VPN stopped working after ISP change

jsf (Level 1)

Hello,

I will preface my question with the following information: I am quite new to the Cisco world and still use the ASDM for most configuration changes, with some command-line experience.

ASA-5508-X / v9.7(1)4

I’ve been running this ASA on a secondary network for a week and it has been running flawlessly.  I successfully configured the remote client VPN using AnyConnect and the Clientless SSL VPN and it worked on the lab bench when connecting from an outside network.

After switching the ASA to new outside connection (new ISP), the VPN stopped working.  Right now, I’m focusing on the clientless SSL VPN.  Port 443 is open and listening, but the ASA fails to respond to connection requests.

Where should I be looking to troubleshoot this problem?

Thank you.

Hi,
Can you access the internet from behind the ASA? Can you ping something (8.8.8.8) from the ASA itself?

When you changed the ASA to the new ISP connection, did you change the IP address of the outside interface? Did you modify the default route to point to the correct next hop?

Perhaps you could upload your configuration for review?

HTH

Hi RJI,

I currently have 20 users testing it and everyone has access to the internet, and no problems pinging that address.

The new ISP assigns "static" IPs dynamically, so my change was to switch the outside interface to use DHCP. I did not modify anything past that.

I'll edit this post shortly with the config.

Ok, do you have an FQDN, and does that resolve to the new IP address? Or do the users just connect to the public IP address?

Just using the public IP.

Config:

Result of the command: "show running-config"

: Saved
:
: Serial Number: <serialnumber>
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.7(1)4
!
hostname <hostname>
domain-name <domainname>
enable password <enablepassword>
names
!
interface GigabitEthernet1/1
 description Main outside interface
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <domainname>
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service SMB30
 service tcp source eq 445 destination eq 445
 description SMB30
object-group service Microsoft tcp
 description Microsoft Specific Services
 port-object eq 445
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 172.16.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint_SelfSigned
 enrollment self
 fqdn vpn.##.##
 subject-name CN=vpn.##.##
 keypair <keypair>
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint_SelfSigned
 certificate ...
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain <dhcpdomain>
!
dhcpd address 172.16.2.100-172.16.2.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint_SelfSigned outside
webvpn
 enable outside
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value <localservername>
dynamic-access-policy-record DfltAccessPolicy
username <username>
tunnel-group <tunnel-group> type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:303b8abb64fc5ecb67e8695e57a66614
: end

Have you removed some config for the group-policy and tunnel-group? Have you defined the vpn-tunnel-protocol to use, e.g. ssl-clientless? I don't see it in the output.

If you don't see it, then I'm guessing not. I used the included ASDM VPN "Wizard" to configure the VPNs.

Would the Wizard have failed to create those entries? Regardless, what would you recommend as a next step?

Thank you

If you check the Default Group Policy under the General section (from memory), ensure the Clientless SSL tunnel protocol is selected.

Yes, Clientless SSL VPN is selected, along with IPSec IKEv1 and 2 and L2TP.

Ok, does the tunnel-group actually reference that GP? Are there any other GPs?

Aside from the ASA configuration, assuming only the outside IP address has changed, is it likely the ISP has an ACL and is filtering traffic? Do you see anything in the ASDM logs indicating an inbound connection attempt?

Only a single GP, and yes it is referenced.

I've got a ticket in with the ISP to see if they are indeed blocking port 443, or if there is another layer in front of the ASA listening on port 443.

Thanks for your help btw.

So no port blocking from the ISP, but the support technician didn't seem all that sure.

That being said, would setting up a simple port forward for one of our local web servers be a good test to see if the ISP is blocking traffic?

If so, can you recommend a good guide on how to port forward 80 to a specific machine on our network?

Thank you,

Here is an example of a static NAT. You reference the private IP address in the ACL rule, and the ACL has to be applied inbound on the outside interface:

object network SRV1
 host 192.168.10.5
 nat (inside,outside) static 1.1.1.10
access-list OUTSIDE->IN permit tcp any host 192.168.10.5 eq 80
access-group OUTSIDE->IN in interface outside

Run a packet capture on the ASA and make sure you can actually see the traffic inbound.

HTH
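The static NAT above maps the server to a second public address. The ASA in this thread has only the single DHCP-assigned address on its outside interface, so the port-forward test the original poster asked about has to be a static PAT to the interface address instead. The following is an added example, not RJI's configuration; the object name, the internal address 172.16.2.50, the ACL name and the capture name are constructed placeholders, chosen to match the 172.16.2.0/24 inside network shown in the posted config:

```cisco
! Added example (not from the thread): forward inbound TCP/80 arriving on the
! DHCP-assigned outside address to an internal web server, then verify that
! the ISP is actually delivering the packets. Names/addresses are constructed.
object network WEB_SRV
 host 172.16.2.50
 nat (inside,outside) static interface service tcp 80 80
!
! Permit the inbound connection. ASA 8.3+ evaluates ACLs on the real
! (un-translated) address, so the ACL references the object, not the public IP.
! Keep the rule narrow: only the one port that is being tested.
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 80
access-group OUTSIDE_IN in interface outside
!
! Verification: capture port-80 traffic on the outside interface, connect from
! an external host, then inspect what arrived and whether a connection built.
capture CAP_WEB interface outside match tcp any any eq 80
show capture CAP_WEB
show nat detail
show conn address 172.16.2.50
!
! Remove the capture and the test rule when the check is finished.
no capture CAP_WEB
no access-group OUTSIDE_IN in interface outside
```

Reading the capture: SYNs that appear in CAP_WEB prove the ISP is passing port 80; SYNs with no matching SYN/ACK point back at the ASA (NAT, ACL, or the server itself), while an empty capture after a connection attempt from outside points at the ISP or at another device in front of the ASA.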

Hi RJI,

I managed to get port forwarding working with one of our local web servers and can access it from the outside world.  The command-line interface is definitely superior.  Still having VPN issues, but at least I know that the ISP is not port blocking.

I will find a guide to walk me through VPN setup via CLI. Do you have one you can recommend?

Thanks for all your help.

Accepted Solution

Hi,

Here is an example of how to configure AnyConnect SSLVPN via CLI. If you've still got problems, upload the new configuration.

HTH
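The guide linked in the accepted solution is not reproduced on this page. As an added example, not the linked guide and not anything the original poster ran, here is a minimal clientless SSL VPN configuration for ASA 9.x that makes explicit the pieces RJI asked about (vpn-tunnel-protocol, and a tunnel-group that references the group policy), followed by the checks to run on a listener that accepts nothing. It reuses the trustpoint name and the `<localservername>` URL-list placeholder from the posted config; the group-policy name CLIENTLESS_GP, tunnel-group name CLIENTLESS_TG, the user name vpnuser and the capture name are constructed placeholders:

```cisco
! Added example (not the linked guide): explicit clientless SSL VPN on ASA 9.x.
! CLIENTLESS_GP, CLIENTLESS_TG, vpnuser and CAP_SSL are constructed names.
!
! Listener: bind the existing self-signed trustpoint and enable WebVPN outside.
ssl trust-point ASDM_TrustPoint_SelfSigned outside
webvpn
 enable outside
!
! Dedicated group policy that permits only the clientless protocol, rather
! than relying on whatever DfltGrpPolicy inherits (defaults are not shown
! by a plain "show running-config").
group-policy CLIENTLESS_GP internal
group-policy CLIENTLESS_GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value <localservername>
!
! Local user pinned to that group policy and limited to remote-access use.
username vpnuser password <password-placeholder>
username vpnuser attributes
 vpn-group-policy CLIENTLESS_GP
 service-type remote-access
!
! Connection profile (tunnel-group) that actually references the group policy.
tunnel-group CLIENTLESS_TG type remote-access
tunnel-group CLIENTLESS_TG general-attributes
 default-group-policy CLIENTLESS_GP
tunnel-group CLIENTLESS_TG webvpn-attributes
 group-alias clientless enable
!
! Verification, in the order to check when the portal does not answer:
! 1. Is the listener enabled on the outside interface?
show run webvpn
! 2. Is the certificate really bound to the interface?
show ssl
! 3. Does the effective group policy (including inherited defaults) allow
!    ssl-clientless, and does the tunnel-group point at it?
show run all group-policy CLIENTLESS_GP
show run tunnel-group CLIENTLESS_TG
! 4. Do port-443 SYNs reach the outside interface at all, and does the ASA
!    answer them? Connect from an external host while the capture is running.
capture CAP_SSL interface outside match tcp any any eq 443
show capture CAP_SSL
show asp drop
! 5. Any sessions established?
show vpn-sessiondb webvpn
no capture CAP_SSL
```

Step 4 is the one that separates the two failure classes in this thread: SYNs visible in CAP_SSL with no SYN/ACK from the ASA mean the ASA itself is not serving (listener, certificate, or policy); no SYNs at all means the packets never arrive, which is the ISP-filtering or intermediate-device case the original poster later ruled out with the port-80 test.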