New Member

ASA 5510 WebVPN from outside not working

Hi,

I have an ASA5510 with the following interfaces configured:

Ethernet0/0, inside, 192.168.1.x

Ethernet0/1, inside2, 192.168.9.x

Ethernet0/2, public, 193.x.x.1

Ethernet0/3, outside, 194.x.x.x

where the public interface has our public routed subnet and the outside interface is connected to our ISP's gateway. The outside IP is not routable on the internet (it's an inter-router subnet from our ISP).

I have internet access from the hosts connected to the public interface (which have IPs from our public subnet, e.g. 193.x.x.20), but I can't access the WebVPN portal (which is enabled on the public interface) from outside.

When I access https://193.x.x.1, the browser says "Connection reset", and in the ASA syslog I'm seeing:

Built inbound TCP connection for outside:x.x.x.x to identity:193.x.x.1/443

Teardown TCP connection for outside:x.x.x.x to identity:193.x.x.1/443 TCP Reset-I

When I am on a host connected to our public subnet (say 193.x.x.20) I can access the WebVPN portal on 193.x.x.1.

Is it possible to access the WebVPN portal from the internet (via the outside interface) in some sort of way?

Or do I need a router between our ISP's router and our ASA?

Attached you will find a condensed version of my configuration.

Any help greatly appreciated!

Kind regards,

Christopher

6 REPLIES
Hall of Fame Super Silver

ASA 5510 WebVPN from outside not working

I suspect you are seeing asymmetric routing when trying to access the 193.x.x.x interface from anywhere non-local since the default route tells the ASA to send return traffic out the 194.x.x.x interface.

Why are there two separate interfaces public and outside?

New Member

ASA 5510 WebVPN from outside not working

Marvin Rhoads wrote:

Why are there two separate interfaces public and outside?

Our ISP is routing our public subnet (193.x.x.x) via the 194.x.x.x network. In order to connect to the ISP's gateway, which is 194.x.x.1, I have configured the outside interface with 194.x.x.2.

I want to know if it's possible to configure the ASA in a way that I don't need an additional router between our ISP and our ASA.

Thanks in advance!

Hall of Fame Super Silver

ASA 5510 WebVPN from outside not working

Can't you just have your ISP make their interface one of the addresses in your public 193.x.x.x/24 and use that as your gateway? The 194.x.x.x network serves no constructive purpose, does it?

New Member

ASA 5510 WebVPN from outside not working

Thanks for your answer!

You're right, the 194.x.x.x network is just a transfer network from our ISP.

So that setup isn't working in that way with our ASA, right? If not, I'm contacting my ISP for that IP address config change.

Hall of Fame Super Silver

ASA 5510 WebVPN from outside not working

That would be my recommendation. The ASA will generally want to send replies out the same path they came in on.

See this article for more explanation of the woes of asymmetric routing on the ASA.
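As an added illustration of the diagnosis in this reply (not code from the thread or from Cisco), here is a small Python checker that parses ASA 302013/302014 syslog lines and flags to-the-box ("identity") connections that arrive on one interface but target the address of a different interface, which is the situation the reply attributes to asymmetric routing. The sample log lines and the interface-to-address map are constructed placeholders modelled on the lines quoted in the question.

```python
import re

# Constructed map of interface addresses for an ASA like the one in the thread
# (placeholder addresses; the thread only shows 193.x.x.1 and 194.x.x.x).
INTERFACE_IPS = {"193.0.2.1": "public", "194.0.2.2": "outside", "192.168.1.1": "inside"}

# Constructed syslog sample: an inbound hit on the public interface address that
# arrived via 'outside' and was reset, then a legitimate hit from the public LAN.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/51234 (203.0.113.7/51234) to identity:193.0.2.1/443 (193.0.2.1/443)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/51234 to identity:193.0.2.1/443 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 1002 for public:193.0.2.20/40000 (193.0.2.20/40000) to identity:193.0.2.1/443 (193.0.2.1/443)
"""

# Tolerant patterns: the connection id, ports and parenthesised mapped addresses
# are optional so the thread's abbreviated lines parse as well as full ones.
BUILT_RE = re.compile(
    r"Built inbound TCP connection (?:(?P<cid>\d+) )?for (?P<in_if>\w+):(?P<src>[\d.]+)(?:/\d+)?"
    r"(?: \([^)]*\))? to identity:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?:(?P<cid>\d+) )?for (?P<in_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"to identity:(?P<dst>[\d.]+)(?:/\d+)?(?:.* )?(?P<reason>TCP Reset-[IO]|SYN Timeout|TCP FINs)$"
)


def analyse(log_text, interface_ips):
    """Return to-the-box flows whose ingress interface is not the interface that
    owns the destination address, with the teardown reason seen for that flow."""
    flows = {}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = BUILT_RE.search(line)
        if m:
            key = (m["in_if"], m["src"], m["dst"])
            flows[key] = {"ingress": m["in_if"], "src": m["src"], "dst": m["dst"],
                          "owner": interface_ips.get(m["dst"]), "reason": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m and (m["in_if"], m["src"], m["dst"]) in flows:
            flows[(m["in_if"], m["src"], m["dst"])]["reason"] = m["reason"]
    # Only flag flows whose destination is a known interface address owned elsewhere.
    return [f for f in flows.values() if f["owner"] and f["owner"] != f["ingress"]]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, INTERFACE_IPS):
        print(f"{f['src']} came in on '{f['ingress']}' but targeted {f['dst']} "
              f"owned by '{f['owner']}' (teardown: {f['reason']})")
```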

New Member

ASA 5510 WebVPN from outside not working

I called my ISP for a configuration change, so that the 194.x.x.1 IP is accessible from outside, and now it is working!

What i originally wanted is answered in this thread: https://supportforums.cisco.com/thread/2034016

"Can a "proxy-arp'ed" IP address be used as a VPN endpoint or peer address?"

Since that's not possible, the ISP had to make that configuration change.

Thank you for pointing me in the right direction!

Regards,

Christopher
