cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8490
Views
10
Helpful
18
Replies

VPN stopped working after ISP change

jsf
Level 1
Level 1

Hello,

I will preface my question with the following information, I am quite new the Cisco world and still use the ASDM for most of configuration changes with some command line experience.

 

ASA-5508-X / v9.7(1)4

 

I’ve been running this ASA on a secondary network for a week and it has been running flawlessly.  I successfully configured the remote client VPN using AnyConnect and the Clientless SSL VPN and it worked on the lab bench when connecting from an outside network.

After switching the ASA to new outside connection (new ISP), the VPN stopped working.  Right now, I’m focusing on the clientless SSL VPN.  Port 443 is open and listening, but the ASA fails to respond to connection requests.

 

Where should I be looking to troubleshoot this problem?

 

Thank you.

1 Accepted Solution

Accepted Solutions

Hi,

Here is an example how to configure AnyConnect SSLVPN via CLI. If you've still got problems, upload the new configuration

 

HTH

View solution in original post

18 Replies 18

Hi,
Can you access the internet from behind the ASA? Can you ping something (8.8.8.8) from the ASA itself?

When you changed the ASA to the new isp connection, did you change the ip address of the outside interface? Did you modify the default route to point to the correct next hop?

Perhaps you could upload you configuration for review?

HTH

Hi RJI,

 

I current have 20 users testing it and everyone has access to internet, and no problems pinging that address.

 

The new ISP assigns "static" IP's dynamically, so my change was to switch the outside interface to use DHCP.  I did not modify anything past that.

 

I'll edit this post shortly with the config.

Ok, do you have an FQDN and does that resolve the new IP address? Or does the users just connect to the public IP address?

Just using the public IP.

 

Config:


Result of the command: "show running-config" : Saved : : Serial Number: <serialnumber> : Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores) : ASA Version 9.7(1)4 ! hostname <hostname> domain-name <domainname> enable password <enablepassword> names ! interface GigabitEthernet1/1 description Main outside interface nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet1/2 nameif inside security-level 100 ip address 172.16.2.1 255.255.255.0 ! interface GigabitEthernet1/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface Management1/1 management-only no nameif no security-level no ip address ! ftp mode passive dns server-group DefaultDNS domain-name <domainname> object network obj_any subnet 0.0.0.0 0.0.0.0 object service SMB30 service tcp source eq 445 destination eq 445 description SMB30 object-group service Microsoft tcp description Microsoft Specific Services port-object eq 445 pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 no failover no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! object network obj_any nat (any,outside) dynamic interface ! nat (inside,outside) after-auto source dynamic any interface timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL http server enable http 172.16.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint ASDM_TrustPoint_SelfSigned enrollment self fqdn vpn.##.## subject-name CN=vpn.##.## keypair <keypair> crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_TrustPoint_SelfSigned certificate ... quit telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd dns 8.8.8.8 8.8.4.4 dhcpd domain <dhcpdomain> ! dhcpd address 172.16.2.100-172.16.2.254 inside dhcpd auto_config outside interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ssl trust-point ASDM_TrustPoint_SelfSigned outside webvpn enable outside cache disable error-recovery disable group-policy DfltGrpPolicy attributes webvpn url-list value <localservername> dynamic-access-policy-record DfltAccessPolicy username <username> tunnel-group <tunnel-group> type remote-access ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:303b8abb64fc5ecb67e8695e57a66614 : end

 

Have you removed some config for the group-policy and tunnel-group? Do you have defined the vpn-tunnel-protocol to use e.g ssl-clientless? I don't see it in the output

 

 

If you don't see it, then I'm guessing not.  I use thed included ADSM VPN "Wizard" to configure the VPNs.

 

Would the Wizard failed to create those entries?  Regardless, what would you recommend as a next step?

 

Thank you

If you check the Default Group Policy under the General section (from memory) ensure the Clientless SSL tunnel protocol is selected.

Yes, Clientless SSL VPN is selected, along with IPSec IKEv1 and 2 and L2TP.

 

Ok, does the tunnel-group actually reference that GP? Are there any other GP's?

Aside from the ASA configuration, assuming only the outside ip address has changed, is it likely the ISP has an ACL and filtering traffic? Do you see anything in the ASDM logs indicating an inbound connection attempt?

Only a single GP, and yes it is referenced.

 

I've got a ticket in with the ISP to see if they are indeed blocking port 443, or if there is another layer in front of the ASA listening on port 443.

 

Thanks for your help btw.

So no port blocking from the ISP, but the support technician didn't seem all that sure.

 

That being said, would setting up a simple port forward for one of local webservers be a good test to see if the ISP is blocking traffic?

 

If so, can you recommend a good guide on how to port forward 80 to specific machine on our network? 

 

Thank you,

Here is an example of a static nat. You reference the private ip address in the ACL rule

 

object network SRV1
 host 192.168.10.5
 nat (i,o) static 1.1.1.10
access-list OUTSIDE->IN permit tcp any host 192.168.10.5 eq 80

 

Run a packet capture on the ASA and make sure you can actually see the traffic inbound.

 

HTH

Hi RJI,

 

I managed to get port forwarding working with one of our local web servers and can access it from the outside world.  The command-line interface is definitely superior.  Still having VPN issues, but at least I know that the ISP is not port blocking.

 

I will find a guide to walk me a through VPN setup via CLI.  Do you have one you can recommend?

 

Thanks for all your help.

Hi,

Here is an example how to configure AnyConnect SSLVPN via CLI. If you've still got problems, upload the new configuration

 

HTH