Solved

Cisco ASA WebVPN portal on outside not working

Posted on 2013-01-01
7
937 Views
Last Modified: 2014-11-10
Hello experts,

we've recently installed a brand new ASA with fw version 9.1(1).
I've configured the remote ssl vpn portal, which also is working from the inside interfaces.
I'm unable to get it running on the outside interface, as i understood from Cisco it should be as easy as checking the outside int from the ADSM and connecting to the ASAs external IP (which is in a routed subnet with 1 range).
Please assist me in what i'm doing wrong (i guess it has something to do with the NAT setup since IPSEC vpns are also not working).
Hereby my config file, thanks in advance!
Result of the command: "sh run"

: Saved
:
ASA Version 9.1(1) 
!
hostname asa5512x
domain-name customers.site
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd  encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 88.200.202.130 255.255.255.240 
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Switch Routing network
 nameif inside
 security-level 100
 ip address 192.168.247.1 255.255.255.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 nameif DMZ
 security-level 99
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.246.1 255.255.255.0 
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 88.200.203.3
 name-server 88.200.204.3
 domain-name customer.local
object network WAN
 range 88.200.202.131 88.200.202.142
object network Insideout
 subnet 192.168.247.0 255.255.255.0
object network insideout
 subnet 192.168.247.0 255.255.255.0
object network Switch1_ge1_1_4_IP
 host 192.168.247.2
object network Management_Segment
 subnet 192.168.253.0 255.255.255.0
object network Data_Segment
 subnet 192.168.254.0 255.255.255.0
object network NETWORK_OBJ_192.168.247.0_24
 subnet 192.168.247.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
object network man-01.365-connect.lcl
 host 192.168.253.20
 description Management server
object network outside-ip-132
 host 88.200.202.132
object network dc01.365-connect.lcl
 host 192.168.254.10
object network egress.canit.ca
 fqdn v4 egress.canit.ca
object network NETWORK_OBJ_10.252.150.0_24
 subnet 10.252.150.0 255.255.255.0
object network PenThese_LAN
 subnet 192.168.30.0 255.255.255.0
object network ALG_Segment
 subnet 192.168.251.0 255.255.255.0
object network CANSO_Segment
 subnet 192.168.249.0 255.255.255.0
object network MCS_Segment
 subnet 192.168.250.0 255.255.255.0
object network test
 subnet 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Data_Segment
 network-object object Management_Segment
 network-object object ALG_Segment
 network-object object CANSO_Segment
 network-object object MCS_Segment
object-group network DM_INLINE_NETWORK_2
 network-object 93.154.119.144 255.255.255.248
 network-object host 94.212.88.84
 network-object host 82.95.245.176
 network-object host 81.71.101.247
 network-object host 82.95.212.102
 network-object host 84.29.20.138
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_4 extended permit ip 192.168.247.0 255.255.255.0 object test
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.247.0_24 NETWORK_OBJ_192.168.247.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.247.0_24 NETWORK_OBJ_192.168.247.0_24 destination static NETWORK_OBJ_10.252.150.0_24 NETWORK_OBJ_10.252.150.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.247.0_24 NETWORK_OBJ_192.168.247.0_24 destination static test test no-proxy-arp route-lookup
!
object network insideout
 nat (any,outside) static interface
object network man.customer.lcl
 nat (inside,outside) static outside-ip-132 service tcp 3389 3389 
!
nat (any,outside) after-auto source static DM_INLINE_NETWORK_1 interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.200.202.129 1
route inside 192.168.249.0 255.255.255.0 192.168.247.2 1
route inside 192.168.250.0 255.255.255.0 192.168.247.2 1
route inside 192.168.251.0 255.255.255.0 192.168.247.2 1
route inside 192.168.252.0 255.255.255.0 192.168.247.2 1
route inside 192.168.253.0 255.255.255.0 192.168.247.2 1
route inside 192.168.254.0 255.255.255.0 192.168.247.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 84.29.110.117 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.248.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_84.29.110.117 internal
group-policy GroupPolicy_84.29.110.117 attributes
 vpn-tunnel-protocol ikev1 
tunnel-group 84.29.110.117 type ipsec-l2l
tunnel-group 84.29.110.117 general-attributes
 default-group-policy GroupPolicy_84.29.110.117
tunnel-group 84.29.110.117 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 22
  subscribe-to-alert-group configuration periodic monthly 22
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9f81819c3830626b43d2f121547f0f26
: end

Open in new window

0
Comment
Question by:penthese
7 Comments
 
LVL 22

Expert Comment

by:rickhobbs
ID: 38735504
At the least, you need something like this added:

webvpn
 enable outside


Check this link and example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
0
 
LVL 13

Expert Comment

by:Sandy
ID: 38735783
you need to update these

http server enable
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
http 0 0 outside
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 38736437
Actually,
webvpn
enable outside
http 0 0 outside

should do it.  The others already exist.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38736560
just to add to to the http config, I usually enable external access for the management interface only for the redirect, not for access, so that external users just have to type the hostname, but stopping any atempt to access the management interface from outside. I also run the management interface on a different port and set a timeout of ten minutes (600 seconds)

webvpn
  enable outside

Open in new window


http server enable 8443
http server idle-timeout 600
http 127.0.0.1 255.255.255.255 outside
http redirect outside 80

Open in new window

0
 

Accepted Solution

by:
penthese earned 0 total points
ID: 38738470
Hello, thanks for your answers.
Too bad nothing worked, i just logged on to the tty console which had a message on it regarding 2 nat rules.
i've removed
object network insideout
 nat (any,outside) static interface

and
nat (any,outside) after-auto source static DM_INLINE_NETWORK_1 interface

everything is working now.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now