OpenConnect to Cisco ASA

Started by spetrillo, November 30, 2023, 04:12:34 AM

I know I am close...

I have installed and configured OpenConnect to connect to a remote Cisco ASA firewall. It is using the user account and password I would normally use with AnyConnect. I see the routes showing up in OPNsense, but I cannot ping the remote side from my PC. What am I missing... is it a firewall rule?

Do you see packets traversing the interface? Anything in logs at ASA side?

Quote from: mimugmail on November 30, 2023, 08:18:57 AM
Do you see packets traversing the interface? Anything in logs at ASA side?

Unfortunately, I have no access to the ASA on the other side. What I can tell you is that when OpenConnect is active, the routes for the devices behind the ASA show up in the routing table of my OPNsense firewall. I can also ping a device behind the ASA successfully from the Interfaces/Diagnostics/Ping section of OPNsense. When I try to ping the same device behind the ASA from my PC, on a subnet behind the OPNsense firewall, I get nothing. That is what led me to believe I am missing a firewall rule.

New question...

Do I need to add the OpenConnect tunnel as an interface, like I had to with OpenVPN?

You need to NAT your LAN to the interface address for this.

Quote from: mimugmail on December 01, 2023, 01:30:33 PM
You need to NAT your LAN to the interface address for this.

I would assume an outbound NAT? I would assume the source is the OpenConnect side and the destination is my LAN side? Anything else I am missing? I have never used outbound NAT before.

Source is LAN, destination is your networks behind the ASA, and the interface is the OpenConnect one.

Quote from: mimugmail on December 01, 2023, 05:35:21 PM
Source is LAN, destination is your networks behind the ASA, and the interface is the OpenConnect one.

Does this look proper? Do I need to define anything on the firewall rules interface?

Destination address must be a net behind the ASA where you want to go to; the rest is fine.

Quote from: mimugmail on December 01, 2023, 07:38:58 PM
Destination address must be a net behind the ASA where you want to go to; the rest is fine.

I must be missing something, because that did not do it. Attached are two screenshots of what I have configured, as well as the routes being seen in the System/Status/Routes table. Am I missing anything?

172.24.16 and 172.25.16 need to be in the destination address field in outbound NAT ;)
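For readers who want to check what the GUI rule above actually produces, here is the pf equivalent of that outbound NAT rule. This is an added example, not configuration from the thread or from the OPNsense project: the LAN network 192.168.1.0/24, the tunnel interface name tun0 and the /24 prefix lengths on the ASA-side networks are all assumptions (the thread only gives 172.24.16 and 172.25.16).

```pf
# Hypothetical pf equivalent of the OPNsense outbound NAT rule discussed above.
# Assumed values: LAN = 192.168.1.0/24, OpenConnect tunnel interface = tun0,
# ASA-side networks = 172.24.16.0/24 and 172.25.16.0/24 (prefix lengths assumed).
asa_nets = "{ 172.24.16.0/24, 172.25.16.0/24 }"

# Only traffic leaving over the tunnel towards the ASA-side networks is translated;
# its source becomes the tunnel's own address, which is the only address the ASA
# knows how to route back to. Everything else on the LAN is left untouched.
nat on tun0 inet from 192.168.1.0/24 to $asa_nets -> (tun0)
```

On the firewall you can confirm the loaded rule with `pfctl -sn | grep tun0` and, while a LAN host pings a host behind the ASA, watch the translated state appear with `pfctl -ss | grep 172.24.16`. This also explains the earlier observation that the Diagnostics/Ping page worked while the PC did not: pings sent from OPNsense itself already leave with the tunnel address as source, so they never needed the NAT.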

Quote from: mimugmail on December 02, 2023, 12:10:02 AM
172.24.16 and 172.25.16 need to be in the destination address field in outbound NAT ;)

And that's why you are the expert and I am a mere mortal. Thank you for staying with me. It's up and passing traffic. I am now able to use VMware vCenter Converter to P2V a physical server sitting in a DC in Texas onto the ESXi server in my homelab. I needed to get a site VPN up and IPsec was giving me issues. Since I had the ASA, I figured OpenConnect would be a simple way to do this... and with some work it is. The NAT should be added to the documentation. There is nothing in the documentation that calls this out: https://docs.opnsense.org/manual/how-tos/openconnect.html

Ohhh, btw... thanks for all the plugins you support. I use a few of them, especially the Plex Custom Options. Very handy!!