Cisco ASA WebVPN portal on outside not working
Hello experts,
we've recently installed a brand new ASA with fw version 9.1(1).
I've configured the remote ssl vpn portal, which also is working from the inside interfaces.
I'm unable to get it running on the outside interface, as i understood from Cisco it should be as easy as checking the outside int from the ADSM and connecting to the ASAs external IP (which is in a routed subnet with 1 range).
Please assist me in what i'm doing wrong (i guess it has something to do with the NAT setup since IPSEC vpns are also not working).
Hereby my config file, thanks in advance!
we've recently installed a brand new ASA with fw version 9.1(1).
I've configured the remote ssl vpn portal, which also is working from the inside interfaces.
I'm unable to get it running on the outside interface, as i understood from Cisco it should be as easy as checking the outside int from the ADSM and connecting to the ASAs external IP (which is in a routed subnet with 1 range).
Please assist me in what i'm doing wrong (i guess it has something to do with the NAT setup since IPSEC vpns are also not working).
Hereby my config file, thanks in advance!
Result of the command: "sh run"
: Saved
:
ASA Version 9.1(1)
!
hostname asa5512x
domain-name customers.site
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 88.200.202.130 255.255.255.240
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Switch Routing network
nameif inside
security-level 100
ip address 192.168.247.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
nameif DMZ
security-level 99
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.246.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 88.200.203.3
name-server 88.200.204.3
domain-name customer.local
object network WAN
range 88.200.202.131 88.200.202.142
object network Insideout
subnet 192.168.247.0 255.255.255.0
object network insideout
subnet 192.168.247.0 255.255.255.0
object network Switch1_ge1_1_4_IP
host 192.168.247.2
object network Management_Segment
subnet 192.168.253.0 255.255.255.0
object network Data_Segment
subnet 192.168.254.0 255.255.255.0
object network NETWORK_OBJ_192.168.247.0_24
subnet 192.168.247.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
object network man-01.365-connect.lcl
host 192.168.253.20
description Management server
object network outside-ip-132
host 88.200.202.132
object network dc01.365-connect.lcl
host 192.168.254.10
object network egress.canit.ca
fqdn v4 egress.canit.ca
object network NETWORK_OBJ_10.252.150.0_24
subnet 10.252.150.0 255.255.255.0
object network PenThese_LAN
subnet 192.168.30.0 255.255.255.0
object network ALG_Segment
subnet 192.168.251.0 255.255.255.0
object network CANSO_Segment
subnet 192.168.249.0 255.255.255.0
object network MCS_Segment
subnet 192.168.250.0 255.255.255.0
object network test
subnet 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object Data_Segment
network-object object Management_Segment
network-object object ALG_Segment
network-object object CANSO_Segment
network-object object MCS_Segment
object-group network DM_INLINE_NETWORK_2
network-object 93.154.119.144 255.255.255.248
network-object host 94.212.88.84
network-object host 82.95.245.176
network-object host 81.71.101.247
network-object host 82.95.212.102
network-object host 84.29.20.138
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_4 extended permit ip 192.168.247.0 255.255.255.0 object test
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.247.0_24 NETWORK_OBJ_192.168.247.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.247.0_24 NETWORK_OBJ_192.168.247.0_24 destination static NETWORK_OBJ_10.252.150.0_24 NETWORK_OBJ_10.252.150.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.247.0_24 NETWORK_OBJ_192.168.247.0_24 destination static test test no-proxy-arp route-lookup
!
object network insideout
nat (any,outside) static interface
object network man.customer.lcl
nat (inside,outside) static outside-ip-132 service tcp 3389 3389
!
nat (any,outside) after-auto source static DM_INLINE_NETWORK_1 interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.200.202.129 1
route inside 192.168.249.0 255.255.255.0 192.168.247.2 1
route inside 192.168.250.0 255.255.255.0 192.168.247.2 1
route inside 192.168.251.0 255.255.255.0 192.168.247.2 1
route inside 192.168.252.0 255.255.255.0 192.168.247.2 1
route inside 192.168.253.0 255.255.255.0 192.168.247.2 1
route inside 192.168.254.0 255.255.255.0 192.168.247.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.29.110.117
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.248.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_84.29.110.117 internal
group-policy GroupPolicy_84.29.110.117 attributes
vpn-tunnel-protocol ikev1
tunnel-group 84.29.110.117 type ipsec-l2l
tunnel-group 84.29.110.117 general-attributes
default-group-policy GroupPolicy_84.29.110.117
tunnel-group 84.29.110.117 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 22
subscribe-to-alert-group configuration periodic monthly 22
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9f81819c3830626b43d2f121547f0f26
: end
you need to update these
http server enable
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
http 0 0 outside
http server enable
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
http 0 0 outside
Actually,
webvpn
enable outside
http 0 0 outside
should do it. The others already exist.
webvpn
enable outside
http 0 0 outside
should do it. The others already exist.
just to add to to the http config, I usually enable external access for the management interface only for the redirect, not for access, so that external users just have to type the hostname, but stopping any atempt to access the management interface from outside. I also run the management interface on a different port and set a timeout of ten minutes (600 seconds)
webvpn
enable outsidehttp server enable 8443
http server idle-timeout 600
http 127.0.0.1 255.255.255.255 outside
http redirect outside 80ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
webvpn
enable outside
Check this link and example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml