Cannot connect to clientless vpn through ASA 5505

sbenas101
Level 1

Just started a job where they wanted us to re-purpose a local network that wasn't in use and to create a webvpn portal to allow web access to it.  We've tried everything and looked everywhere and cannot seem to figure out what we are doing wrong.

So here is what is happening: if I try to navigate to the webvpn page on my local machine nothing happens, the request times out.  Looking at Wireshark and at the ASA's packet capture, I see the https SYN packet coming through, and it is not blocked, but nothing happens and then at 30 seconds the request times out.  I don't see any SYN-ACK anywhere.

If I configure the ASA to allow my remote computer address to have HTTP access to the ASA itself and I go to the address then it shows the page to download the ASDM software, but not the webvpn portal.  So it doesn't seem to be any kind of routing issue.

If I am on one of the machines connected to the internal network, and in a web browser I type the address of the internal network gateway, then it takes me to the vpn portal.  We tried adding a NAT rule to redirect outside traffic to the internal network gateway, and the NAT rule seems to be working, but we have the same problem of the request just timing out. 

Here is the output of "show run", with some added comments marked by a pound sign.

#  Used addresses:
#    <outside interface> - IP address of ASA's outside interface
#    <internal network>  - The network for the internal vlan, also named CILInternal
#    <internal gateway>  - The gateway addresses for machines on the internal vlan
#    <various address>   - Any address that is still part of the configuration that I don't
#                          believe is in use or does not seem relevant to this issue
#    <remote address>    - The address of my remote computer I want to connect to the SSL WebVPN

# Anything labeled VM is a legacy network that is not currently connected


cilasa# sh run
: Saved
:
ASA Version 9.1(5)
!
hostname cilasa
domain-name CIL.local
enable password <asa password>
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <passwd> encrypted
names
name <various address> CILInternal
name <various address> DMZ_WebServer
name <various address> Outside
name <various address> Management
name <various address> PPTPUser description PPTPUser1-55 (User's VPN)
name <various address> SSTPPool
name <various address> A2008R2_51
name <various address> SSTPAdmPool description Admin SSTP IP Pool
name <various address> SSTP1 description SSTP1-3 (VPN)
name <various address> SSTPAdmInt description Internal Interface for Admin SSTP
name <various address> User51 description User51 VM access to the Internet
name <various address> User52 description User52 VM access to the Internet
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
 shutdown
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
 shutdown
!
interface Ethernet0/5
 switchport access vlan 22
 switchport trunk allowed vlan 22,51-56
 switchport trunk native vlan 51
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 management-only
 nameif inside
 security-level 100
 ip address <default address> 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <outside network> 255.255.255.240
!
interface Vlan12
 nameif CILInternal
 security-level 10
 ip address <internal gateway> 255.255.255.0
!
interface Vlan22   #Legacy vlan
 nameif VM
 security-level 10
 ip address <various address> 255.255.248.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup CILInternal
dns server-group DefaultDNS
 name-server <various address>
 name-server 75.75.76.76
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name CIL.local
same-security-traffic permit intra-interface
object network User51  #Legacy I think
 subnet <various address> 255.255.255.248
 description Created during name migration
object network User52 #Legacy I think
 subnet <various address> 255.255.255.248
 description Created during name migration
object network SSTPAdmPool #Legacy I think
 subnet <various address> 255.255.255.0
object network SSTP1 #legacy I think
 host <various address>
object network CILInternal
 subnet <internal network> 255.255.255.0
object network PPTPUser #legacy
 host <various address>
object network SSTPPool #legacy
 subnet <various address> 255.255.255.0
object network VM #legacy
 subnet <various address> 255.255.248.0
 description VM Machines
object network NAVWEB-DMZ #legacy
 host <various address>
 description Time and Expense Web Portal
object network internal_gateway
 host <internal gateway>
 description Gateway for the internal network
object network ssl_vpn
 host <internal gateway>
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq <some port>
object-group service AdminPPTP tcp
 port-object eq <some other port>
object-group network UserAccess
 description User VM access to the Internet
 network-object object User51
 network-object object User52
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp
 service-object tcp destination eq https
 service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object tcp
 service-object tcp destination eq https

#--------------------------------------
#       Access List Config
#--------------------------------------

# Note:  Rules like "any any ip permit" are just temporary
# for diagnostics, this network is not currently
# operational



access-list acl-out extended permit tcp any4 object PPTPUser eq pptp
access-list acl-out extended permit tcp any4 interface outside eq https
access-list acl-out extended permit tcp any interface outside eq https
access-list acl-out extended permit tcp interface outside interface outside eq https
access-list acl-out extended permit ip any interface outside
access-list acl-out extended permit object-group TCPUDP interface outside interface inside eq www
access-list acl-out extended permit tcp interface outside interface inside eq ssh
access-list acl-out extended permit ip any any
access-list acl-out extended permit tcp interface outside interface outside eq www
access-list acl-out extended permit tcp any4 interface outside
access-list acl-out extended permit tcp any interface outside eq ssh
access-list acl-out extended permit tcp any any eq ssh
access-list test_acl extended permit ip any4 any4
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_1 object CILInternal any
access-list outside_access_out extended permit udp object CILInternal any eq domain
access-list outside_access_out extended permit icmp object CILInternal any
access-list outside_access_out extended permit tcp any interface outside eq https
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_2 host <remote address> any
access-list ACL_IN extended permit ip any4 any4
access-list ACL_IN extended permit object-group DM_INLINE_SERVICE_1 any interface outside


#--------------------------------------
#       End Access List Config
#--------------------------------------



pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CILInternal 1500
mtu VM 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (outside,outside) source static any any destination static interface ssl_vpn net-to-net
nat (outside,outside) source static any any destination static interface internal_gateway net-to-net no-proxy-arp
nat (CILInternal,outside) source static any interface no-proxy-arp
nat (outside,CILInternal) source static any any destination static internal_gateway internal_gateway
!
object network CILInternal
 nat (CILInternal,outside) dynamic interface
object network SSTPPool
 nat (VM,VM) static SSTPPool no-proxy-arp route-lookup service tcp 3389 3389
object network VM
 nat (VM,outside) dynamic interface
access-group outside_access_out out interface outside
!
router rip
 passive-interface default
 version 2
!
route outside 0.0.0.0 0.0.0.0 173.166.135.206 1
route VM SSTPPool 255.255.255.0 PPTPUser 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http Management 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 0
service resetinbound interface outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1

#------------------------------
#        WebVPN Config
#------------------------------
webvpn
 enable outside
 enable CILInternal
 tunnel-group-list enable
 internal-password enable
group-policy sslvpngp1 internal
group-policy sslvpngp1 attributes
 vpn-tunnel-protocol l2tp-ipsec
 webvpn
  url-list value webaccess
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 webvpn
  url-list value Test_bookmark_list
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-clientless
username test_user password <password> encrypted privilege 0
username test_user attributes
 vpn-group-policy DfltGrpPolicy
username spu password <password> encrypted privilege 0
username spu attributes
 vpn-group-policy sslvpngp1
username <username> password <password>. encrypted
username <username> attributes
 group-lock value VDTG_test
tunnel-group VDTG_test type remote-access
tunnel-group VDTG_test general-attributes
 default-group-policy GroupPolicy1
tunnel-group VDTG_test webvpn-attributes
 group-alias Interns enable
 group-url https://<machine on local network> enable
!

#-----------------------------
#       End VPN Stuff
#-----------------------------


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
policy-map CONNS
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:020ed7a25844649339d817e33242d316
: end
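As an added example (not from the thread, the poster, or Cisco), a small Python checker that pulls the WebVPN-relevant facts out of a show-run dump shaped like the one above and flags the constructs this thread revolves around: outside-to-outside NAT aimed at the interface address, which the checker assumes can shadow services the ASA itself answers on that address (webvpn included), and a group-url whose host is not the outside interface address. The sample config is constructed, with the thread's placeholders replaced by RFC 5737 documentation addresses.

```python
import re

# Constructed sample in the shape of the thread's "show run"; placeholders become RFC 5737 addresses.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.240
interface Vlan12
 nameif CILInternal
 ip address 192.0.2.1 255.255.255.0
nat (outside,outside) source static any any destination static interface ssl_vpn net-to-net
webvpn
 enable outside
 enable CILInternal
tunnel-group VDTG_test webvpn-attributes
 group-url https://192.0.2.50 enable
"""

def parse_asa(cfg):
    """Collect interface IPs, webvpn interfaces, group-urls and outside-to-outside NAT to the interface."""
    f = {"iface_ip": {}, "webvpn": set(), "urls": [], "nat_iface": []}
    block = nameif = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                     # top-level command starts a new block
            block, nameif = line, ""
            if re.match(r"nat \(outside,outside\) .*destination static interface ", line):
                f["nat_iface"].append(line)
        elif block.startswith("interface "):            # interface sub-commands
            if m := re.match(r"nameif (\S+)$", line):
                nameif = m.group(1)
            elif (m := re.match(r"ip address (\S+) ", line)) and nameif:
                f["iface_ip"][nameif] = m.group(1)
        elif block == "webvpn" and (m := re.match(r"enable (\S+)$", line)):
            f["webvpn"].add(m.group(1))
        elif block.startswith("tunnel-group ") and (m := re.match(r"group-url (\S+)", line)):
            f["urls"].append(m.group(1))
    return f

def check_webvpn(f):
    """Return the findings a defender would review before exposing the portal; [] if clean."""
    out, outside = [], f["iface_ip"].get("outside")
    if "outside" not in f["webvpn"]:
        out.append("webvpn is not enabled on the outside interface")
    for nat in f["nat_iface"]:   # assumption: such a rule shadows to-the-box services on that address
        out.append("outside-to-outside NAT aimed at the interface address can shadow webvpn: " + nat)
    for url in f["urls"]:
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if outside and host != outside:
            out.append(f"group-url host {host} is not the outside address {outside}")
    return out
```

Run `check_webvpn(parse_asa(SAMPLE_CONFIG))` to see the two findings for the sample; feeding it the real dump (after restoring the redacted addresses) works the same way.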

1 Reply

Philip D'Ath
VIP Alumni

You really need to test this from a location external to your company, so the traffic is coming in the "outside" of the ASA.  Several things won't work if you try to do this from "inside" of the ASA.
