

Unable to connect to clientless WebVPN portal on ASA

Posted on 2016-09-29
Medium Priority
Last Modified: 2016-10-12
Can anyone please help with the following? Am I missing something?

I'm trying to establish an SSL clientless VPN connection to an ASA5515 to access the web portal across the internet.

When I put the IP address in the browser (https://IP-ADD), it tries to connect to the portal but just hangs.

I can see the hits increment on the ACE entry when I try to connect, but this was supposed to bypass the ACL as I have the default command

sysopt connection permit-vpn

so I'm not sure what's happening there.

Please see test config below:

hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024

crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY

crypto ca enroll SELF-TRUSTPOINT [noconfirm]
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn

tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
dns server-group DefaultDNS     (not used for now as it's not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable

username user1 password cisco1

webvpn
 enable OUTSIDE
Question by:mk azam

Expert Comment

ID: 41822987
It would be useful if you could post a suitably sanitised complete config rather than the commands that you ran.

Author Comment

by:mk azam
ID: 41823094
Sorry about that, but the entire config is over 700 lines with all the IP addressing etc. I can appreciate it's much harder to diagnose with only a partial config, but perhaps I'm missing something simple?

I got the above config from the Cisco ASA All-in-One book, btw. I thought I should mention that I can get to the WebVPN portal on the inside interface.

This is my first time setting up a clientless SSL VPN on an ASA, so it might be worth checking the following ACE. The access-list on the Outside interface that increments whenever I try to connect from a browser states:

action: permit
interface: outside
source: our external range of public IP addresses (should this be a single public IP add?)
destination: network range of the LAN on the Inside interface (does this need to be the Outside int add?)
service: tcp/https

Do I need to setup NAT?
Regards, mk

Author Comment

by:mk azam
ID: 41823205
When I change the dest add on the ACE to the ASA outside int add, I don't even get any hits on the access rule.


Author Comment

by:mk azam
ID: 41823235
Don't know if this makes a difference, but this is being tested on the 2 free licenses. I'm assuming it should still work?
Licensed features for this platform:

Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual

Expert Comment

ID: 41824000
If you can connect from inside, but not outside, then it is not a licensing issue.

To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port.

There does NOT need to be an ACL on the "WAN" interface to allow traffic to the web interface.

Without a copy of the config, it is difficult to help further. It should only take a couple of minutes to sanitise the config as per the link I provided.

Author Comment

by:mk azam
ID: 41824244
Thank you for your response once again.
I've made some progress and narrowed the problem down to the following issue:
The first output is from the ASA I can't connect to, and the second output is from the ASA I can connect to.
As you can see, it is not listening on SSL port 443.

CiscoASA# sh asp table socket
Protocol  Socket    State   Local Address    Foreign Address
DTLS      20d16628  LISTEN  PUBLIC-IP:443    *

ASA# sh asp table socket
Protocol  Socket    State   Local Address    Foreign Address
SSL       005020d8  LISTEN  PUBLIC-IP:443    *
DTLS      0052da58  LISTEN  PUBLIC-IP:443    *

I think the solution would be to get that listening on SSL port 443, but I was not able to do it.

Expert Comment

ID: 41824552
I would guess that you have missed some part of the webvpn config, but without seeing the config, I would be plucking at imaginary straws.

A sample config is below; your paths may be different:

webvpn
 enable inside
 enable WAN
 default-idle-timeout 59940
 no anyconnect-essentials
 csd image disk0:/csm/csd_3.6.6210-k9.pkg
 csd hostscan image disk0:/csm/hostscan_3.1.02026-k9.pkg
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.14018-k9.pkg 9
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.1.14018-k9.pkg 10
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.1.14018-k9.pkg 11
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.1.14018-k9.pkg 12
 anyconnect profiles asa-1.contoso.com disk0:/csm/sa-1.contoso.com.xml
 anyconnect enable
 tunnel-group-list enable

Author Comment

by:mk azam
ID: 41825310
Most of the above config is for the Cisco AnyConnect client, but I am trying to set up a clientless remote access VPN to the ASA. Hence, I'm using a web browser to connect. I will let you know how it goes when I get back to work on Tuesday.
Thank you for your help thus far.

Author Comment

by:mk azam
ID: 41827819
Like I said, I can connect to the web portal from the INSIDE interface but not the OUTSIDE.
Don't know why it's not listening on port 443 for SSL?

Expert Comment

ID: 41827982
Perhaps if you posted a suitably sanitised complete config somebody else might see what the problem is...

Author Comment

by:mk azam
ID: 41837607
Hi Arne, I thought I'd share the solution: I was unable to connect to the ASA web portal via clientless VPN as there was a NAT rule on the outside interface.
So now I've downloaded and imported the SSH plugin from Cisco, and when I try to SSH to the server from the portal, it still doesn't work (I have confirmed SSH works on the server as I can connect to it via PuTTY from a LAN PC).
Do I need to configure anything else on the ASA to make this work?

Accepted Solution

ArneLovius earned 2000 total points
ID: 41839337
I did say above "To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port."...

I've not had much luck with either the SSH or RDP plugins for some time, and these days I just use AnyConnect...
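An added check, written for this page and not code from the asker or from ArneLovius, that turns the diagnosis reached in this thread into something you can run against a sanitised config before opening a question: it parses the webvpn block for the interfaces the portal is enabled on (and the listening port, 443 unless "port N" is set), flags any static object-NAT rule that publishes that TCP port on the same interface's IP (the NAT rule that was the actual cause here; inbound HTTPS is translated to an inside host before the ASA's own listener sees it), and confirms from "show asp table socket" output whether an SSL LISTEN socket exists on the port, which is the symptom the asker saw (DTLS only, no SSL). The config fragments, interface names, addresses and socket tables below are constructed for the example, modelled on what the thread shows; only static object NAT with a "service tcp" clause is parsed, so twice-NAT rules and pre-8.3 "static (inside,outside)" syntax would need separate handling.

```python
import re

# Well-known ASA port keywords that appear in NAT/service lines.
PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ssh": 22}

# Constructed, sanitised config fragment reproducing the thread's failure:
# webvpn is enabled on outside, but a static NAT claims tcp/443 on the
# outside interface IP, so the clientless portal never receives the SYN.
BROKEN_CONFIG = """
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static interface service tcp https https
webvpn
 enable outside
 enable inside
"""

# Same fragment with the published server moved to a different mapped port.
FIXED_CONFIG = """
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 8443 8443
webvpn
 enable outside
 enable inside
"""

# Constructed 'show asp table socket' output (203.0.113.1 is a documentation
# address standing in for the ASA's public IP), modelled on the thread's two samples.
BROKEN_SOCKETS = """
Protocol  Socket    State   Local Address      Foreign Address
DTLS      20d16628  LISTEN  203.0.113.1:443    *
"""
HEALTHY_SOCKETS = """
Protocol  Socket    State   Local Address      Foreign Address
SSL       005020d8  LISTEN  203.0.113.1:443    *
DTLS      0052da58  LISTEN  203.0.113.1:443    *
"""

# Static object NAT: 'nat (real,mapped) static <addr> [service tcp|udp <real> <mapped>]'
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<real>[\w.-]+),(?P<mapped>[\w.-]+)\)\s+static\s+(?P<addr>\S+)"
    r"(?:\s+service\s+(?P<proto>tcp|udp)\s+(?P<rport>\S+)\s+(?P<mport>\S+))?"
)


def _port(token):
    """Translate an ASA port token ('https' or '8443') to an int; None if unknown."""
    token = token.lower()
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def webvpn_settings(config):
    """Return (set of interfaces with 'enable', listening port) from the webvpn block."""
    ifaces, port, in_block = set(), 443, False
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # any top-level command ends the block
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            parts = line.split()
            if parts[0] == "enable" and len(parts) == 2:
                ifaces.add(parts[1].lower())
            elif parts[0] == "port" and len(parts) == 2:
                port = int(parts[1])
    return ifaces, port


def conflicting_nats(config):
    """Static object-NAT rules that publish the WebVPN port on a WebVPN-enabled
    interface's own IP. Any hit means inbound portal traffic is being translated
    to an inside host instead of terminating on the ASA."""
    ifaces, port = webvpn_settings(config)
    hits = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m or m["mapped"].lower() not in ifaces or m["addr"].lower() != "interface":
            continue
        if m["proto"] == "tcp" and _port(m["mport"]) == port:
            hits.append(line.strip())
    return hits


def ssl_listener_present(socket_output, port=443):
    """True when 'show asp table socket' shows an SSL socket in LISTEN on the port."""
    for line in socket_output.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "SSL" and parts[2] == "LISTEN"
                and parts[3].rsplit(":", 1)[-1] == str(port)):
            return True
    return False


def diagnose(config, socket_output):
    """Collect the findings a practitioner would check, in the order the thread found them."""
    ifaces, port = webvpn_settings(config)
    findings = []
    if not ifaces:
        findings.append("webvpn is not enabled on any interface")
    if not ssl_listener_present(socket_output, port):
        findings.append(f"no SSL LISTEN socket on :{port}")
    for rule in conflicting_nats(config):
        findings.append(f"NAT rule claims tcp/{port} on a webvpn interface: {rule}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(BROKEN_CONFIG, BROKEN_SOCKETS):
        print("FINDING:", finding)
```

Running it against the broken fragment reports both the missing SSL listener and the offending NAT line, while the fixed fragment with a healthy socket table reports nothing. Note that no access-list change is needed for the portal itself (traffic to the ASA's own interface address is not subject to the interface ACL), so the ACE hit counts the asker saw earlier are a red herring once the NAT is removed.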

Author Closing Comment

by:mk azam
ID: 41841074
Thanks to Arne for his help; it worked with AnyConnect.
