03-19-2012 09:43 AM - edited 02-21-2020 05:57 PM
I have an ASA5510 that I am trying to set up for remote access using SSL VPN with the AnyConnect client. I have followed the config guides on the Cisco website as well as the config guides elsewhere on the internet to no avail.
When going to https://(outside interface IP address), I get nothing; the browser never loads a page. Here are the commands I have entered:
! Global WebVPN: enable the listener on the outside interface and load the client packages
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
 svc image disk0:/anyconnect-macosx-powerpc-2.5.3046-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.5.3046-k9.pkg 3
 svc enable
 tunnel-group-list enable
! Group policy: SSL client (svc) only, split tunnelling from ACL "split"
group-policy VRx-WebVPN internal
group-policy VRx-WebVPN attributes
 dns-server value 192.168.100.11
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value vrx.net
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
! Tunnel group: pool, AAA server group and the policy above
tunnel-group VRx-WebVPN type remote-access
tunnel-group VRx-WebVPN general-attributes
 ! under general-attributes the keyword form is "address-pool <pool-name>" (no "value")
 address-pool vpn_pool
 authentication-server-group VRxAD
 default-group-policy VRx-WebVPN
tunnel-group VRx-WebVPN webvpn-attributes
 group-alias VRx-WebVPN enable
Has anyone ever seen this before---any ideas or what would be helpful in troubleshooting this further?
Thank you in advance!
Dave
03-19-2012 09:45 AM
Did you assign ssl trustpoint to the outside interface?
03-19-2012 09:47 AM
No, that wasn't mentioned in Cisco setup doc. How would I do that?
03-19-2012 11:18 AM
Hello David and Roman,
That step is not necessary, as the ASA will use its own automatically generated SSL certificate on its interfaces, but just to let you know, it's like this.
Let's give it a try and see if that makes a difference, but it should not.
1- First, let's create our own certificate
-crypto ca trustpoint #%^#@@ (whatever name you want to use)
-enrollment self
2- Enroll to the new certificate
-crypto ca enroll #%^#@@
3- Assign the new trustpoint to the outside interface
-ssl trustpoint #%^#@@ outside
Regards,
Julio
03-19-2012 11:31 AM
Thanks for the quick responses. I added the trustpoint but there was no change. So I turned on logging and got the following:
Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:(my public)/41263 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:(my public)/49580 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:(my public)/58353 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:(my public)/41263 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:(my public)/49580 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:10: %ASA-4-106023: Deny tcp src outside:(my public)/58353 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:16: %ASA-4-106023: Deny tcp src outside:(my public)/41263 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:16: %ASA-4-106023: Deny tcp src outside:(my public)/49580 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 17:15:16: %ASA-4-106023: Deny tcp src outside:(my public)/58353 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Then I added the following commands:
sysopt connection permit-vpn - no change - not sure if it takes the command, because I can't see it in "show run | inc sysopt"
access-list outside-in extended permit tcp any host (ASA outside interface IP) eq https - no more errors like above, but the same issue on the SSL VPN connection.
Is the firewall hosed or am I still missing something?
03-19-2012 11:37 AM
If you do a "show run all sysopt" you should see it.
Can you share your "show version"?
Regards
03-19-2012 11:45 AM
There it is! Found the sysopt command.
Show ver:
ASA up 14 hours 34 mins
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 5475.d0ba.637a, irq 9
1: Ext: Ethernet0/1 : address is 5475.d0ba.637b, irq 9
2: Ext: Ethernet0/2 : address is 5475.d0ba.637c, irq 9
3: Ext: Ethernet0/3 : address is 5475.d0ba.637d, irq 9
4: Ext: Management0/0 : address is 5475.d0ba.6379, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
03-19-2012 11:45 AM
rest of it:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.3(4)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
03-19-2012 11:49 AM
Hello David,
Glad you found the sysopt command.
Please do a debug for the WebVPN and then try to access the AnyConnect portal:
debug webvpn svc 255
Regards,
Do rate all the helpful posts
Julio
03-19-2012 12:02 PM
Same thing:
Mar 19 2012 18:02:41: %ASA-4-106023: Deny tcp src outside:(my public)/8321 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:41: %ASA-4-106023: Deny tcp src outside:(my public)/23013 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:41: %ASA-4-106023: Deny tcp src outside:(my public)/37752 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:44: %ASA-4-106023: Deny tcp src outside:(my public)/23013 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:44: %ASA-4-106023: Deny tcp src outside:(my public)/8321 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:44: %ASA-4-106023: Deny tcp src outside:(my public)/37752 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:50: %ASA-4-106023: Deny tcp src outside:(my public)/23013 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:50: %ASA-4-106023: Deny tcp src outside:(my public)/8321 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:02:50: %ASA-4-106023: Deny tcp src outside:(my public)/37752 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:03:02: %ASA-4-106023: Deny tcp src outside:(my public)/63310 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:03:05: %ASA-4-106023: Deny tcp src outside:(my public)/63310 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
Mar 19 2012 18:03:11: %ASA-4-106023: Deny tcp src outside:(my public)/63310 dst inside:(ASA outside interface IP)/443 by access-group "outside-in" [0x0, 0x0]
03-19-2012 12:28 PM
Hello David,
Hmm.. I am going to do a real quick lab setup for this.
Edit: Mine works with no problem; there has got to be something else in the configuration that is not allowing you to get the AnyConnect portal.
I used the same AnyConnect image and the same ASA image.
Julio
04-02-2012 03:57 AM
Please provide the "show ssl" output.
I've seen that problem when only AES was configured as the cipher suite.
04-02-2012 08:22 AM
ASA# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
outside interface: localtrust
Certificate authentication is not enabled
04-16-2012 04:00 PM
I finally resolved this issue. I found that there were a few NAT statements in my config left over from a previous engineer:
static (inside,outside) tcp xxx.xxx.xxx.xxx https xxx.xxx.xxx.xxx https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx http xxx.xxx.xxx.xxx http netmask 255.255.255.255
I removed those statements and then ran the "show asp table socket" command. It showed that SSL was NOT listening on the outside interface, but it was on the inside.
I ran the "no http server enable" command (most likely not needed). Then, under webvpn, "no enable outside" and then "enable outside" to refresh it.
At this point the "show asp table socket" command showed the outside interface listening for SSL. Then my SSL connections WORKED!!!
Thanks for all your help on this!
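The root cause above is worth turning into a check you can run before you touch a box: a static PAT that maps tcp/443 on the outside interface's own address to an inside host is applied before the ASA considers the packet to be "to the box", so the WebVPN listener on that interface never sees it and the traffic instead hits the interface ACL as through-the-box traffic. That is also consistent with the shape of the 106023 messages in the thread, where the destination is the outside interface's IP but the egress interface is "inside". The script below is an added example, not code from the thread or from Cisco; it parses an 8.2-style running-config fragment and a few syslog lines (both constructed here, using documentation address ranges) and flags (a) static PATs that shadow a tcp/443 listener that webvpn or the ASDM HTTP server needs on that interface, and (b) 106023 denies whose destination is one of the ASA's own addresses yet is being forwarded out a different interface. The config grammar it understands is only the handful of pre-8.3 commands it needs; anything else is ignored.

```python
"""Spot static PAT entries that hijack the AnyConnect/WebVPN (or ASDM) listener on
an ASA 8.2 interface, plus the tell-tale 106023 log pattern. Added example; the
config, log lines and addresses below are constructed, not taken from the thread."""
import re

PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ssh": 22}

# Constructed sample: outside IP 198.51.100.10, webvpn enabled on outside, and a
# leftover static PAT of tcp/443 on that same address to an inside web server.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
access-list outside-in extended permit tcp any host 198.51.100.10 eq smtp
access-group outside-in in interface outside
static (inside,outside) tcp 198.51.100.10 https 192.168.100.20 https netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.10 http 192.168.100.20 http netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.11 https 192.168.100.21 https netmask 255.255.255.255
http server enable
http 192.168.100.0 255.255.255.0 inside
webvpn
 enable outside
 svc enable
"""

SAMPLE_LOG = [  # constructed; same shape as the denies quoted in the thread
    'Mar 19 2012 17:15:07: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41263 '
    'dst inside:198.51.100.10/443 by access-group "outside-in" [0x0, 0x0]',
    'Mar 19 2012 17:15:09: %ASA-4-106023: Deny tcp src outside:203.0.113.5/41264 '
    'dst inside:192.168.100.50/445 by access-group "outside-in" [0x0, 0x0]',  # ordinary deny
]

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
LOG_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<sip>[^/]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[^/]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def _port(tok):
    """ASA port keyword or number -> int (None if unknown)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def parse_config(text):
    """Pull interface addresses, webvpn/ASDM listener interfaces and static PATs."""
    ifaces, statics, webvpn_ifs, asdm_ifs, http_server = [], [], set(), set(), False
    cur_if, in_webvpn = None, False
    for line in text.splitlines():
        if not line.startswith(" "):               # top-level command: close any stanza
            cur_if, in_webvpn = None, False
            toks = line.split()
            if line.startswith("interface "):
                cur_if = {}
                ifaces.append(cur_if)
            elif line == "webvpn":                  # indented " webvpn" under a group-policy is skipped
                in_webvpn = True
            elif line.startswith("http server enable"):
                http_server = True
            elif len(toks) == 4 and toks[0] == "http" and toks[1] != "redirect":
                asdm_ifs.add(toks[3])               # http <net> <mask> <ifname>
            else:
                m = STATIC_RE.match(line)
                if m:
                    statics.append((m.groupdict(), line))
            continue
        toks = line.split()
        if cur_if is not None:
            if toks[0] == "nameif":
                cur_if["name"] = toks[1]
            elif toks[:2] == ["ip", "address"]:
                cur_if["ip"] = toks[2]
        elif in_webvpn and toks[0] == "enable":
            webvpn_ifs.add(toks[1])
    iface_ip = {d["name"]: d["ip"] for d in ifaces if "name" in d and "ip" in d}
    return {"iface_ip": iface_ip, "webvpn_ifaces": webvpn_ifs,
            "asdm_ifaces": asdm_ifs, "http_server": http_server, "statics": statics}


def find_listener_conflicts(cfg):
    """(service, iface, static_line) for each static PAT that claims a TCP port the
    ASA itself must listen on for that interface (webvpn and ASDM both use 443)."""
    listeners = {(ifn, 443): "webvpn" for ifn in cfg["webvpn_ifaces"]}
    if cfg["http_server"]:
        for ifn in cfg["asdm_ifaces"]:
            listeners.setdefault((ifn, 443), "asdm")
    found = []
    for st, line in cfg["statics"]:
        ifn = st["mapped_if"]
        if st["proto"] == "tcp" and st["mapped_ip"] in ("interface", cfg["iface_ip"].get(ifn)):
            svc = listeners.get((ifn, _port(st["mapped_port"])))
            if svc:
                found.append((svc, ifn, line))
    return found


def misrouted_to_box_denies(log_lines, iface_ip):
    """106023 denies whose destination is an ASA interface address but whose egress
    interface is not the one owning it: the ASA treated to-the-box traffic as
    through-the-box, which is what a static/NAT on that address and port causes."""
    owner = {ip: ifn for ifn, ip in iface_ip.items()}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and owner.get(m["dip"]) not in (None, m["dif"]):
            hits.append((m["dip"], int(m["dport"]), m["dif"], line))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for svc, ifn, line in find_listener_conflicts(cfg):
        print(f"[{svc}] tcp/443 listener on '{ifn}' is shadowed by: {line}")
    for dip, dport, dif, _ in misrouted_to_box_denies(SAMPLE_LOG, cfg["iface_ip"]):
        print(f"to-the-box {dip}:{dport} forwarded toward '{dif}': look for a static/NAT on it")
```

Only the static on the outside interface's own address and port 443 is reported; the port-80 static and the one on 198.51.100.11 are left alone because they do not collide with a listener the ASA needs. On the appliance itself, "show asp table socket" remains the authoritative check, as the thread found: after removing the offending static, the listener for the interface only appears once webvpn is re-enabled on it.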