Solved

Assign URL or DOMAIN to VPN Address on Cisco ASA5505

Posted on 2010-09-17
Last Modified: 2012-05-10
How do you assign a URL or domain to a VPN address on a Cisco ASA5505?

I.e., my VPN address is https://75.149.66.201:500. I want to browse this URL with something like https://vpn.com.

I have added an entry in my public DNS to forward to the IP, but I am not sure how to make the change on the ASA to accommodate this.

Thanks so much...
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password * encrypted
passwd * encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set *
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password * encrypted privilege 15
username admin password * encrypted privilege 15
username "test1" password * encrypted privilege 15
username obautista password * encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:*
: end
ciscoasa#


Question by:obautista
Expert Comment by:Kvistofta
Your ASA doesn't need to know about the domain address to reach it. You just create a DNS record pointing to the ASA interface and it responds.

One caveat is if you have a web server certificate on the ASA. In that case the ASA needs to have the certificate installed, that certificate needs to be issued to the domain name, and the domain name must be resolvable to the ASA IP.

But you still don't configure a DNS name in the ASA for the web server.

/Kvistofta
Author Comment by:obautista
On my public DNS I have several DNS records going to 75.149.66.201. Then on my ASA I have rules forwarding to the appropriate local IPs based on port number. For example, I have mail.technologyblends.com in my public DNS forwarding to 75.149.66.201. I created another DNS record of vpn.technologyblends.com to also forward to 75.149.66.201. Then on my ASA I have SMTP traffic coming in on 75.149.66.201 forwarded to 192.168.1.3 on the inside. How would the ASA know to resolve vpn.technologyblends.com as https://75.149.66.201:500?

I also do have a UCC/SAN SSL cert with multiple SANs. I included a SAN of vpn.technologyblends.com, hoping to use it for the VPN URL. Is this possible?
Accepted Solution by:Kvistofta (earned 500 total points)
The ASA has nothing to do with DNS. It only looks at traffic to a specific IP/port combination and forwards/translates that to an IP/port on the inside. Which DNS hostname the client used to reach the resource is totally irrelevant to the ASA.

Your second question: I don't know about UCC/SAN. However, I know that customers have tried to use wildcard SSL certs on the ASA without success.

/Kvistofta
Author Comment by:obautista
I apologize. Makes sense now. I was over-thinking the configuration. How do I install the cert on the ASA? Basically, I want to get rid of the invalid cert message that comes up when I browse the VPN URL.

Also, I want to change the VPN port from 500 to 443. I realize I already have 443 taken on IP 75.149.66.201. Therefore, I want to change the VPN IP to 75.149.66.203 and use port 443 for this. Looking at my configuration in this thread, can you help me with the commands to make this change?

Thanks so much....
Assisted Solution by:Kvistofta (earned 500 total points)
This URL describes how to install a web cert on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml

Regarding the IP: all VPN (SSL, IPsec, L2TP) terminates on the ASA interface IP. If you need to change which IP the VPN terminates on, you have to change the interface IP on the firewall.

/Kvistofta
Author Comment by:obautista
Thanks. So to change the interface IP, would I run the following (changing from 75.149.66.201 to 75.149.66.203) and also change the port from 500 to 443? Not sure if the syntax is right. Is this all I would need to run without breaking my other stuff?

config t
interface Vlan2
 ip address 75.149.66.203 255.255.255.248
webvpn
 port 443
wr mem
Expert Comment by:Kvistofta
Yes, that looks correct.

/Kvistofta
0
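An added example, not code from the thread, Cisco or Experts Exchange, that turns the two points made above into a check you can run offline against the posted config: the ASA answers only on address:port pairs (the accepted answer), and the VPN terminates on the interface address, so moving that address and the webvpn port has side effects worth seeing before typing the commands. It is written in Python; it parses only the name, interface, static, http, ssh and webvpn lines (copied from the config in the question), DNS_RECORDS is constructed from the hostnames the asker describes, and all function names are mine.

```python
"""Audit of the outside listeners in the ASA 8.2 config posted in this thread (added example:
parses only name/interface/static/http/ssh/webvpn lines copied from the question)."""
import copy
import re

NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25}

ASA_CONFIG = """\
name 192.168.1.6 HTTP_ACCESS
interface Vlan2
 nameif outside
 ip address 75.149.66.201 255.255.255.248
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
webvpn
 port 500
 enable inside
 enable outside
"""

# Constructed from the asker's description: both public names point at the outside address.
DNS_RECORDS = {
    "mail.technologyblends.com": "75.149.66.201",
    "vpn.technologyblends.com": "75.149.66.201",
}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")

def port_number(token):
    """Translate an ASA port keyword (www, https, smtp) to a number."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def parse_config(text):
    cfg = {"names": {}, "if_ip": {}, "statics": [], "mgmt": [],
           "webvpn_port": None, "webvpn_ifs": []}
    block = current_if = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line.startswith(" "):                 # top-level command
            block = fields[0]
            if block == "name":                      # 'name <ip> <alias>'
                cfg["names"][fields[2]] = fields[1]
            elif block == "static":                  # mapped ip:port -> real ip:port
                _, mapped_if, mip, mport, rip, rport = STATIC_RE.match(line).groups()
                cfg["statics"].append((mapped_if, mip, port_number(mport), rip, port_number(rport)))
            elif block in ("http", "ssh") and fields[1] != "server":
                cfg["mgmt"].append((block, fields[1], fields[2], fields[3]))  # svc, addr, mask, ifname
        elif block == "interface":
            if fields[0] == "nameif":
                current_if = fields[1]
            elif fields[:2] == ["ip", "address"]:
                cfg["if_ip"][current_if] = fields[2]
        elif block == "webvpn":
            if fields[0] == "port":
                cfg["webvpn_port"] = int(fields[1])
            elif fields[0] == "enable":
                cfg["webvpn_ifs"].append(fields[1])
    return cfg

def listeners(cfg):
    """Every outside (ip, port) the ASA answers on, with the service behind it."""
    table = {}
    for mapped_if, mip, mport, rip, rport in cfg["statics"]:
        ip = cfg["if_ip"][mapped_if] if mip == "interface" else mip
        rip = cfg["names"].get(rip, rip)             # expand 'name' aliases
        table.setdefault((ip, mport), []).append(f"static -> {rip}:{rport}")
    for ifname in cfg["webvpn_ifs"]:                 # webvpn binds the interface address
        if ifname in cfg["if_ip"]:
            table.setdefault((cfg["if_ip"][ifname], cfg["webvpn_port"]), []).append("webvpn")
    return table

def reach(cfg, dns, hostname, port):
    """What hostname:port reaches. The name matters only to DNS; the ASA
    matches on the resolved address and port (the accepted answer's point)."""
    return listeners(cfg).get((dns[hostname], port), [])

def conflicts(cfg):
    """(ip, port) pairs claimed by more than one listener."""
    return {k: v for k, v in listeners(cfg).items() if len(v) > 1}

def with_change(cfg, outside_ip, webvpn_port):
    """Simulate 'ip address ...' on the outside interface and 'port ...' under webvpn."""
    new = copy.deepcopy(cfg)
    new["if_ip"]["outside"] = outside_ip
    new["webvpn_port"] = webvpn_port
    return new

def orphaned_dns(cfg, dns):
    """DNS names whose address has no listener left on the ASA."""
    claimed = {ip for ip, _ in listeners(cfg)}
    return sorted(h for h, ip in dns.items() if ip not in claimed)

def management_open_to_world(cfg):
    """Management services (http/ASDM, ssh) permitted from 0.0.0.0/0, per interface."""
    return sorted({(svc, ifname) for svc, addr, mask, ifname in cfg["mgmt"]
                   if addr == mask == "0.0.0.0"})
```

With `cfg = parse_config(ASA_CONFIG)`, `reach(cfg, DNS_RECORDS, "vpn.technologyblends.com", 500)` returns `["webvpn"]` and the mail name on port 25 returns the 192.168.1.3 forward: the hostname never enters the decision, only the address it resolves to. `conflicts(with_change(cfg, "75.149.66.203", 443))` reports that `static (inside,outside) tcp interface https 192.168.1.3 https` and webvpn both claim 443 on the new address, because the `interface` keyword follows whatever address Vlan2 has, so moving the interface does not free port 443 the way moving to a separate static IP would. `orphaned_dns` on the changed config lists both records still pointing at 75.149.66.201, which would have no listener on the ASA once that address leaves the interface. `management_open_to_world(cfg)` lists the `http` (ASDM) and `ssh` lines that permit 0.0.0.0/0 on outside; narrowing those to known management addresses is the usual hardening step before publishing the VPN on a well-known port.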
 

Author Comment by:obautista
Thanks.  I will make the change tonight and post my results.
Author Comment by:obautista
I used the instructions below to install the GoDaddy cert on my ASA. I found them here:

http://serverfault.com/questions/32443/any-problems-usinga-godaddy-ssl-certificate-on-a-cisco-asa-firewall

I have a GoDaddy (standard, not deluxe) wildcard certificate that I use on my ASA 5510 for ASDM access. ASDM says that "SSL parameters affect both ASDM and SSL VPN access," so if it works for me, it should for you and SSL VPNs.

I did have problems importing a .pem version of my certificate chain. Using a *.pfx (like IIS uses) worked fine.

I grabbed gd_intermediate.crt from https://certs.godaddy.com/Repository.go

In ASDM, Configuration, Device Management, Certificate Management, CA Certificates; click Add, don't change any defaults, install from file, locate the gd_intermediate.crt file.

I also tried loading gd_bundle.crt, which some of our certs use, and that failed, but since gd_intermediate.crt worked and that's what my wildcard uses, I didn't test any more.

Once the intermediate cert is loaded, go to Identity Certificates (right below CA Certificates) and do something similar (Add, import from file, choose the .pfx file, and enter the password for the .pfx).

Now that the cert is successfully installed, set which interfaces it will be used on. That's under Device Management, Advanced, SSL Settings. Click the interface (probably outside), click Edit, and choose the Trustpoint name of the certificate you added in the last step. Click OK, Apply, and try going to your https://vpn.url and see if it loads the right cert.