57d692 c5341c79
e9305b8d ab168522 1c1398b6 39ef8ffc 06c0bc22 1f580037 fb3438b2 b7a0a15c
b646d6ba b930a3df 0f8c7eda b4ae4b91 f8653d80 745fae88 c6e5994f 4ffba53f
6fdbe087 4f7dc107 16153ae8 a387ff1c 27b436ca 41a5ce02 0fb0db2c 74de2f57
acffa25a ed49c3df 34a8e09f 16338e7b 7d802e9e f55682ef 969fad4e d85bc66e
dbaca1a3 b2779830 b0c94336 b391d873 53853131 95bb8906 98423462 33d34c5b
4d104d47 585e438a 28185f6a a0239329 d035ded5 599c2ccc
quit
crypto ca certificate chain FTP_cert
certificate fdb47e5f
308202d4 308201bc a0030201 020204fd b47e5f30 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 32303130 32383138 32373336
5a170d33 30313032 36313832 3733365a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100d6
c61517fe 8fed2080 291cff49 db318e13 16c35a2a ae5a9da8 defeb37d 84908e29
86c21b28 696153bc 3736137e 2059e305 d8852b19 6d031cb5 10afb2ef 975f2c99
45b202c8 42b8ff9d 2e1fafb7 839d3c2f 223c3791 e76feaa9 41915a3b 633557fa
93afc296 45fdb470 0c1451a1 faf954cc b6a22c86 8c5467c7 6be435d1 ba476944
f4f82620 e4dda93b d09ade0f 39e2d983 104e245c 18ee2182 323190f1 97a5e21d
992ba361 90b1ec81 d6ef3319 ef79a553 51cf3d63 d90886fb 6ed12fc2 00f7e28b
82c4aa6a 9fb31980 077fbcf9 77d699d9 8c0645ec 7c542deb 0cb873d3 e750901b
2adf9f8f 2eb56375 2d8d9dd3 194152da 7b5eb6b0 7db178a6 738e9198 92452302
03010001 300d0609 2a864886 f70d0101 05050003 82010100 76efbb89 9baff66c
a2903c85 9d072e93 e2ed9949 87f249b4 39c99f83 c4df11fb b0af6b65 56aa5e5a
28a63f28 56582330 20b9ddfc 4daf9a57 1f210450 ff9cce56 1ce78485 6198f081
42604794 c71ddc47 96d8f074 f79ae261 ac4b2e21 82b7d850 0d588dd0 8c1a9131
6588bf5f acd2bc7b 208fd056 c9a9b314 273f5955 3928c1a4 b140c00c c70fa078
ee78b783 dcf6427a 3af4677d b555a8b5 2fe8894a 0e02f734 e2acec64 04cf0041
9e14a31d e96b8874 f22d9c7c 203b6fcf 715814f5 9cbbcf33 0d48cd84 9eeccbc0
a15d69ac fc922711 a37f83a4 9e3fa66e 3ef51a3f 38b8f23e bf5f8411 74e044b4
bfaaafbd 296042bd 5079e053 274bb9f6 7d8bfcd7 07169d55
quit
crypto ca certificate chain TW-VPN-Cert
certificate 9d64a45f
308202d4 308201bc a0030201 0202049d 64a45f30 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 32303131 30363137 32373436
5a170d33 30313130 34313732 3734365a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100d6
c61517fe 8fed2080 291cff49 db318e13 16c35a2a ae5a9da8 defeb37d 84908e29
86c21b28 696153bc 3736137e 2059e305 d8852b19 6d031cb5 10afb2ef 975f2c99
45b202c8 42b8ff9d 2e1fafb7 839d3c2f 223c3791 e76feaa9 41915a3b 633557fa
93afc296 45fdb470 0c1451a1 faf954cc b6a22c86 8c5467c7 6be435d1 ba476944
f4f82620 e4dda93b d09ade0f 39e2d983 104e245c 18ee2182 323190f1 97a5e21d
992ba361 90b1ec81 d6ef3319 ef79a553 51cf3d63 d90886fb 6ed12fc2 00f7e28b
82c4aa6a 9fb31980 077fbcf9 77d699d9 8c0645ec 7c542deb 0cb873d3 e750901b
2adf9f8f 2eb56375 2d8d9dd3 194152da 7b5eb6b0 7db178a6 738e9198 92452302
03010001 300d0609 2a864886 f70d0101 05050003 82010100 75a1b782 94269481
415329a8 f4b9fd1d 45c016aa 041ff3b8 e99f4b9c ef8ef453 745f7170 e2e06c65
59c98600 9ccfe570 cc25c198 de69548c b7033abf 60b1dbaa 58756224 56920240
30d82002 28856317 bd85b2a7 b1fef33a 481d791d 36753819 900c0710 8bd36170
2dfc15d4 1553eedc c6ce04e3 e7503bf7 b7b62a70 f9b4e6b9 58a1bee0 1dc868b2
cb9e07d4 a8521a23 feb4b70c 7949a913 afcf7fb5 f3468c27 1712a3cc 37872c09
1f843b71 6e90e4a3 36749792 fc608f45 912185f0 29d8e41a 8c410e25 6403919d
567d3943 bc1230b8 99de596d cb755940 fd7cbeff fc337e1c 92128539 01ad2fdd
af3fe23c 7fc7801d 7036ad0a 0ac47c42 43dd11cb 2e2d1647
quit
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign local

