03-11-2009 06:44 PM - edited 02-21-2020 04:10 PM
ASA5510 8.0(4)
I'm trying to set up AnyConnect on another ASA. I can't see the forest for the trees this time.
I keep getting a log msg about TCP/443 packet dropped by ACL on outside interface. I don't have an ACL denying 443 on the outside. I've done this before, but I cannot see my error. Any suggestions come to mind?
I even went so far as to follow Cisco's tech tip in Doc. #99757 just to be sure.
Classical non-SSL VPN client connectivity works fine.
Thx - Phil
03-12-2009 08:34 PM
Have you enabled webvpn on the outside interface?
03-13-2009 05:45 AM
Ivan - yes it is.
ASA5510# sho run webvpn
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
svc enable
tunnel-group-list enable
ASA5510#
Here are the pertinent config details (public IPs changed to protect the protected):
Note that there is also code for traditional non-SSL client and site-to-site VPN - all that works fine.
I have other ASAs with WebVPN enabled that work fine, I cannot see why this one is different/does not work. Probably a typo I cannot see.
!
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5510 Security Plus license.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 25.25.25.250 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.31.254.2 255.255.255.252
!
access-list ACL_OUT extended permit tcp 24.25.44.0 255.255.252.0 host 25.25.25.251 eq https
access-list ACL_OUT extended permit icmp any interface outside echo-reply
access-list ACL_OUT extended permit icmp any interface outside unreachable
access-list ACL_OUT extended permit icmp any interface outside time-exceeded
access-list NoNAT extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
access-list SSLSplitAllowACL extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool SSLSplitAllowPool 172.31.253.1-172.31.253.2 mask 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface inside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 172.20.1.0 255.255.255.0
static (inside,outside) 25.25.25.251 172.20.1.9 netmask 255.255.255.255
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 25.25.25.249 1
route inside 172.20.1.0 255.255.255.0 172.31.254.1 1
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA5510.local.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 6a6d4e86
0500304c 3121301f 06035504 03131843 44482d35 3531302e 57333637 30646f6d
98c13a65 d128ac77 d3eb55c1 ecc85d99 faf314
quit
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.20.1.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLSplitAllowACL
default-domain value local.com
address-pools value SSLSplitAllowPool
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username vpntest password
username vpntest attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
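Added example (not from the thread or from Cisco): a small Python first-match simulator over the ACL_OUT lines posted above, to check which entry, if any, permits a given flow, including the TCP/443 packets the log complains about. The INTERFACES and PORT_NAMES tables are constructed from the posted interface addresses and common ASA service keywords; the test flows are made-up addresses.

```python
import ipaddress
INTERFACES = {"outside": "25.25.25.250", "inside": "172.31.254.2"}  # from the posted config
PORT_NAMES = {"https": 443, "www": 80, "ssh": 22}  # ASA service keywords -> port numbers
# The outside ACL exactly as posted above (constructed sample input for the simulator).
ACL_OUT = """\
access-list ACL_OUT extended permit tcp 24.25.44.0 255.255.252.0 host 25.25.25.251 eq https
access-list ACL_OUT extended permit icmp any interface outside echo-reply
access-list ACL_OUT extended permit icmp any interface outside unreachable
access-list ACL_OUT extended permit icmp any interface outside time-exceeded
"""

def _addr(tok):
    """Consume one ASA address spec (any | host X | interface N | X MASK); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    if tok[0] == "interface":
        return ipaddress.IPv4Network(INTERFACES[tok[1]] + "/32"), tok[2:]
    return ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    src, rest = _addr(tok[5:])
    dst, rest = _addr(rest)
    svc = None  # None = any port / any ICMP type
    if rest[:1] == ["eq"]:
        svc = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and tok[4] == "icmp":
        svc = rest[0]
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "svc": svc}

def verdict(acl, proto, src_ip, dst_ip, svc=None):
    """First-match evaluation as the ASA does it; no match falls to the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if (ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"]
                and (ace["svc"] is None or ace["svc"] == svc)):
            return ace["action"]
    return "deny (implicit)"

if __name__ == "__main__":
    acl = [parse_ace(l) for l in ACL_OUT.splitlines()]
    # Only 24.25.44.0/22 -> 25.25.25.251:443 is permitted; 443 to the outside address matches nothing.
    for flow in [("tcp", "24.25.45.7", "25.25.25.251", 443), ("tcp", "198.51.100.9", "25.25.25.250", 443),
                 ("icmp", "198.51.100.9", "25.25.25.250", "echo-reply")]:
        print(flow, "->", verdict(acl, *flow))
```

The only https permit in ACL_OUT covers 24.25.44.0/22 to the static 25.25.25.251, so a TCP/443 flow from any other source, or one addressed to the outside interface itself (25.25.25.250), matches no entry and falls to the implicit deny. Interface access rules on the ASA govern through-the-box traffic; the AnyConnect listener on the outside address is opened by `webvpn` / `enable outside`, which this config already has, so a 443 entry in ACL_OUT is not what makes the SSL VPN reachable.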
03-13-2009 02:33 PM
Ivan - I got the OK to reload the 5510 - that fixed all the problems. I guess 8.0(4) still has some bugs.
The fact that the reload fixed this also restored my faith in me and my craft. :-)