04-24-2013 01:10 AM - last edited on 02-21-2020 11:53 PM by cc_security_adm
Hi!
My problem is that AnyConnect is not working.
I have 2 ASAs. One works as a firewall and one works as a "VPN-Machine". The VPN-Machine is behind the firewall. When I am on the inside of the firewall the VPN works, but not when I go outside of the firewall.
The only error I get from the AnyConnect client is that the connection has timed out. I cannot reach the website https://x.x.x.x.
I have made an access rule on the firewall allowing outside to connect to https://x.x.x.x, then I have NATted the address to the internal address the VPN-Machine is using.
Any suggestion on what's wrong?
/Lajja
04-24-2013 01:12 AM
I do get hits on the rule on the firewall.
/Lajja
04-24-2013 01:25 AM
If I understood you correctly, you're trying to use SSL VPN. That means that you should only allow on your firewall access from the outside to 443/tcp (the default) on the IP address of your SSL VPN server.
Check if you're using pre-natted ACEs in your ACL if using ASA OS post 8.2 version, or post-natted when using older versions of the OS.
04-24-2013 01:29 AM
I only want to use the AnyConnect client; the webpage is only being used for testing.
I am using a static NAT on the firewall. The FW is running ASA version 8.0.
/Lajja
04-24-2013 01:42 AM
If the x.x.x.x is the public IP, then the ACE which allows access to the VPN gateway should use this IP with 8.0 software. Could you provide the config of your ACL and NAT rules?
04-24-2013 01:53 AM
The x.x.x.x is the public IP and the rule is using public IP.
access-list outside-IN extended permit tcp any host x.x.x.x eq https
static (VPN_Out,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
/Lajja
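As an added illustration (not part of the original thread, and not Lajja's actual configuration), the same rule set written out for both ASA generations the replies mention, plus the checks a practitioner would run on the firewall before looking anywhere else. The interface names `outside` and `VPN_Out`, the access-list name `outside-IN`, the object name `VPN_ASA`, the placeholder addresses x.x.x.x (public) and y.y.y.y (real), and the test client 203.0.113.10 are assumptions taken from the thread or invented for the example.

```cisco
! ---- ASA 8.0 - 8.2 (what the thread runs) ----
! Pre-8.3 code: the ACE on the outside interface must match the
! translated (public) address, because NAT is applied before the ACL.
static (VPN_Out,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list outside-IN extended permit tcp any host x.x.x.x eq https
! AnyConnect also tries DTLS on udp/443 by default; if it is blocked the
! client falls back to TLS over tcp/443, so this line is optional but
! avoids the slower fallback.
access-list outside-IN extended permit udp any host x.x.x.x eq 443
! The ACL does nothing until it is bound to the interface.
access-group outside-IN in interface outside

! ---- ASA 8.3 and later (for comparison) ----
! Post-8.3 code: the ACE must match the real (untranslated) address,
! because the ACL is now evaluated before NAT.
object network VPN_ASA
 host y.y.y.y
 nat (VPN_Out,outside) static x.x.x.x
access-list outside-IN extended permit tcp any object VPN_ASA eq https
access-list outside-IN extended permit udp any object VPN_ASA eq 443
access-group outside-IN in interface outside

! ---- Checks on the firewall (either version) ----
! Simulate an outside client hitting the public address; the output
! shows each phase (ACL, NAT, route) and which one drops the packet.
packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.x 443 detailed
! Confirm the ACE is actually being hit (hitcnt) while a real client tests.
show access-list outside-IN
! Confirm the translation exists and is being used.
show xlate | include y.y.y.y
! Capture on both sides: a SYN seen on outside but no SYN on VPN_Out
! points at the firewall; a SYN on VPN_Out with no SYN/ACK back points
! at the VPN ASA (listener not enabled on that interface, or its default
! route not pointing back at the firewall's VPN_Out address).
capture out interface outside match tcp any host x.x.x.x eq 443
capture in interface VPN_Out match tcp any host y.y.y.y eq 443
show capture out
show capture in
```

On the VPN ASA itself the corresponding check is that `webvpn` has `enable <interface>` on the interface facing the firewall and that the interface the firewall NATs to is the one the client traffic arrives on; a hit count that grows on the firewall ACE while no SYN/ACK returns on the VPN_Out capture is the usual sign the problem is on the VPN ASA, not the rule.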
04-24-2013 02:02 AM
This looks fine. Does the VPN ASA use the firewall's VPN_Out IP as its default gateway?
04-24-2013 02:06 AM
Yes it does.
/Lajja
04-24-2013 02:16 AM
I think that's because you're accessing the default webpage that's used for ASDM/HTTP management. In this case access is blocked, because there's no http statement (which controls access to it) configured allowing access to the device from the outside IPs.
04-24-2013 02:21 AM
It is working from inside the firewall.
I tried to add http to the ACL rule but it didn't work.
/Lajja
04-24-2013 04:35 AM
What ASAs do you have?
How many outside IPs do you have?
I would really think about your design...
04-24-2013 04:44 AM
I have one 5520 and one 5505 and several external IP addresses. The reason I have two is that the 5520 is very old and will be replaced. We want to try a new VPN solution and thought that AnyConnect seems nice.
We do not want to buy extra licenses before we have had the chance to try how anyconnect works.
/Lajja
04-24-2013 04:55 AM
Put the 5505 on the outside network. Configure the 5520 with an additional interface. Connect the 5505's inside to the additional 5520 interface.
Use the 5505 for AnyConnect.
04-24-2013 06:34 AM
Sorry but I can't do that. The firewall cannot be removed at any time.
/Lajja