ASA 5505 webvpn no response

samlystor
Level 1

Hi,

I'm trying to set up WebVPN; however, no matter what I try, I cannot reach the HTTPS/VPN page from outside my network to be able to sign in to the ASA.

Setup is fairly simple - inside 10.0.0.0 for devices / outside PPPoE to modem.

No matter what I try, I cannot get a response from the HTTPS server on the outside.

Thanks in advance

Sam

SH RUN

**********************************

ASA Version 8.4(2)
!
hostname CiscoASA-01
domain-name name.ext
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 4
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address pppoe setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.0.0.0
!
interface Vlan4
 nameif management
 security-level 100
 ip address 192.168.1.101 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name domain.ext
same-security-traffic permit intra-interface
object network insidepc
 host 10.0.0.20
object service Microsoft_RDP
 service tcp destination eq 3389
 description Remote Desktop Access
object network ASA
 host 10.0.0.1
object service VPN_https
 service tcp source eq https destination eq https
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp-udp destination eq www
 service-object object VPN_https
 service-object tcp destination eq https
object-group service Mystery tcp
 port-object eq 58627
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit object Microsoft_RDP any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_3 any any
access-list outside_access_out extended permit object Microsoft_RDP object insidepc interface outside
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,any) source static any any destination static interface insidepc service Microsoft_RDP Microsoft_RDP
nat (inside,outside) source static any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=CiscoASA-01
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate ba9a424f


  quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname user@isp
vpdn group BT ppp authentication chap
vpdn username user@isp password xxx store-local
dhcpd address 10.0.0.50-10.0.0.128 inside
dhcpd dns 10.0.0.10 8.8.8.8 interface inside
dhcpd wins 10.0.0.10 interface inside
dhcpd domain name.ext interface inside
dhcpd enable inside
!
dhcpd address 172.16.1.2-172.16.1.10 DMZ
dhcpd dns 8.8.8.8 interface DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect enable
group-policy Name_WebVPN internal
group-policy Name_WebVPN attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value name.ext
username sName password bfIwO7SMJhE/ekQm encrypted privilege 0
username sName attributes
 vpn-group-policy Name_WebVPN
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy Name_WebVPN
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Name_WebVPN
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy Name_WebVPN
tunnel-group Name_WebVPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:316091bfa8ba73dce98b48cccdec1f22
: end

7 Replies

Matt Lang
Level 1

Sam,

Can you post a 'sh ip address'? In your config for Vlan2 you tell it to use a group called ISP, but your group is called BT.

Matt

Sent from Cisco Technical Support iPhone App

Hi Matt,

Sorry, that's me just changing words before I posted the config to the net!

The group is indeed BT - PPPoE to the outside works fine and all the devices can contact the internet OK.

Sam

Jason Gervia
Cisco Employee

Assuming your routing is right via PPPoE, I'd guess you can't use that cert for both IKEv2 and SSL.

Try generating a new trustpoint/cert, referencing that in your webvpn config. (Don't mess with ASDM_TrustPoint0 if that has working IKEv2.)

Better yet, do a 'debug crypto ca 255' when you try to connect and see if you are getting any SSL errors. If so, then generate a new trustpoint/cert and reference it in webvpn.

--Jason

I generated a new cert, using a new trust point. I then went through the wizard again, but it still doesn't work.

Using the debug crypto command doesn't show anything in the buffer or console log.

I would wipe the ASA and start afresh, but I've already done this once and it still doesn't work!!

:-/

Thanks

Sam

Sam,

I would run a packet capture to see if port 443 packets are making it to the interface. If so, run a 'debug webvpn 255' to see what, if anything, is going on when the packets hit the ASA.

--Jason

Hi Jason,

Thanks for the suggestion. I started afresh and created a new cert via the command line. WebVPN now works on the inside interface, so I can verify that the self-signed cert appears to be working OK.

'debug webvpn 255' shows activity when I access it from inside, but nothing when tried externally.

I have also changed the port to 8000; however, this makes no difference. I'm starting to suspect that it's my modem that's interfering, but I can't see how, considering I have no other connection issues.

Sam

Edit: I monitored the comms between the client PC and my ASA with Wireshark.

The grey packets are where the request to the site started. The first 4 are with IE6, and the second with FF10

I've still yet to get this to work, so I think I will just try to go down the AnyConnect route instead.

The only thing I have concluded is that the ASA is treating incoming 443 traffic as an attempt to connect to an internal source. If I leave the ACL off for 443 (I just had it on for a test) I can see traffic hitting the firewall on that port from the client PC I am using on another network. If I turn the ACL back on, it doesn't register any further activity.

I have checked that the ASA is set to bypass ACLs for inbound Clientless SSL connections.

My other thought is that it could be that I still have 256 MB of RAM in the ASA, and that is affecting it in some way. I had to go back from 512 to 256 a while back, as it seems that the stick of 512 I was using was far too unstable and it caused the ASA to crash every day.

Has anyone any other thoughts on this issue?

Thanks

Sam
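As an added example (not from the thread, and not Cisco code), a small Python linter that runs the cross-reference checks raised above over an excerpt of the posted 'sh run': Matt's point about the interface's PPPoE vpdn group reference, Jason's point about one trust-point serving both IKEv2 and SSL, and the inbound ACL on the WebVPN-enabled interface that Sam ends up examining. The SAMPLE_CONFIG excerpt is constructed from the config above, and the finding texts are my own wording.

```python
# Constructed excerpt modelled on the 'sh run' posted above (trimmed, not the full config).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 pppoe client vpdn group ISP
access-group outside_access_in in interface outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
vpdn group BT request dialout pppoe
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
"""
def parse_blocks(cfg: str) -> list[list[str]]:
    """Group a running-config into [top-level command, *indented sub-commands] lists."""
    blocks: list[list[str]] = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1].append(line.strip())
        else:
            blocks.append([line.strip()])
    return blocks

def lint_webvpn(cfg: str) -> list[str]:
    """Cross-reference checks for the points raised in the thread: PPPoE group, trust-point, ACL."""
    pppoe_ref, vpdn_groups, ssl_tp, acl_in, webvpn_ifcs, ikev2_tp = {}, set(), {}, {}, [], None
    for head, *subs in parse_blocks(cfg):
        w = head.split()
        if w[0] == "interface":
            name = next((s.split()[1] for s in subs if s.startswith("nameif ")), w[1])
            pppoe_ref.update({name: s.split()[-1] for s in subs if s.startswith("pppoe client vpdn group ")})
        elif head.startswith("vpdn group "):
            vpdn_groups.add(w[2])
        elif head.startswith("crypto ikev2 remote-access trustpoint "):
            ikev2_tp = w[-1]
        elif head.startswith("ssl trust-point ") and len(w) == 4:
            ssl_tp[w[3]] = w[2]  # per-interface binding: interface -> trustpoint
        elif head == "webvpn":
            webvpn_ifcs += [s.split()[1] for s in subs if s.startswith("enable ")]
        elif w[0] == "access-group" and len(w) == 5 and w[2] == "in":
            acl_in[w[4]] = w[1]  # interface -> inbound ACL
    findings = [f"{i}: pppoe client references vpdn group '{g}', which is not defined"
                for i, g in pppoe_ref.items() if g not in vpdn_groups]
    for ifc in webvpn_ifcs:
        if ifc in ssl_tp and ssl_tp[ifc] == ikev2_tp:
            findings.append(f"{ifc}: ssl trust-point '{ssl_tp[ifc]}' is shared with ikev2 remote-access")
        if ifc in acl_in:
            findings.append(f"{ifc}: inbound ACL '{acl_in[ifc]}' applied; correlate with a port-443 capture")
    return findings
```

Running lint_webvpn(SAMPLE_CONFIG) reports all three conditions for the outside interface; feeding it a full 'sh run' works the same way because the parser keys on top-level commands and their indented sub-commands.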