dhcpd auto_config outside
!
dhcpd dns 24.226.1.95 8.8.8.8 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.239.35.0 source outside prefer
ntp server 216.239.35.4 source outside
ntp server 216.239.35.8 source outside
ntp server 216.239.35.12 source outside
ssl trust-point TW-VPN-Cert outside
ssl trust-point TW-VPN-Cert inside
webvpn
enable outside
enable inside
anyconnect image disk0:/Anyconnect/anyconnect-win-4.9.01095-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 10.X.X.3
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value TW
group-policy GroupPolicy_TRIWAY-VPN internal
group-policy GroupPolicy_TRIWAY-VPN attributes
wins-server none
dns-server value 10.X.X.3
vpn-tunnel-protocol ssl-client
default-domain value TW.local
dynamic-access-policy-record DfltAccessPolicy
username testvpn password nCx3vjbhK8pGV0KL encrypted
username twadmin password p.tN1xL.HcCXHckG encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group TW_VPN
dhcp-server 10.X.X.3
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group TW_VPN
dhcp-server 10.X.X.3
tunnel-group TRIWAY-VPN type remote-access
tunnel-group TRIWAY-VPN general-attributes
address-pool TW-VPN-POOL
default-group-policy GroupPolicy_TRIWAY-VPN
dhcp-server 10.X.X.3
tunnel-group TRIWAY-VPN webvpn-attributes
group-alias TRIWAY-VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8f83b4ae8d14b687d6b545eb1ca55067
: end
no asdm history enable

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎11-06-2020 10:17 AM - edited ‎11-06-2020 10:20 AM

if you like to remote users to login you need to use outside Public IP address  - since we are not sure what kind of error you getting it is hard to imagine what went wrong.

 

suggest look below guide step by step and try outside connecting. (still has issue post the configuration)

 

https://www.petenetlive.com/KB/Article/0000069

Good video

 

https://www.youtube.com/watch?v=-KY7MF016P4

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SSL Remote VPN on Cisco ASA by GUI (Cisco ASDM)_Part01
SSL Remote VPN on Cisco ASA by GUI (Cisco ASDM)_Part01
youtube.com/watch?v=-KY7MF016P4
in this video i want to show all of you about : VPN Remote Access on Cisco ASA with Cisco Anyconnect by GUI. for more video : https://www.youtube.com/channel/UCrpVZG9R8l7-qRwA1qZBw0w
0 Helpful

viktar
Level 1
Level 1
In response to balaji.bandi

‎11-06-2020 12:29 PM

Hello BB,

 

Thanks for a quick respond. Apparently, I was ably to connect after restarting the firewall.

Will test further for any issues.

0 Helpful
Customers Also Viewed These Support Documents