Solved

Assign URL or DOMAIN to VPN Address on Cisco ASA5505

Posted on 2010-09-17
612 Views
Last Modified: 2012-05-10
How do you assign a URL or domain to a VPN address on a Cisco ASA5505?

E.g., my VPN address is https://75.149.66.201:500. I want to browse this URL with something like https://vpn.com.

I have added an entry in my public DNS to forward to the IP, but I am not sure how to make the change on the ASA to accommodate this.

Thanks so much...
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password * encrypted
passwd * encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set *
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password * encrypted privilege 15
username admin password * encrypted privilege 15
username "test1" password * encrypted privilege 15
username obautista password * encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:*
: end
ciscoasa#

Question by:obautista
9 Comments

Expert Comment

by:Kvistofta
ID: 33703183
Your ASA doesn't need to know about the domain address to reach it. You just create a DNS record pointing to the ASA interface, and it responds.

One caveat is if you have a web server certificate on the ASA. In that case the ASA needs to have the certificate installed, that certificate needs to be issued to the domain name, and the domain name must be resolvable to the ASA IP.

But you still don't configure a DNS name on the ASA for the web server.

/Kvistofta

Author Comment

by:obautista
ID: 33703283
On my public DNS I have several DNS records going to 75.149.66.201. Then on my ASA I have rules forwarding to the appropriate local IPs based on port number. For example, I have mail.technologyblends.com in my public DNS forwarding to 75.149.66.201. I created another DNS record of vpn.technologyblends.com to also forward to 75.149.66.201. Then on my ASA I have SMTP traffic coming in on 75.149.66.201 forwarded to 192.168.1.3 on the inside. How would the ASA know to resolve vpn.technologyblends.com as https://75.149.66.201:500?

I also do have a UCC/SAN SSL Cert with multiple SANs.  I included a SAN of vpn.technologyblends.com, hoping to use it for the VPN URL.  Is this possible?

Accepted Solution

by:Kvistofta (earned 500 total points)
ID: 33703450
The ASA has nothing to do with DNS. It only looks at traffic to a specific IP/port combination and forwards/translates that to an IP/port on the inside. Which DNS hostname the client used to reach the resource is totally irrelevant to the ASA.

Your second question: I don't know about UCC/SAN. However, I know that customers have tried to use wildcard SSL certs on the ASA without success.

/Kvistofta

Author Comment

by:obautista
ID: 33703524
I apologize.  Makes sense now.  I was over-thinking the configuration.  How do I install the Cert on the ASA?  Basically, I want to get rid of the invalid cert message that comes up when I browse the VPN URL.  

Also, I want to change the VPN port from 500 to 443. I realize I already have 443 taken on IP 75.149.66.201.  Therefore, I want to change VPN IP to 75.149.66.203 and use port 443 for this.  Looking at my configuration on this thread, can you help me with the commands to make this change?

Thanks so much....

Assisted Solution

by:Kvistofta
ID: 33703665
This URL describes how to install a web cert on ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml

Regarding the IP: all VPN (SSL, IPsec, L2TP) terminates on the ASA interface IP. If you need to change which IP the VPN terminates on, you have to change the interface IP on the firewall.

/Kvistofta

Author Comment

by:obautista
ID: 33703819
Thanks. So to change the interface IP, would I run the following (changing from 75.149.66.201 to 75.149.66.203) and also change the port from 500 to 443? Not sure if the syntax is right. Is this all I would need to run without breaking my other stuff?

config t
interface Vlan2
 ip address 75.149.66.203 255.255.255.248
 exit
! 'port' is a sub-command of webvpn configuration mode, not a one-line 'webvpn port'
webvpn
 port 443
 exit
! the 'static (inside,outside) tcp interface ...' rules bind to the Vlan2 address, so they follow it to .203
wr mem

Expert Comment

by:Kvistofta
ID: 33703843
Yes, that looks correct.

/Kvistofta
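An added example, not from the thread or from Cisco: a small Python model of Kvistofta's point that the ASA matches inbound traffic on outside IP and TCP port only (the hostname the client typed never enters into it), run over a constructed excerpt of the config posted in the question. It also applies the interface-IP and webvpn-port change proposed in the preceding comments and reports any socket that would end up with two listeners. It assumes that `static ... tcp interface ...` rules and the webvpn listener bind to whatever address Vlan2 currently holds.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted in the question (not the full file).
ASA_CONFIG = """\
interface Vlan2
 ip address 75.149.66.201 255.255.255.248
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
webvpn
 port 500
"""

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def listeners(config):
    """Map each (outside IP, TCP port) the ASA answers on to the targets bound there.
    'interface' is resolved to the Vlan2 address (assumption), so those PATs and the
    webvpn listener move with the interface IP. No hostname is involved anywhere."""
    outside_ip = re.search(r"interface Vlan2\n ip address (\S+)", config).group(1)
    bound, in_webvpn = {}, False
    for line in config.splitlines():
        m = re.match(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            ip = outside_ip if m.group(1) == "interface" else m.group(1)
            key = (ip, port_num(m.group(2)))
            bound.setdefault(key, []).append(f"{m.group(3)}:{port_num(m.group(4))}")
        elif line == "webvpn":
            in_webvpn = True
        elif in_webvpn and line.startswith(" port "):
            bound.setdefault((outside_ip, int(line.split()[1])), []).append("webvpn")
            in_webvpn = False
    return bound

def simulate_change(config, new_ip, new_port):
    """Rewrite 'ip address' on Vlan2 and the webvpn 'port', then return every socket
    that would have more than one listener after the change (empty dict = no clash)."""
    cfg = re.sub(r"(?m)^ ip address \S+", f" ip address {new_ip}", config)
    cfg = re.sub(r"(?m)^ port \d+$", f" port {new_port}", cfg)
    return {k: v for k, v in listeners(cfg).items() if len(v) > 1}

if __name__ == "__main__":
    for sock, targets in sorted(listeners(ASA_CONFIG).items()):
        print(f"{sock[0]}:{sock[1]} -> {targets}")
    print("clashes after change:", simulate_change(ASA_CONFIG, "75.149.66.203", 443))
```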

Author Comment

by:obautista
ID: 33703926
Thanks.  I will make the change tonight and post my results.

Author Comment

by:obautista
ID: 33708218
I used the instructions below to install the GoDaddy cert on my ASA. I found them here:

http://serverfault.com/questions/32443/any-problems-usinga-godaddy-ssl-certificate-on-a-cisco-asa-firewall


I have a GoDaddy (standard, not deluxe) wildcard certificate that I use on my ASA 5510 for ASDM access. ASDM says that "SSL parameters affect both ASDM and SSL VPN access," so if it works for me, it should for you and SSL VPNs.

I did have problems importing a .pem version of my certificate chain. Using a *.pfx (like IIS uses) worked fine.

I grabbed gd_intermediate.crt from https://certs.godaddy.com/Repository.go

In ASDM, Configuration, Device Management, Certificate Management, CA Certificates; click Add, don't change any defaults, install from file, locate the gd_intermediate.crt file.

I also tried loading gd_bundle.crt which some of our certs use and that failed, but since gd_intermediate.crt worked and that's what my wildcard uses, I didn't test any more.

Once the intermediate cert is loaded, go to Identity Certificates (right below CA Certificates) and do something similar (Add, import from file, choose the .pfx file, and enter the password for the .pfx).

Now that the cert is successfully installed, set which interfaces it will be used on. That's under Device Management, Advanced, SSL Settings. Click the interface (probably outside), click Edit, and choose the Trustpoint name of the certificate you added in the last step. Click OK, Apply, and try going to your https://vpn.url and see if it loads the right cert.