Solved

unable to connect to clientless webvpn portal on asa

Posted on 2016-09-29
153 Views
Last Modified: 2016-10-12
Can anyone please help with the following? Am I missing something?

I'm trying to establish an SSL clientless VPN connection to an ASA5515 to access the web portal across the internet.

When I put the IP address in the browser - https://IP-ADD, it tries to connect to the portal but just hangs.

I can see the hit count increment on the ACE entry when I try to connect, but this was supposed to bypass the ACL as I have the default command sysopt connection permit-vpn, so I'm not sure what's happening there.

Please see test config below:

hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024

crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY


crypto ca enroll SELF-TRUSTPOINT [noconfirm]
ssl trust-point SELF-TRUSTPOINT OUTSIDE
wr
 
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn

tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
 
dns server-group DefaultDNS     (not using this for now as it's not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
 
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable

username user1 password cisco1
webvpn
 enable OUTSIDE
wr
Question by: mk azam
13 Comments
 

Expert Comment

by:ArneLovius
ID: 41822987
it would be useful if you could post a suitably sanitised complete config rather than the commands that you ran
 

Author Comment

by:mk azam
ID: 41823094
Sorry about that, but the entire config is over 700 lines with all the IP addressing etc. I can appreciate it's much harder to diagnose with only a partial config, but perhaps I'm missing something simple?

I got the above config from the Cisco ASA all-in-one book, by the way. I thought I should mention that I can get to the webvpn portal on the inside interface.

This is my first time setting up a clientless SSL vpn on an ASA so might be worth checking the following ACE. The access-list on the Outside interface that increments whenever I try to connect from a browser states:

action: permit
interface: outside
source: our external range of public IP addresses (should this be a single public IP add?)
destination: network range of the LAN on the Inside interface (does this need to be the Outside int add?)
service: tcp/https

Do I need to setup NAT?
Regards, mk
 

Author Comment

by:mk azam
ID: 41823205
When I change the destination address on the ACE to the ASA outside interface address, I don't even get any hits on the access rule.

Author Comment

by:mk azam
ID: 41823235
Don't know if this makes a difference but this is being tested on the 2 free licenses?
I'm assuming it should still work?
Licensed features for this platform:

Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
 

Expert Comment

by:ArneLovius
ID: 41824000
If you can connect from inside, but not outside, then it is not a licensing issue.

To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port.

There does NOT need to be an ACL on the "WAN" interface to allow traffic to the web interface.

Without a copy of the config, it is difficult to help further. It should only take a couple of minutes to sanitise the config as per the link I provided.
 

Author Comment

by:mk azam
ID: 41824244
Thank you for your response once again.
I've made some progress and narrowed the problem down to the following issue:
The first output is from the ASA I can't connect to, and the second output is from the ASA I can connect to.
As you can see, it is not listening on SSL port 443.

CiscoASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
DTLS      20d16628  LISTEN     PUBLIC-IP:443                           0.0.0.0:*

ASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
SSL         005020d8  LISTEN     PUBLIC-IP:443                         0.0.0.0:*
DTLS      0052da58  LISTEN     PUBLIC-IP:443                           0.0.0.0:*

I think the solution would be to get that listening on ssl port 443 but I was not able to do it.
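As an added example (this is editor-supplied code, not from the original post, from Cisco, or from the book the poster used), here is a small Python script that parses the two "show asp table socket" outputs quoted above and reports which listeners are missing on the WebVPN interface address. The two tables embedded in the script are copied from the post; the host placeholder PUBLIC-IP is the poster's own sanitised value, and the expectation that both an SSL and a DTLS socket are in LISTEN on port 443 is taken from the working ASA's output. The hint text in diagnose() reflects the thread's eventual resolution (a NAT rule on the outside interface) and is an assumption about the most likely cause, not something the ASA itself reports.

```python
"""Parse 'show asp table socket' output from a Cisco ASA and report which
WebVPN listeners are missing for a given interface address and port."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed inputs: the two tables pasted in the thread above. 'PUBLIC-IP'
# is the sanitised placeholder the poster used for the outside interface IP.
ASA_NOT_WORKING = """\
Protocol  Socket    State      Local Address                                Foreign Address
DTLS      20d16628  LISTEN     PUBLIC-IP:443                           0.0.0.0:*
"""

ASA_WORKING = """\
Protocol  Socket    State      Local Address                                Foreign Address
SSL         005020d8  LISTEN     PUBLIC-IP:443                         0.0.0.0:*
DTLS      0052da58  LISTEN     PUBLIC-IP:443                           0.0.0.0:*
"""


@dataclass(frozen=True)
class AspSocket:
    protocol: str    # SSL, DTLS, TCP, ...
    socket_id: str   # hex handle printed by the ASA
    state: str       # LISTEN, ESTAB, ...
    local_host: str
    local_port: str
    foreign: str


def split_host_port(addr: str) -> tuple[str, str]:
    """Split 'host:port' on the LAST colon so IPv6 literals and placeholders survive."""
    host, sep, port = addr.rpartition(":")
    if not sep:
        raise ValueError(f"address without port: {addr!r}")
    return host, port


def parse_asp_sockets(output: str) -> list[AspSocket]:
    """Parse the five-column table; the header row and blank lines are skipped."""
    rows: list[AspSocket] = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Protocol":
            continue
        if len(fields) < 5:
            raise ValueError(f"unexpected row: {line!r}")
        host, port = split_host_port(fields[3])
        rows.append(AspSocket(fields[0], fields[1], fields[2], host, port, fields[4]))
    return rows


def missing_listeners(output: str, host: str, port: str = "443",
                      expected: tuple[str, ...] = ("SSL", "DTLS")) -> list[str]:
    """Return the protocols in `expected` that are NOT in LISTEN state on host:port."""
    listening = {(s.protocol, s.local_host, s.local_port)
                 for s in parse_asp_sockets(output) if s.state == "LISTEN"}
    return [p for p in expected if (p, host, port) not in listening]


def diagnose(output: str, host: str, port: str = "443") -> str:
    """One-line verdict for an operator comparing a broken box against a known-good one."""
    missing = missing_listeners(output, host, port)
    if not missing:
        return f"OK: SSL and DTLS listening on {host}:{port}"
    return (f"PROBLEM: no {', '.join(missing)} listener on {host}:{port}; the ASA is not "
            "terminating HTTPS on this interface (assumed likely causes: a NAT rule "
            "claiming that port on the interface, or 'enable <ifname>' missing under webvpn)")


if __name__ == "__main__":
    for name, table in (("not working", ASA_NOT_WORKING), ("working", ASA_WORKING)):
        print(f"{name}: {diagnose(table, 'PUBLIC-IP')}")
```

The parser splits on the last colon so it also copes with IPv6 local addresses; the header row is recognised by its first word rather than by position, so it works on output pasted with or without the blank line the CLI prints before the table.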
 

Expert Comment

by:ArneLovius
ID: 41824552
I would guess that you have missed some part of the webvpn config, but without seeing the config, I would be plucking at imaginary straws.

A sample config is below; your paths may be different.

webvpn
 enable inside
 enable WAN
 default-idle-timeout 59940
 no anyconnect-essentials
 csd image disk0:/csm/csd_3.6.6210-k9.pkg
 csd hostscan image disk0:/csm/hostscan_3.1.02026-k9.pkg
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.14018-k9.pkg 9
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.1.14018-k9.pkg 10
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.1.14018-k9.pkg 11
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.1.14018-k9.pkg 12
 anyconnect profiles asa-1.contoso.com disk0:/csm/sa-1.contoso.com.xml
 anyconnect enable
 tunnel-group-list enable
 

Author Comment

by:mk azam
ID: 41825310
Most of the above config is for the cisco anyconnect client but I am trying to set up a clientless remote access vpn to the ASA. Hence, I'm using a web browser to connect. I will let you know how it goes when I get back to work on Tuesday.
Thank you for your help thus far.
Regards
 

Author Comment

by:mk azam
ID: 41827819
Like I said, I can connect to the web portal from the INSIDE interface but not the OUTSIDE.
I don't know why it's not listening on port 443 for SSL?
 

Expert Comment

by:ArneLovius
ID: 41827982
perhaps if you posted a suitably sanitised complete config somebody else might see what the problem is...
 

Author Comment

by:mk azam
ID: 41837607
Hi Arne, I thought I'd share the solution: I was unable to connect to the ASA web portal via clientless VPN as there was a NAT rule on the outside interface.
So now I've downloaded and imported the SSH plugin from Cisco, and when I try to SSH to the server from the portal, it still doesn't work (I have confirmed SSH works on the server, as I can connect to it via PuTTY from a LAN PC).
Do I need to configure anything else on the ASA to make this work?
 

Accepted Solution

by: ArneLovius (earned 500 total points)
ID: 41839337
I did say above "To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port."...

I've not had much luck with either the SSH or RDP plugins for some time, and these days just use AnyConnect...
 

Author Closing Comment

by:mk azam
ID: 41841074
Thanks to Arne for his help; it worked with AnyConnect.
