
Can't Access ASA Public IP Address - AnyConnect


  • Can't Access ASA Public IP Address - AnyConnect

    I'm having issues replacing a 5505 with a 5506 with AnyConnect configured. The firewall is only used for the AnyConnect connections, so it's a really basic configuration. The firewall's outside port is connected to a separate internet line from our ISP, but I can't access the SSL page from any external location. Internally I can tracert and see the traffic leave my firewall, reach my ISP, and re-enter the new 5505 AnyConnect firewall. But from a public location the traffic never seems to reach it. I think I might be missing something incredibly easy. I'm pretty new with the ASA, but I have set up a few other AnyConnect VPN connections on other firewalls and never had issues.

    When I try to access the SSL login page from a public location, the log shows "Built Inbound TCP Connection" followed by "Teardown TCP Connection ... SYN Timeout".

    ! Reviewer notes (lines beginning with "!") are annotations, not part of the pasted config.
    ! The paste has lost its indentation, several values are redacted and some lines are
    ! truncated, so sub-mode boundaries (interface, object, webvpn, group-policy) are inferred.
    : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1249 MHz, 1 CPU (4 cores)
    : Written by tech at 09:50:47.949 EST Fri Mar 2 2018
    ASA Version 9.8(1)
    hostname Townsend
    ! Secrets (enable password, username hash) and the pool range were removed before posting.
    enable password
    ip local pool VPN_Pool mask

    ! Only Gi1/1 (outside) and Gi1/2 (inside) are in use; the remaining data ports and
    ! Management1/1 have no nameif/IP and are therefore inactive.
    interface GigabitEthernet1/1
    nameif outside
    security-level 0
    ip address REDACTED
    interface GigabitEthernet1/2
    nameif inside
    security-level 100
    ip address
    interface GigabitEthernet1/3
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/4
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/5
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/6
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/7
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/8
    no nameif
    no security-level
    no ip address
    interface Management1/1
    no nameif
    no security-level
    no ip address
    ftp mode passive
    clock timezone EST -5
    clock summer-time EST recurring
    dns server-group DefaultDNS
    ! Object bodies (subnet/host statements) were stripped from the paste; the names suggest
    ! 192.168.50.0/28 is the VPN pool and 192.168.3.0/24 the inside LAN - confirm.
    object network obj_any
    object network NETWORK_OBJ_192.168.50.0_28
    object network NETWORK_OBJ_192.168.3.0_24
    ! Interface ACL permits only ICMP diagnostics inbound *through* the box. No TCP is allowed
    ! through, which is fine for a VPN-only firewall: AnyConnect terminates on the ASA itself,
    ! and to-the-box TLS is opened by "enable outside" in the webvpn section, not by this ACL.
    access-list OUTSIDE extended permit icmp any4 any4 echo
    access-list OUTSIDE extended permit icmp any4 any4 traceroute
    access-list OUTSIDE extended permit icmp any4 any4 source-quench
    access-list OUTSIDE extended permit icmp any4 any4 unreachable
    access-list OUTSIDE extended permit icmp any4 any4 time-exceeded
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 512000
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    arp rate-limit 16384
    ! Identity (no-NAT) rule so the inside LAN and the VPN pool talk without translation.
    nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.50.0_28 NETWORK_OBJ_192.168.50.0_28 no-proxy-arp route-lookup
    ! The object NAT below and the after-auto rule both PAT everything to the outside address;
    ! they overlap and one of them appears redundant - harmless, but worth tidying.
    object network obj_any
    nat (any,outside) dynamic interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group OUTSIDE in interface outside
    ! Both route statements are truncated in the paste (next hop missing). A wrong or missing
    ! default route toward the ISP would be one explanation for the reported symptom: the SYN
    ! is logged as built but the ASA's reply never gets back, so the connection times out.
    route outside 0.0
    route inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    timeout conn-holddown 0:00:15
    timeout igp stale-route 0:01:10
    user-identity default-domain LOCAL
    ! SSH authenticates against the local user database. No matching
    ! "aaa authentication http console LOCAL" appears in the paste, so ASDM/HTTP may still be
    ! falling back to the enable password - confirm on the box.
    aaa authentication ssh console LOCAL
    aaa authentication login-history
    ! Management access (http, ssh) is bound to inside only; address/mask arguments were
    ! stripped by the paste, hence the duplicated lines.
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec security-association pmtu-aging infinite
    ! Self-signed identity certificate (enrollment self) presented to AnyConnect clients;
    ! browsers and the client will warn until a CA-issued certificate replaces it.
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=Townsend
    ip-address REDACTED
    keypair CC-VPN
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh inside
    ssh inside
    ssh timeout 30
    ssh version 2
    ! dh-group1-sha1 is the legacy 768-bit group; prefer dh-group14-sha1 where the release
    ! supports it. This affects SSH management only, not the VPN tunnels.
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! The lines from here to "error-recovery disable" are webvpn sub-mode commands; the parent
    ! "webvpn" keyword is missing from the paste. "enable outside" is what makes the ASA listen
    ! for AnyConnect/TLS on the outside address.
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 inside
    enable outside
    anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    error-recovery disable
    ! Group policy: SSL client only; dns-server and default-domain values were redacted.
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
    wins-server none
    dns-server value
    vpn-tunnel-protocol ssl-client
    default-domain value
    dynamic-access-policy-record DfltAccessPolicy
    username tech password
    ! Remote-access tunnel group using the local pool and group policy above; the alias
    ! "VPN" is what the login page offers since tunnel-group-list is enabled.
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool VPN_Pool
    default-group-policy GroupPolicy_VPN
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    ! What follows appears to be the stock default global inspection policy.
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum client auto
    message-length maximum 512
    no tcp-inspection
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Last edited by Caponewgp; 4th March 2018, 04:16.