Cisco Support Community
AnyConnect SSL VPN conn denied on outside intfc

ASA5510 8.0(4)

I'm trying to setup AnyConnect on another ASA. I can't see the forest for the trees this time.

I keep getting a log msg about TCP/443 packet dropped by ACL on outside interface. I don't have an ACL denying 443 on the outside. I've done this before, but I cannot see my error. Any suggestions come to mind?

I even went so far as to follow Cisco's tech tip in Doc. #99757 just to be sure.

Classical non-SSL VPN client connectivity works fine.

Thx - Phil

3 REPLIES

Re: AnyConnect SSL VPN conn denied on outside intfc

Have you enabled webvpn on the outside interface?


Re: AnyConnect SSL VPN conn denied on outside intfc

Ivan - yes it is.

ASA5510# sho run webvpn
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
ASA5510#

Here are the pertinent config details (public IPs changed to protect the protected):

Note that there is also code for traditional non-SSL client and site-to-site VPN - all that works fine.

I have other ASAs with WebVPN enabled that work fine, I cannot see why this one is different/does not work. Probably a typo I cannot see.

!
! License summary (printed at the top of 'show run' on 8.0)
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5510 Security Plus license.
!
! Interfaces
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 25.25.25.250 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.31.254.2 255.255.255.252
!
! Inbound ACL for the outside interface, NAT-exemption list and split-tunnel list
access-list ACL_OUT extended permit tcp 24.25.44.0 255.255.252.0 host 25.25.25.251 eq https
access-list ACL_OUT extended permit icmp any interface outside echo-reply
access-list ACL_OUT extended permit icmp any interface outside unreachable
access-list ACL_OUT extended permit icmp any interface outside time-exceeded
access-list NoNAT extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
access-list SSLSplitAllowACL extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
mtu outside 1500
mtu inside 1500
mtu management 1500
! SSL VPN address pool (two addresses, matching the two licensed WebVPN peers)
ip local pool SSLSplitAllowPool 172.31.253.1-172.31.253.2 mask 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface inside
! NAT: exempt inside <-> VPN pool, PAT everything else, static for the inside HTTPS server
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 172.20.1.0 255.255.255.0
static (inside,outside) 25.25.25.251 172.20.1.9 netmask 255.255.255.255
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 25.25.25.249 1
route inside 172.20.1.0 255.255.255.0 172.31.254.1 1
dynamic-access-policy-record DfltAccessPolicy
! ASDM HTTPS listener on tcp/444, leaving tcp/443 to WebVPN
http server enable 444
! Self-signed certificate presented by the SSL VPN listener
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA5510.local.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 6a6d4e86
    0500304c 3121301f 06035504 03131843 44482d35 3531302e 57333637 30646f6d
    98c13a65 d128ac77 d3eb55c1 ecc85d99 faf314
  quit
ssl trust-point ASDM_TrustPoint0 outside
! AnyConnect (SVC) listener on the outside interface
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
! Group policy for the AnyConnect clients (split tunnel to 172.20.1.0/24 only)
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 172.20.1.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLSplitAllowACL
 default-domain value local.com
 address-pools value SSLSplitAllowPool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
! Local test account, remote-access only
username vpntest password encrypted privilege 0
username vpntest attributes
 service-type remote-access
! Tunnel group shown to users as "SSLVPNClient" in the portal drop-down
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
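As an added example (not part of the thread and not a Cisco tool), the following Python script parses 'show run' text with normal ASA indentation and checks the pieces an AnyConnect (SVC) listener needs on one interface: webvpn enabled there, an SVC image installed and enabled, an ssl trust-point bound to the interface, a WebVPN peer license, an enabled group-alias when tunnel-group-list is on, ASDM not sitting on tcp/443, and the ip local pool covered by the nat 0 exemption ACL. The embedded config is a constructed, sanitized subset of the one posted above; the check names, the failures() helper and the decision to flag ASDM on 443 as a conflict are assumptions of this example, not anything stated in the thread.

```python
"""Added example (not from the thread or Cisco): lint an ASA 8.0-era
running-config for the pieces an AnyConnect (SVC) listener needs on a
given interface.  Works on 'show run' text with normal ASA indentation."""
import ipaddress
import re

# Constructed sample: a sanitized, indented subset of the config posted above.
SAMPLE_CONFIG = """\
Licensed features for this platform:
WebVPN Peers : 2
access-list NoNAT extended permit ip 172.20.1.0 255.255.255.0 172.31.253.0 255.255.255.252
ip local pool SSLSplitAllowPool 172.31.253.1-172.31.253.2 mask 255.255.255.252
nat (inside) 0 access-list NoNAT
http server enable 444
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value SSLSplitAllowPool
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
"""


def parse_blocks(text):
    """Return [(top_level_line, [sub_command, ...])], skipping '!' and blank lines."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:          # indented => belongs to previous block
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_anyconnect(config, interface="outside"):
    """Return [(status, message)] with status 'OK' or 'FAIL' for each check."""
    blocks = parse_blocks(config)
    tops = [t for t, _ in blocks]
    sub = dict(blocks)
    out = []

    def check(cond, msg):
        out.append(("OK" if cond else "FAIL", msg))

    web = sub.get("webvpn", [])
    check(f"enable {interface}" in web, f"webvpn enabled on {interface}")
    check("svc enable" in web and any(s.startswith("svc image ") for s in web),
          "svc image installed and svc enabled")
    check(any(re.fullmatch(rf"ssl trust-point \S+ {interface}", t) for t in tops),
          f"ssl trust-point bound to {interface}")

    # ASDM defaults to tcp/443.  Assumption of this example: sharing 443 with
    # WebVPN on the same interface is worth flagging (the posted config uses 444).
    for t in tops:
        m = re.fullmatch(r"http server enable(?: (\d+))?", t)
        if m:
            port = int(m.group(1) or 443)
            check(port != 443, f"ASDM on tcp/{port} does not collide with WebVPN on 443")

    m = re.search(r"WebVPN Peers\s*:\s*(\d+)", config)
    check(bool(m) and int(m.group(1)) > 0, "license grants WebVPN peers")

    if "tunnel-group-list enable" in web:
        has_alias = any(t.endswith(" webvpn-attributes") and
                        any(re.fullmatch(r"group-alias \S+ enable", s) for s in sg)
                        for t, sg in blocks)
        check(has_alias, "tunnel-group-list enabled and a tunnel-group has an enabled alias")

    # The client pool must be exempt from NAT or inside hosts' replies get translated.
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+) ", config, re.M)
    nonat = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    covered = False
    if pool and nonat:
        lo, hi = ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))
        for t in tops:
            a = re.fullmatch(rf"access-list {nonat.group(1)} extended permit ip \S+ \S+ (\S+) (\S+)", t)
            if a:
                net = ipaddress.ip_network(f"{a.group(1)}/{a.group(2)}", strict=False)
                covered |= lo in net and hi in net
    check(covered, "ip local pool is covered by the NAT-exempt (nat 0) ACL")
    return out


def failures(config, interface="outside"):
    """Just the messages of the failed checks (empty list means the lint is clean)."""
    return [msg for status, msg in lint_anyconnect(config, interface) if status == "FAIL"]


if __name__ == "__main__":
    for status, msg in lint_anyconnect(SAMPLE_CONFIG):
        print(f"{status:4} {msg}")
```

Run against the sample, every check passes, which matches the outcome of the thread: the configuration itself was complete and only a reload cleared the drops. The same script points at the missing line when, for instance, 'enable outside' is absent from the webvpn block or the nat 0 ACL does not cover the pool.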


Re: AnyConnect SSL VPN conn denied on outside intfc

Ivan - I got the OK to reload the 5510 - that fixed all the problems. I guess 8.0(4) still has some bugs.

The fact that the reload fixed this also restored my faith in me and my craft. :-)
