Can't Access ASA Public IP Address - AnyConnect

    I'm having issues replacing a 5505 with a 5506 with AnyConnect configured. The firewall is only used for the AnyConnect connections, so it's a really basic configuration. The firewall's outside port is connected to a separate internet line from our ISP, but I can't access the SSL page from any external location. Internally I can tracert and see the traffic leave my firewall, then reach my ISP and re-enter the new 5505 AnyConnect firewall. But from a public location it never seems to reach. I think I might be missing something incredibly easy. I'm pretty new with the ASA, but I have set up a few other AnyConnect VPN connections on other firewalls and never had issues.

    When I try to access the SSL login page from a public location, I see "Built inbound TCP connection", then "Teardown TCP connection ... SYN Timeout".

    : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1249 MHz, 1 CPU (4 cores)
    : Written by tech at 09:50:47.949 EST Fri Mar 2 2018
    !
    ASA Version 9.8(1)
    !
    hostname Townsend
    domain-name
    enable password
    names
    ip local pool VPN_Pool 192.168.50.1-192.168.50.10 mask 255.255.255.0
    !
    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address REDACTED 255.255.255.0
    !
    interface GigabitEthernet1/2
     nameif inside
     security-level 100
     ip address 192.168.3.171 255.255.255.0
    !
    interface GigabitEthernet1/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/6
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/7
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/8
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management1/1
     management-only
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EST recurring
    dns server-group DefaultDNS
     domain-name
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_192.168.50.0_28
     subnet 192.168.50.0 255.255.255.240
    object network NETWORK_OBJ_192.168.3.0_24
     subnet 192.168.3.0 255.255.255.0
    access-list OUTSIDE extended permit icmp any4 any4 echo
    access-list OUTSIDE extended permit icmp any4 any4 traceroute
    access-list OUTSIDE extended permit icmp any4 any4 source-quench
    access-list OUTSIDE extended permit icmp any4 any4 unreachable
    access-list OUTSIDE extended permit icmp any4 any4 time-exceeded
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 512000
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    arp rate-limit 16384
    nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.50.0_28 NETWORK_OBJ_192.168.50.0_28 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (any,outside) dynamic interface
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group OUTSIDE in interface outside
    route outside 0.0.0.0 0.0
    route inside 192.168.4.0 255.255.252.0 192.168.3.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    timeout conn-holddown 0:00:15
    timeout igp stale-route 0:01:10
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication login-history
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=Townsend
     ip-address REDACTED
     keypair CC-VPN
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh 192.168.4.0 255.255.252.0 inside
    ssh 192.168.3.0 255.255.255.0 inside
    ssh timeout 30
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 inside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
     cache
      disable
     error-recovery disable
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
     wins-server none
     dns-server value 192.168.3.3
     vpn-tunnel-protocol ssl-client
     default-domain value
    dynamic-access-policy-record DfltAccessPolicy
    username tech password
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool VPN_Pool
     default-group-policy GroupPolicy_VPN
    tunnel-group VPN webvpn-attributes
     group-alias VPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
      no tcp-inspection
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum
    Last edited by Caponewgp; 4th March 2018, 04:16.
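The two syslog messages quoted above ("Built inbound TCP connection" and "Teardown TCP connection ... SYN Timeout") are ASA message IDs 302013 and 302014, and the full text of the 302013 line carries the one fact that decides where to look next: whether the ASA logged the destination as itself (the `identity` pseudo-interface, meaning webvpn on the outside interface owns the connection) or as a through-the-box connection to an inside host (meaning a NAT rule claimed the public address on port 443 and the SYN was forwarded rather than answered). The following is an added example, not code from the original post or from Cisco: a small Python triage script that pairs each build with its teardown by connection ID and reports the SYN-timeout flows on the VPN port with that distinction. The log lines are constructed here with documentation addresses, and the exact field layout of 302013/302014 and the `identity` naming are assumptions about the message format, since the post only shows the abbreviated message names.

```python
"""Triage ASA 302013/302014 TCP connection syslogs for SYN-timeout teardowns."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (assumed 302013/302014 layout; documentation IP ranges).
# 1001: to-the-box on 443, never completed   -> the ASA itself owns the flow
# 1002: forwarded to an inside host on 443   -> a NAT rule diverted the port
# 1003: to-the-box on 443, completed normally
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to identity:198.51.100.10/443 (198.51.100.10/443)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51234 to identity:198.51.100.10/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.5/51240 (203.0.113.5/51240) to inside:192.168.3.171/443 (198.51.100.10/443)
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.5/51240 to inside:192.168.3.171/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.77/40001 (198.51.100.77/40001) to identity:198.51.100.10/443 (198.51.100.10/443)
%ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.77/40001 to identity:198.51.100.10/443 duration 0:00:05 bytes 4812 TCP FINs
"""

# 302013: "for <if>:<real ip>/<port> (<mapped ip>/<port>) to <if>:<real ip>/<port> (<mapped ip>/<port>)"
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<xlate_ip>[\d.]+)/(?P<xlate_port>\d+)\)"
)
# 302014: "... duration h:mm:ss bytes N <reason>"
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) for .+? "
    r"duration (?P<duration>[\d:]+) bytes (?P<byte_count>\d+) (?P<reason>.+?)\s*$"
)


@dataclass
class Flow:
    conn_id: int
    direction: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    xlate_ip: str          # public (mapped) address the client actually hit
    duration: Optional[str] = None
    byte_count: Optional[int] = None
    reason: Optional[str] = None

    @property
    def to_the_box(self) -> bool:
        # Assumption: the ASA names the firewall itself "identity" in 302013
        # when the connection terminates on one of its own interfaces.
        return self.dst_if == "identity"


def parse_flows(log_text: str) -> Dict[int, Flow]:
    """Pair 302013 builds with 302014 teardowns by connection ID."""
    flows: Dict[int, Flow] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            g = m.groupdict()
            cid = int(g["conn_id"])
            flows[cid] = Flow(cid, g["direction"], g["src_if"], g["src_ip"],
                              int(g["src_port"]), g["dst_if"], g["dst_ip"],
                              int(g["dst_port"]), g["xlate_ip"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            g = m.groupdict()
            flow = flows.get(int(g["conn_id"]))
            if flow is not None:  # ignore teardowns whose build is outside the sample
                flow.duration = g["duration"]
                flow.byte_count = int(g["byte_count"])
                flow.reason = g["reason"]
    return flows


def syn_timeouts(flows: Dict[int, Flow], port: int = 443) -> List[Flow]:
    """Flows to the VPN port whose three-way handshake never completed."""
    return [f for f in flows.values() if f.dst_port == port and f.reason == "SYN Timeout"]


def triage(log_text: str, port: int = 443) -> List[str]:
    """One finding per SYN-timeout flow, stating who the ASA thought the server was."""
    findings = []
    for f in syn_timeouts(parse_flows(log_text), port):
        if f.to_the_box:
            where = "terminated on the ASA itself (identity), so webvpn/ssl on that interface owns it"
        else:
            where = (f"forwarded through to {f.dst_if}:{f.dst_ip}/{f.dst_port}; "
                     f"a NAT rule translated the public address {f.xlate_ip}, so webvpn never saw it")
        findings.append(f"conn {f.conn_id} {f.src_ip}/{f.src_port} -> {f.xlate_ip}/{f.dst_port}: "
                        f"{where}; 0 bytes, handshake never completed")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Feed it `show logging` output (or the buffered log, which this config keeps at debugging level) filtered to the client's source address. To reproduce the same decision on the box without waiting for a client, `packet-tracer input outside tcp <client-ip> 51234 <public-ip> 443` shows which NAT phase, if any, claims the packet, and a `capture` on the outside interface matching `tcp any host <public-ip> eq 443` confirms whether the SYNs are arriving and whether a SYN-ACK ever leaves.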

  • #2
    Did you get this solved? If not, I would try changing:
    vpn-tunnel-protocol ssl-client
    to
    vpn-tunnel-protocol ssl-client ssl-clientless
