Solved

unable to connect to clientless webvpn portal on asa

Posted on 2016-09-29
13
54 Views
Last Modified: 2016-10-12
Can anyone please help with the following, am I missing something?:

I'm trying to establish a ssl clientless vpn connection to an ASA5515 to access the web portal across the internet.

When I put the IP address in the browser - https://IP-ADD, it tries to connect to the portal but just hangs.

I can see the hits increment on the ACE entry when I try to connect but this was supposed to bypass the ACL as I have the default command

sysopt connection permit-vpn, so not sure whats happening there.

Please see test config below:

hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024

crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY


crypto ca enroll SELF-TRUSTPOINT [noconfirm]
ssl trust-point SELF-TRUSTPOINT OUTSIDE
wr
 
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn

tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
 
dns server-group DefaultDNS     (not used this for now as its not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
 
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable

username user1 password cisco1
webvpn
 enable OUTSIDE
wr
0
Comment
Question by:mk azam
  • 8
  • 5
13 Comments
 
LVL 36

Expert Comment

by:ArneLovius
Comment Utility
it would be useful if you could post a suitably sanitised complete config rather than the commands that you ran
0
 

Author Comment

by:mk azam
Comment Utility
Sorry about that but the entire config is over 700 lines with all the IP Addressing etc. I can appreciate its much harder to diagnose with only a partial config but perhaps I'm missing something simple?

I got the above config from the Cisco ASA all-in-one book btw. Thought I should mention that I can get to the webvpn portal on the inside interface.

This is my first time setting up a clientless SSL vpn on an ASA so might be worth checking the following ACE. The access-list on the Outside interface that increments whenever I try to connect from a browser states:

action: permit
interface: outside
source: our external range of public IP addresses (should this be a single public IP add?)
destination: network range of the LAN on the Inside interface (does this need to be the Outside int add?)
service: tcp/https

Do I need to setup NAT?
Regards, mk
0
 

Author Comment

by:mk azam
Comment Utility
When I change the dest add on the ACE to the ASA outside int add, I don't even get any hits on the access rule
0
 

Author Comment

by:mk azam
Comment Utility
Don't know if this makes a difference but this is being tested on the 2 free licenses?
I'm assuming it should still work?
Licensed features for this platform:

Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
0
 
LVL 36

Expert Comment

by:ArneLovius
Comment Utility
If you can connect from inside, but not outside, then it is not a licensing issue.

To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port.

There does NOT need to be an ACL on the "WAN" interface to allow traffic to the web interface.

Without a copy of the config, it is difficult to help further. It should only take a couple of minutes to sanitise the config as per the link I provided.
0
 

Author Comment

by:mk azam
Comment Utility
Thank you for your response once again.
I've made some progress & narrowed the problem down to the following issue:
The first output is from the ASA I can't connect to, & the second output is from the ASA I can connect to.
As you can see, it is not listening on SSL port 443.

CiscoASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
DTLS      20d16628  LISTEN     PUBLIC-IP:443                           0.0.0.0:*

ASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
SSL         005020d8  LISTEN     PUBLIC-IP:443                         0.0.0.0:*
DTLS      0052da58  LISTEN     PUBLIC-IP:443                           0.0.0.0:*

I think the solution would be to get that listening on ssl port 443 but I was not able to do it.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 36

Expert Comment

by:ArneLovius
Comment Utility
I would guess that you have missed some part of the webvpn config, but without seeing the config, I would be plucking at imaginary straws.

a sample config is as below, your paths may be different

webvpn
 enable inside
 enable WAN
 default-idle-timeout 59940
 no anyconnect-essentials
 csd image disk0:/csm/csd_3.6.6210-k9.pkg
 csd hostscan image disk0:/csm/hostscan_3.1.02026-k9.pkg
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.14018-k9.pkg 9
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.1.14018-k9.pkg 10
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.1.14018-k9.pkg 11
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.1.14018-k9.pkg 12
 anyconnect profiles asa-1.contoso.com disk0:/csm/sa-1.contoso.com.xml
 anyconnect enable
 tunnel-group-list enable
0
 

Author Comment

by:mk azam
Comment Utility
Most of the above config is for the cisco anyconnect client but I am trying to set up a clientless remote access vpn to the ASA. Hence, I'm using a web browser to connect. I will let you know how it goes when I get back to work on Tuesday.
Thank you for your help thus far.
Regards
0
 

Author Comment

by:mk azam
Comment Utility
Like I said, I can connect to the web portal from the INSIDE interface but not the OUTSIDE.
Don't know why it's not listening on on port 443 for SSL?
0
 
LVL 36

Expert Comment

by:ArneLovius
Comment Utility
perhaps if you posted a suitably sanitised complete config somebody else might see what the problem is...
0
 

Author Comment

by:mk azam
Comment Utility
Hi Arne, thought I'd share the solution, I was unable to connect to the ASA web portal via clientless vpn as there was a nat rule on the outside interface.
So now I've downloaded & imported the ssh plugin from cisco & when I try to ssh to the server from the portal, it still doesn't work (have confirmed ssh works on the server as I can connect to it via putty from a LAN PC) .
Do I need to configure anything else on the ASA to make this work?
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
Comment Utility
I did say above "To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port."...

I've not had much luck with either the SSH or RDP plugins for some time, and these days just use AnyConnect...
0
 

Author Closing Comment

by:mk azam
Comment Utility
Thanks to Arne for his help, worked with anyconnect
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now