Cannot use Anyconnect

Lajja1234
Level 1

Hi!

My problem is that Anyconnect is not working.

I have 2 ASA. One working as a firewall and one working as a "VPN-Machine". The VPN-Machine is behind the firewall. When I am on the inside of the firewall the VPN works but not when I go outside of the firewall.

The only error I get from the anyconnect client is that the connection has timed out. I can not reach the website https://x.x.x.x.

I have made an access rule on the firewall allowing outside to connect to https://x.x.x.x then I have NATted the address to the internal address the VPN-Machine is using.

Any suggestion on what's wrong?

/Lajja

13 Replies

Lajja1234
Level 1

I do get hits on the rule on the firewall.

/Lajja

Andrew Phirsov
Level 7

If I understood you correctly, you're trying to use SSLVPN. That means that you should only allow on your firewall access from the outside to the 443/tcp (the default) on the IP address of your SSLVPN-server.

Check if you're using pre-natted ACEs in your ACL if using ASA OS post 8.2 version, or post-natted when using older versions of the OS.

I do only want to use the Anyconnect client, the webpage is only being used for testing.

I am using a static nat on the firewall. The fw is running ASA version 8.0.

/Lajja

If the x.x.x.x is the public ip, then the ACE, which allows access to the VPN-gateway, should use this IP with 8.0 software. Could you provide the config of your ACL and nat rules?

The x.x.x.x is the public IP and the rule is using public IP.

access-list outside-IN extended permit tcp any host x.x.x.x eq https

static (VPN_Out,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

/Lajja

This looks fine. VPN_ASA uses the firewall's VPN_Out IP as its default gateway?

Yes it does.

/Lajja
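For reference, here is a minimal version of the firewall and VPN-ASA configuration this thread describes, written out as an added example in 8.0-era syntax (it is not config posted by anyone in the thread). Assumptions: z.z.z.z is the firewall's VPN_Out interface address, the VPN ASA's interface facing the firewall is named outside, and the AnyConnect package file name is a placeholder.

```text
! --- Firewall ASA (8.0: pre-8.3 NAT, so the ACL matches the mapped/public IP) ---
! x.x.x.x = public address, y.y.y.y = real address of the VPN ASA on VPN_Out
access-list outside-IN extended permit tcp any host x.x.x.x eq https
! AnyConnect also tries DTLS on UDP 443; without this it falls back to TLS only
access-list outside-IN extended permit udp any host x.x.x.x eq 443
! The ACL only takes effect once it is bound to the outside interface
access-group outside-IN in interface outside
static (VPN_Out,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

! --- VPN ASA ---
! Return traffic must go back through the firewall (z.z.z.z is an assumed address)
route outside 0.0.0.0 0.0.0.0 z.z.z.z
! Port 443 on the VPN ASA is served by webvpn, not by the http (ASDM) server
webvpn
 enable outside
 svc image disk0:/anyconnect-win-VERSION.pkg
 svc enable

! --- Checks on the firewall while a client connects from the outside ---
show access-list outside-IN
show xlate
show conn | include x.x.x.x
```

If the ACE counter increments and an xlate exists but no connection ever completes, the usual remaining suspects are the VPN ASA's return route and whether webvpn is actually enabled on the interface the firewall forwards to.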

I think that's because you're accessing the default webpage, that's used for asdm/http management. In this case access is blocked, cause there's no http statement (which controls access to it) configured, allowing access to the device from the outside IPs.

It is working from inside the firewall.

I tried to add http to the ACL rule but it didn't work.

/Lajja

peter.ferl
Level 1

What ASAs do you have?

How many outside IPs do you have?

I would really think about your design .....

I have one 5520 and one 5505 and several external IP addresses. The reason I have two is that the 5520 is very old and will be replaced. And we want to try a new vpn solution and thought that anyconnect seems nice.

We do not want to buy extra licenses before we have had the chance to try how anyconnect works.

/Lajja

Put the 5505 on the outside network. Configure the 5520 with an additional IF. Connect the 5505 inside to the additional 5520 IF.

Use the 5505 for anyconnect.

Sorry but I can't do that. The firewall cannot be removed at any time.

/Lajja
