  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 241
Unable to connect to clientless WebVPN portal on ASA

Can anyone please help with the following, am I missing something?:

I'm trying to establish an SSL clientless VPN connection to an ASA5515 to access the web portal across the internet.

When I put the IP address in the browser - https://IP-ADD, it tries to connect to the portal but just hangs.

I can see the hits increment on the ACE entry when I try to connect, but this was supposed to bypass the ACL as I have the default command sysopt connection permit-vpn, so not sure what's happening there.

Please see test config below:

hostname ASA1
clock set 13:48:00 28 sept 2016
domain-name test.local
crypto key generate rsa label RSA-KEY modulus 1024

crypto ca trustpoint SELF-TRUSTPOINT
 enrollment self
 fqdn asa1.test.local
 subject-name CN=asa1.test.local
 keypair RSA-KEY


crypto ca enroll SELF-TRUSTPOINT [noconfirm]
ssl trust-point SELF-TRUSTPOINT OUTSIDE
wr
 
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol webvpn

tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 default-group-policy CLIENTLESS-GP
 
dns server-group DefaultDNS
! (not used this for now as it's not needed to access the logon page)
 domain-name test.org
 name-server LAN-DNS-IP-ADD
 
tunnel-group SSL-TUNNEL webvpn-attributes
 group-url https://asa1.test.local/SSL-TUNNEL enable

username user1 password cisco1
webvpn
 enable OUTSIDE
wr
0
Asked by: mk azam
1 Solution
 
ArneLoviusCommented:
It would be useful if you could post a suitably sanitised complete config rather than the commands that you ran.
0
 
mk azamAuthor Commented:
Sorry about that, but the entire config is over 700 lines with all the IP addressing etc. I can appreciate it's much harder to diagnose with only a partial config, but perhaps I'm missing something simple?

I got the above config from the Cisco ASA all-in-one book, btw. Thought I should mention that I can get to the WebVPN portal on the inside interface.

This is my first time setting up a clientless SSL VPN on an ASA, so it might be worth checking the following ACE. The access-list on the Outside interface that increments whenever I try to connect from a browser states:

action: permit
interface: outside
source: our external range of public IP addresses (should this be a single public IP add?)
destination: network range of the LAN on the Inside interface (does this need to be the Outside int add?)
service: tcp/https

Do I need to setup NAT?
Regards, mk
0
 
mk azamAuthor Commented:
When I change the dest add on the ACE to the ASA outside int add, I don't even get any hits on the access rule.
0
 
mk azamAuthor Commented:
Don't know if this makes a difference, but this is being tested on the 2 free licenses. I'm assuming it should still work?
Licensed features for this platform:

Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
0
 
ArneLoviusCommented:
If you can connect from inside, but not outside, then it is not a licensing issue.

To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port.

There does NOT need to be an ACL on the "WAN" interface to allow traffic to the web interface.

Without a copy of the config, it is difficult to help further. It should only take a couple of minutes to sanitise the config as per the link I provided.
0
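The "must NOT have a NAT on the port" point above is easy to miss in a long config, because a static PAT of the outside interface address for tcp/443 (for example, publishing an internal web server) silently claims the same socket the clientless portal needs on that interface. The following is an added example, not code from this thread or from Cisco: a small Python lint that reads a sanitised ASA config, finds the interfaces named by `enable <nameif>` under `webvpn`, and flags object NAT rules that map to the `interface` address on one of those interfaces, either for the whole address (all ports) or specifically for tcp/443. The config fragment, interface names and addresses are constructed for the example; the NAT syntax is standard ASA 8.3+ object NAT.

```python
import re

# Constructed sanitised config fragment (assumption: 8.3+ object NAT syntax,
# interface names taken from the question, addresses are documentation ranges).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.10 255.255.255.0
object network WEB-SERVER
 host 10.0.0.20
 nat (INSIDE,OUTSIDE) static interface service tcp https https
object network MAIL-SERVER
 host 10.0.0.25
 nat (INSIDE,OUTSIDE) static interface service tcp smtp smtp
webvpn
 enable OUTSIDE
"""

# Object NAT line: nat (real_if,mapped_if) static <mapped> [service tcp|udp <real> <mapped>]
NAT_LINE = re.compile(
    r"^\s*nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?",
    re.IGNORECASE,
)

# Port keywords the ASA accepts in place of numbers (subset, enough for the lint)
PORT_ALIASES = {"https": 443, "www": 80, "smtp": 25, "ssh": 22}


def port_number(token):
    """Translate a port keyword or number from the config into an integer."""
    if token.isdigit():
        return int(token)
    return PORT_ALIASES.get(token.lower())


def webvpn_interfaces(config):
    """Interface names listed as 'enable <nameif>' inside the top-level 'webvpn' block."""
    names = []
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # Any unindented line starts a new block; only 'webvpn' opens ours.
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            m = re.match(r"\s+enable (\S+)", line)
            if m:
                names.append(m.group(1))
    return names


def nat_conflicts(config, webvpn_port=443):
    """Return NAT rules that take the portal's tcp port on a webvpn-enabled interface."""
    portal_ifs = set(webvpn_interfaces(config))
    conflicts = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = NAT_LINE.match(line)
        if not m:
            continue
        # Only rules that borrow the interface address itself can collide with the portal
        if m.group("mapped").lower() != "interface":
            continue
        if m.group("mapped_if") not in portal_ifs:
            continue
        if m.group("proto") is None:
            reason = "static NAT of the whole interface address (covers every port)"
        elif m.group("proto").lower() == "tcp" and port_number(m.group("mapped_port")) == webvpn_port:
            reason = "static PAT claims the interface's tcp/%d" % webvpn_port
        else:
            continue
        conflicts.append({
            "line": lineno,
            "interface": m.group("mapped_if"),
            "text": line.strip(),
            "reason": reason,
        })
    return conflicts


if __name__ == "__main__":
    for c in nat_conflicts(SAMPLE_CONFIG):
        print("line %d [%s]: %s -- %s" % (c["line"], c["interface"], c["text"], c["reason"]))
```

Run it against `show running-config` output; a hit means the portal and the NAT rule are fighting over the same interface address and port, and one of them has to move (a different public address for the published server, or the portal on a non-default port). The check deliberately ignores rules that map to a separate public address, since those do not touch the interface's own socket.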
 
mk azamAuthor Commented:
Thank you for your response once again.
I've made some progress & narrowed the problem down to the following issue:
The first output is from the ASA I can't connect to, & the second output is from the ASA I can connect to.
As you can see, it is not listening on SSL port 443.

CiscoASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
DTLS      20d16628  LISTEN     PUBLIC-IP:443                                0.0.0.0:*

ASA# sh asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
SSL       005020d8  LISTEN     PUBLIC-IP:443                                0.0.0.0:*
DTLS      0052da58  LISTEN     PUBLIC-IP:443                                0.0.0.0:*

I think the solution would be to get that listening on ssl port 443 but I was not able to do it.
0
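The two captures above are the decisive evidence in this thread: the browser portal needs the `SSL` (TCP) listener, while `DTLS` (UDP) only serves AnyConnect, so an ASA that shows DTLS but no SSL on 443 cannot answer a browser no matter what the ACLs say. As an added example, not code from the thread, here is a Python parser for `show asp table socket` output that reports which WebVPN listeners are bound on a port and turns that into the same diagnosis the poster reached. The two sample outputs are constructed copies of the captures in the thread (socket IDs and the `PUBLIC-IP` placeholder as posted); the status strings are my own.

```python
import re

# Constructed samples modelled on the two captures in the thread (not a live device).
BROKEN_ASA = """\
Protocol  Socket    State      Local Address                                Foreign Address
DTLS      20d16628  LISTEN     PUBLIC-IP:443                                0.0.0.0:*
"""

WORKING_ASA = """\
Protocol  Socket    State      Local Address                                Foreign Address
SSL       005020d8  LISTEN     PUBLIC-IP:443                                0.0.0.0:*
DTLS      0052da58  LISTEN     PUBLIC-IP:443                                0.0.0.0:*
"""

# One data row: protocol, hex socket id, state, local addr:port, foreign addr:port
SOCKET_ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<socket>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)


def parse_asp_sockets(output):
    """Parse 'show asp table socket' output into a list of listener dicts."""
    rows = []
    for line in output.splitlines():
        m = SOCKET_ROW.match(line)
        # The header line fails the hex socket-id match, so it is skipped here
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")
        rows.append({
            "proto": m.group("proto").upper(),
            "state": m.group("state").upper(),
            "addr": addr,
            "port": int(port) if port.isdigit() else None,
        })
    return rows


def webvpn_listeners(output, port=443):
    """Which WebVPN listeners are bound on the port: SSL serves browsers, DTLS serves AnyConnect."""
    found = {"SSL": False, "DTLS": False}
    for row in parse_asp_sockets(output):
        if row["state"] == "LISTEN" and row["port"] == port and row["proto"] in found:
            found[row["proto"]] = True
    return found


def portal_diagnosis(output, port=443):
    """Classify the capture: 'ok', 'missing-ssl' (the thread's case) or 'not-enabled'."""
    listeners = webvpn_listeners(output, port)
    if listeners["SSL"]:
        return "ok"
    if listeners["DTLS"]:
        # DTLS bound but no TCP/SSL socket: the portal cannot answer browsers.
        # In the thread this was a NAT rule claiming the interface's tcp/443.
        return "missing-ssl"
    return "not-enabled"


if __name__ == "__main__":
    for label, capture in (("broken", BROKEN_ASA), ("working", WORKING_ASA)):
        print(label, webvpn_listeners(capture), portal_diagnosis(capture))
```

Paste the command output from the device you cannot reach into the script; `missing-ssl` points at the interface's tcp/443 being taken by something else (NAT, in this thread), whereas `not-enabled` means `webvpn` has no `enable <interface>` for that side at all.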
 
ArneLoviusCommented:
I would guess that you have missed some part of the webvpn config, but without seeing the config, I would be plucking at imaginary straws.

A sample config is below; your paths may be different.

webvpn
 enable inside
 enable WAN
 default-idle-timeout 59940
 no anyconnect-essentials
 csd image disk0:/csm/csd_3.6.6210-k9.pkg
 csd hostscan image disk0:/csm/hostscan_3.1.02026-k9.pkg
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.14018-k9.pkg 9
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.1.14018-k9.pkg 10
 anyconnect image disk0:/anyconnect/anyconnect-linux-64-3.1.14018-k9.pkg 11
 anyconnect image disk0:/anyconnect/anyconnect-linux-3.1.14018-k9.pkg 12
 anyconnect profiles asa-1.contoso.com disk0:/csm/sa-1.contoso.com.xml
 anyconnect enable
 tunnel-group-list enable
0
 
mk azamAuthor Commented:
Most of the above config is for the Cisco AnyConnect client, but I am trying to set up a clientless remote access VPN to the ASA. Hence, I'm using a web browser to connect. I will let you know how it goes when I get back to work on Tuesday.
Thank you for your help thus far.
Regards
0
 
mk azamAuthor Commented:
Like I said, I can connect to the web portal from the INSIDE interface but not the OUTSIDE.
Don't know why it's not listening on port 443 for SSL?
0
 
ArneLoviusCommented:
Perhaps if you posted a suitably sanitised complete config, somebody else might see what the problem is...
0
 
mk azamAuthor Commented:
Hi Arne, thought I'd share the solution: I was unable to connect to the ASA web portal via clientless VPN as there was a NAT rule on the outside interface.
So now I've downloaded & imported the SSH plugin from Cisco, & when I try to SSH to the server from the portal, it still doesn't work (have confirmed SSH works on the server as I can connect to it via PuTTY from a LAN PC).
Do I need to configure anything else on the ASA to make this work?
0
 
ArneLoviusCommented:
I did say above "To be able to connect to the ASA web interface from the "WAN" side, you must NOT have a NAT on the port."...

I've not had much luck with either the SSH or RDP plugins for some time, and these days just use AnyConnect...
0
 
mk azamAuthor Commented:
Thanks to Arne for his help; worked with AnyConnect.
0