unable to connect to clientless webvpn portal on asa

Can anyone please help with the following, am I missing something?:

I'm trying to establish a ssl clientless vpn connection to an ASA5515 to access the web portal across the internet.

When I put the IP address in the browser - https://IP-ADD, it tries to connect to the portal but just hangs.

I can see the hits increment on the ACE entry when I try to connect but this was supposed to bypass the ACL as I have the default command

sysopt connection permit-vpn, so not sure whats happening there.

Please see test config below:

hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024

crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY


crypto ca enroll SELF-TRUSTPOINT [noconfirm]
ssl trust-point SELF-TRUSTPOINT OUTSIDE
wr
 
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn

tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
 
dns server-group DefaultDNS     (not used this for now as its not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
 
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable

username user1 password cisco1
webvpn
 enable OUTSIDE
wr
mk azamAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
ArneLoviusConnect With a Mentor Commented:
I did say above "To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port."...

I've not had much luck with either the SSH or RDP plugins for some time, and these days just use AnyConnect...
0
 
ArneLoviusCommented:
it would be useful if you could post a suitably sanitised complete config rather than the commands that you ran
0
 
mk azamAuthor Commented:
Sorry about that but the entire config is over 700 lines with all the IP Addressing etc. I can appreciate its much harder to diagnose with only a partial config but perhaps I'm missing something simple?

I got the above config from the Cisco ASA all-in-one book btw. Thought I should mention that I can get to the webvpn portal on the inside interface.

This is my first time setting up a clientless SSL vpn on an ASA so might be worth checking the following ACE. The access-list on the Outside interface that increments whenever I try to connect from a browser states:

action: permit
interface: outside
source: our external range of public IP addresses (should this be a single public IP add?)
destination: network range of the LAN on the Inside interface (does this need to be the Outside int add?)
service: tcp/https

Do I need to setup NAT?
Regards, mk
0
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

 
mk azamAuthor Commented:
When I change the dest add on the ACE to the ASA outside int add, I don't even get any hits on the access rule
0
 
mk azamAuthor Commented:
Don't know if this makes a difference but this is being tested on the 2 free licenses?
I'm assuming it should still work?
Licensed features for this platform:

Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
0
 
ArneLoviusCommented:
If you can connect from inside, but not outside, then it is not a licensing issue.

To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port.

There does NOT need to be an ACL on the "WAN" interface to allow traffic to the web interface.

Without a copy of the config, it is difficult to help further. It should only take a couple of minutes to sanitise the config as per the link I provided.
0
 
mk azamAuthor Commented:
Thank you for your response once again.
I've made some progress & narrowed the problem down to the following issue:
The first output is from the ASA I can't connect to, & the second output is from the ASA I can connect to.
As you can see, it is not listening on SSL port 443.

CiscoASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
DTLS      20d16628  LISTEN     PUBLIC-IP:443                           0.0.0.0:*

ASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
SSL         005020d8  LISTEN     PUBLIC-IP:443                         0.0.0.0:*
DTLS      0052da58  LISTEN     PUBLIC-IP:443                           0.0.0.0:*

I think the solution would be to get that listening on ssl port 443 but I was not able to do it.
0
 
ArneLoviusCommented:
I would guess that you have missed some part of the webvpn config, but without seeing the config, I would be plucking at imaginary straws.

a sample config is as below, your paths may be different

webvpn
 enable inside
 enable WAN
 default-idle-timeout 59940
 no anyconnect-essentials
 csd image disk0:/csm/csd_3.6.6210-k9.pkg
 csd hostscan image disk0:/csm/hostscan_3.1.02026-k9.pkg
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.14018-k9.pkg 9
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.1.14018-k9.pkg 10
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.1.14018-k9.pkg 11
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.1.14018-k9.pkg 12
 anyconnect profiles asa-1.contoso.com disk0:/csm/sa-1.contoso.com.xml
 anyconnect enable
 tunnel-group-list enable
0
 
mk azamAuthor Commented:
Most of the above config is for the cisco anyconnect client but I am trying to set up a clientless remote access vpn to the ASA. Hence, I'm using a web browser to connect. I will let you know how it goes when I get back to work on Tuesday.
Thank you for your help thus far.
Regards
0
 
mk azamAuthor Commented:
Like I said, I can connect to the web portal from the INSIDE interface but not the OUTSIDE.
Don't know why it's not listening on on port 443 for SSL?
0
 
ArneLoviusCommented:
perhaps if you posted a suitably sanitised complete config somebody else might see what the problem is...
0
 
mk azamAuthor Commented:
Hi Arne, thought I'd share the solution, I was unable to connect to the ASA web portal via clientless vpn as there was a nat rule on the outside interface.
So now I've downloaded & imported the ssh plugin from cisco & when I try to ssh to the server from the portal, it still doesn't work (have confirmed ssh works on the server as I can connect to it via putty from a LAN PC) .
Do I need to configure anything else on the ASA to make this work?
0
 
mk azamAuthor Commented:
Thanks to Arne for his help, worked with anyconnect
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.