Cisco Support Community

Bridged Modem and ASA with Public IP

Hi Everyone,

I am using two public IPs for my home network via a bridged modem.

Setup:

Router - Switch - Modem

ASA - Switch - Modem

Both the Router and the ASA have public IPs and are on separate networks.

The outside interface of the ASA has no ACL to permit any traffic on port 443.

When I connect from the network behind the Router via https://<ASA public IP>, AnyConnect works fine.

I need to know how the connection on port 443 of the outside interface of the ASA is working without a permit ACL.

Regards

Mahesh


9 REPLIES

From what I understand, the ACL on the ASA outside interface is normally used to allow traffic going through the ASA, from a lower to a higher security level, not to the ASA itself. If you try to access port 443 on a device behind the ASA, I believe it will be denied if you don't have the ACL configured.

The reason that you can connect to the ASA on port 443 is probably because you have the http and http server enable commands configured on the ASA.

Hi Rudy,

Yes, I have the http server configured so that I can access it from outside.

Also, when I use the VPN IPsec client I am able to connect on port TCP 10000 even though the ASA outside interface is not allowing anything?

Regards

Mahesh

Hi, when you say that you are able to connect on port 10000, do you mean you can connect to the ASA or to a device behind the ASA? And is this after you successfully connected via VPN?

Hi Rudy,

When I say I connect via the VPN IPsec client, I mean I connect to the ASA itself, not to any device behind the ASA.

Also, when I do sh conn on the ASA it does not show any ports used by VPN IPsec.

Regards

Mahesh

If you connect using the AC VPN client, you are connecting to port 443, as the AC VPN client is using SSL for the connection. Here is an example:

ASA# show asp table socket

Protocol  Socket    Local Address         Foreign Address         State
---- <output omitted> ----
TCP       00268688  b.b.b.b:22            a.a.a.a:62640     ESTAB
SSL       00278f48  b.b.b.b:443           a.a.a.a:64909     ESTAB
SSL       0027e738  b.b.b.b:443           a.a.a.a:57641     ESTAB
SSL       00285998  b.b.b.b:443           a.a.a.a:61188     ESTAB
SSL       00291168  b.b.b.b:443           a.a.a.a:27885     ESTAB
SSL       002a1628  b.b.b.b:443           a.a.a.a:62408     ESTAB
ASA# 
ASA# show conn all  
6 in use, 224 most used
TCP outside a.a.a.a:64603 NP Identity Ifc b.b.b.b:443, idle 0:00:18, bytes 2958, flags UOB
TCP outside a.a.a.a:54098 NP Identity Ifc b.b.b.b:443, idle 0:00:30, bytes 9338, flags UOB
TCP outside a.a.a.a:37676 NP Identity Ifc b.b.b.b:443, idle 0:00:35, bytes 1609, flags UOB
TCP outside a.a.a.a:57829 NP Identity Ifc b.b.b.b:443, idle 0:00:35, bytes 1257, flags UOB
UDP outside a.a.a.a:23174 NP Identity Ifc b.b.b.b:4500, idle 0:01:37, bytes 453, flags -
TCP outside a.a.a.a:62640 NP Identity Ifc b.b.b.b:22, idle 0:00:00, bytes 59676, flags UOB

If you connect using the old Cisco VPN client, you are connecting to port 500, as the Cisco VPN client is using IPsec for the connection. Here is an example:

ASA# show conn all        
3 in use, 224 most used
UDP outside a.a.a.a:15388 NP Identity Ifc b.b.b.b:4500, idle 0:00:13, bytes 2594, flags -
UDP outside a.a.a.a:54950 NP Identity Ifc b.b.b.b:500, idle 0:00:55, bytes 1317, flags -
TCP outside a.a.a.a:62640 NP Identity Ifc b.b.b.b:22, idle 0:00:00, bytes 106888, flags UOB

Above are the standard default ports for VPN clients. So you shouldn't be connected to port 10000 on the ASA unless you changed the default port values.

HTH,

Hi Rudy,

I got the same output as per your reply.

So does this prove that when we do VPN or AnyConnect to the ASA itself, then we do not need to open the VPN ports on the outside interface of the ASA, as that traffic is destined for the ASA itself, right?

Best Regards

Mahesh

That's not correct. You do need to open ports 443 and 500 on the ASA, otherwise AC or the VPN Client will not be able to establish a connection to the ASA. But you are not opening them using an ACL.

By configuring the crypto ikev1 enable command, you enable port 500 on the ASA, as IKE uses port 500 to communicate. The same goes for AC: you use the webvpn command. The difference is that you can also enable port 443 using the http server enable command on the ASA.

Please rate helpful comments/answers.
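As an added illustration (not configuration from this thread, from Cisco, or from either poster), the fragment below puts the point Rudy makes into one ASA config: the interface ACL governs only through-the-box traffic, while the http, webvpn and crypto ikev1 commands open ports on the ASA itself without any ACL line. The last section goes beyond the thread and shows the control-plane ACL, which is the one that does filter to-the-box traffic. The interface name and the 198.51.100.x / 203.0.113.x addresses are placeholders.

```cisco
! Outside interface (placeholder name and address). Security-level 0 means
! nothing is permitted inbound THROUGH the ASA unless an interface ACL allows it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Interface ACL: applies to through-the-box traffic only. It has no line
! for 443, so a host behind the ASA on 443 is NOT reachable from outside ...
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! ... yet each of these opens a port on the ASA itself on "outside"
! regardless of OUTSIDE_IN, which is what the thread observed:
http server enable
http 203.0.113.0 255.255.255.0 outside     ! ASDM/HTTPS (443) from this net only
webvpn
 enable outside                            ! AnyConnect SSL on 443
crypto ikev1 enable outside                ! IKEv1 on UDP 500 (+4500 NAT-T)
!
! Beyond the thread: to restrict to-the-box traffic you need a control-plane
! ACL; the interface ACL is never consulted for it. Ends in an implicit deny,
! so list every service the box must answer (here also SSH from the mgmt net).
access-list TO_THE_BOX extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.2 eq 443
access-list TO_THE_BOX extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.2 eq 22
access-list TO_THE_BOX extended permit udp any host 198.51.100.2 eq 500
access-list TO_THE_BOX extended permit udp any host 198.51.100.2 eq 4500
access-list TO_THE_BOX extended deny ip any any log
access-group TO_THE_BOX in interface outside control-plane
```

After applying it, show conn all should list NP Identity Ifc connections only on the ports the control-plane ACL permits; anything else to the ASA's own address is logged by the final deny line.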

So I learned something new today.

Thanks for answering all the posts.

Best Regards

Mahesh

You are welcome, thank you for the rates.
