Avatar of PaulT780

Issue with Clientless SSL VPN

I recently purchased an ASA 5505 for my organisation and I have run into a bit of an issue with the Clientless SSL VPN.

The problem is that port 443 is currently forwarded to our web servers, so before purchasing the device I thought I would be able to add multiple outside interfaces to get around this problem, but after receiving the device and talking to Cisco (tech wasn't very helpful) it doesn't seem to support 2 interfaces with different gateways, and I can't add a second interface that has an IP in the same subnet as the outside interface. The ASA also doesn't seem to support secondary IP addresses.

So I am wondering if anyone has any ideas how I can have the Clientless SSL VPN work without changing its port, so that users don't have to enter the port every time they go to it.
Avatar of ChopperCentury

You should be just fine with your configuration on the outside interface you currently have.
Here is a config guide for ASA clientless SSL VPN...

Avatar of Krehtan

You could set up a forwarding webpage that goes to the IP/port that you're looking for.

Also, as a quick note, the ASA 5505 does not support sub-interfaces (i.e. int eth 0/1.2).
Avatar of PaulT780


The SSL VPN setup works fine, I have turned it on my inside interface and everything works.

The problem is I have forwarded port 443 to my web servers and the SSL VPN also runs on port 443; I can't have 2 things running on port 443 on the outside interface. I am trying to find a solution that doesn't involve me changing the port to something other than 443, which is a hassle for end users in my opinion (if they had to go to http://ipaddress:444 or something every time they wanted to access it).
Why is all 443 traffic forwarded to your web servers? Are you not using ACLs?
Our web servers are secured (https) for sales, so I have an ACL set to forward
Source: Any
Destination: Outside IP Address
Service: https

Then a static NAT translation
Source: 192.168.x.x (internal ip)
Service: https
Address: outside ip address

Have I configured that wrong? If traffic is coming from the internet, doesn't the source need to be "any" in the ACL?
To get around this issue, you need a second public IP address. If you only have one (for the outside interface), you will have to change the port to 444, for example. If you have a second IP, you can simply NAT the webserver to the second IP and change DNS.
I do have 2 public IP addresses.

I have a secondary static IP which is in the same subnet as my primary static IP, and I can also use DHCP if needed.

The problem with that is I cannot put the static IP on a second outside interface because it overlaps the 1st, and I cannot use the DHCP address because the gateway is different and the ASA does not support 2 different gateways. The Cisco tech's solution to this was to ask my ISP to re-invite the internet :( and then he closed the case.

How can I NAT the webserver to the second IP?
Avatar of JFrederick29
Sorry, typo:

read = real
Yep, nice catch.
Thanks for the help, a lot more than the Cisco tech provided.

I will try it out later tonight when I can make changes to the ASA.
Thanks so much for the help, everything is working!
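
The approach suggested in the thread (NAT the web server to the second public IP so the outside interface's port 443 stays free for the Clientless SSL VPN) can be sketched as follows. This is an added example, not configuration posted by any participant; all addresses, the VLAN number and the ACL name are constructed, and it assumes the pre-8.3 `static` NAT syntax (ASA 8.3 and later use object NAT instead).

```cisco
! Constructed values (assumptions, not from the thread):
!   203.0.113.10  = ASA outside interface address (SSL VPN portal)
!   203.0.113.11  = second public IP, same subnet, NOT assigned to any interface
!   192.168.1.10  = real (inside) address of the HTTPS web server
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Remove any existing forward of the interface address's port 443 first,
! otherwise it still collides with WebVPN on the outside interface.
!
! Static PAT: second public IP, tcp/443 -> web server, tcp/443.
! The ASA answers ARP for 203.0.113.11 itself (proxy ARP for static NAT),
! so no second interface or secondary address is needed.
static (inside,outside) tcp 203.0.113.11 https 192.168.1.10 https netmask 255.255.255.255
!
! Permit only HTTPS, and only to the mapped address of the web server.
! Source is "any" because clients arrive from the internet.
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq https
access-group outside_access_in in interface outside
!
! Clientless SSL VPN keeps the default port 443 on the interface address.
webvpn
 enable outside
```

After the change, the web site's DNS record points at the second public IP and the SSL VPN portal name points at the outside interface address.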