Can’t Access ASA Public IP Address – AnyConnect

[Caponewgp]

#167448

I’m having issues replacing a 5505 with a 5506 with AnyConnect configured. The firewall is only used for the anyconnect connections so it’s a really basic configuration. The firewall outside port is connected to a separate internet line from our ISP but I can’t access the SSL page from any external location. Internally I can tracert and see the traffic leave my firewall then reach my ISP and re-enter the new 5505 AnyConnect firewall. But from a public location it never seems to reach. I think I might be missing something incredibly easy. I’m pretty new with the ASA but have set up a few other AnyConnect VPN connections on other firewalls and never had issues.

When I try to access the SSL Login page from a public location I see the “Built Inbound TCP Connection” Then Teardown TCP Connection SYN Timeout.

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1249 MHz, 1 CPU (4 cores)
: Written by tech at 09:50:47.949 EST Fri Mar 2 2018
!
ASA Version 9.8(1)
!
hostname Townsend
domain-name
enable password
names
ip local pool VPN_Pool 192.168.50.1-192.168.50.10 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address REDACTED 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.3.171 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns server-group DefaultDNS
domain-name
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.50.0_28
subnet 192.168.50.0 255.255.255.240
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
access-list OUTSIDE extended permit icmp any4 any4 echo
access-list OUTSIDE extended permit icmp any4 any4 traceroute
access-list OUTSIDE extended permit icmp any4 any4 source-quench
access-list OUTSIDE extended permit icmp any4 any4 unreachable
access-list OUTSIDE extended permit icmp any4 any4 time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.50.0_28 NETWORK_OBJ_192.168.50.0_28 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0
route inside 192.168.4.0 255.255.252.0 192.168.3.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Townsend
ip-address REDACTED
keypair CC-VPN
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.4.0 255.255.252.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 192.168.3.3
vpn-tunnel-protocol ssl-client
default-domain value
dynamic-access-policy-record DfltAccessPolicy
username tech password
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_Pool
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum

[Author]

Posts