Exposing the AnyConnect HTTPS service to outside network
- by Maciej Swic
We have a Cisco ASA 5505 with firmware ASA9.0(1) and ASDM 7.0(2). It is configured with a public ip address, and when trying to reach it from the outside by HTTPS for AnyConnect VPN, we get the following log output:
6 Nov 12 2012 07:01:40 <client-ip> 51000 <asa-ip> 443 Built inbound TCP connection 2889 for outside:<client-ip>/51000 (<client-ip>/51000) to identity:<asa-ip>/443 (<asa-ip>/443)
6 Nov 12 2012 07:01:40 <client-ip> 50999 <asa-ip> 443 Built inbound TCP connection 2890 for outside:<client-ip>/50999 (<client-ip>/50999) to identity:<asa-ip>/443 (<asa-ip>/443)
6 Nov 12 2012 07:01:40 <client-ip> 51000 <asa-ip> 443 Teardown TCP connection 2889 for outside:<client-ip>/51000 to identity:<asa-ip>/443 duration 0:00:00 bytes 0 No valid adjacency
6 Nov 12 2012 07:01:40 <client-ip> 50999 <asa-ip> 443 Teardown TCP connection 2890 for outside:<client-ip>/50999 to identity:<asa-ip>/443 duration 0:00:00 bytes 0 No valid adjacency
We finished the startup wizard and the anyconnect vpn wizard and here is the resulting configuration:
Cryptochecksum: 12262d68 23b0d136 bb55644a 9c08f86b
: Saved
: Written by enable_15 at 07:08:30.519 UTC Mon Nov 12 2012
!
ASA Version 9.0(1)
!
hostname vpn
domain-name office.<redacted>.com
enable password <redacted> encrypted
passwd <redacted> encrypted
names
ip local pool vpn-pool 192.168.67.2-192.168.67.253 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.68.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address <redacted> 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
domain-name office.<redacted>.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.68.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=vpn
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
<redacted>
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate f678a050
<redacted>
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.68.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcpd auto_config outside
!
dhcpd address 192.168.68.254-192.168.68.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.1.01065-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 3
anyconnect profiles GM-AnyConnect_client_profile disk0:/GM-AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_GM-AnyConnect internal
group-policy GroupPolicy_GM-AnyConnect attributes
wins-server none
dns-server value 192.168.68.254
vpn-tunnel-protocol ikev2 ssl-client
default-domain value office.<redacted>.com
webvpn
anyconnect profiles value GM-AnyConnect_client_profile type user
username <redacted> password <redacted> encrypted
tunnel-group GM-AnyConnect type remote-access
tunnel-group GM-AnyConnect general-attributes
address-pool vpn-pool
default-group-policy GroupPolicy_GM-AnyConnect
tunnel-group GM-AnyConnect webvpn-attributes
group-alias GM-AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:12262d6823b0d136bb55644a9c08f86b
: end
Clearly we are missing something, but the question is, what?
