SSL VPN ON CISCO ASA 5505

Posted on 2010-11-22
Last Modified: 2012-05-10
Hello all, and thank you for your time. I have a Cisco ASA 5505 as a firewall for the network and I'm also looking to use it as an SSL VPN. I only have 1 static IP and I'm looking to purchase more because I have an Exchange server with OWA connected via SSL, and I can't set up the SSL VPN since port 443 is already in use. I am new with this device, so I could use some clarification on setting it up with the extra static IP.

Am I correct in saying that the new static IP would be configured under a new VLAN? But based on my research I can only have 3 active VLANs (inside, outside, and DMZ). I currently have the inside LAN and the outside with the current 1 static IP.

1. For the other static IP, which is designated for use by the SSL VPN, how can I configure that in the Cisco ASA VPN?

Can I have 2 outside VLANs and the inside, because the DMZ is not in use and I have unused physical ports?
Question by:jrojas1213
6 Comments
 

Expert Comment

by:hagemanoh
ID: 34192172
The way you will want to approach this is using something called a static NAT. When you get more static IPs your ISP will give you an "IP block". You will need to make, at a minimum, an adjustment to the IP that is currently assigned to the outside interface of your ASA. You will set that static NAT to point directly to your Exchange server. You will then need to set up associated access rules for this static NAT in which you would only open up port 443, since you will be using SSL/HTTPS for your OWA access. That is how you will accomplish your outside OWA access to your Exchange server.
To accomplish what you are trying to do you shouldn't need to use VLANs at all. Typically, if you are assigning static IPs to physical interfaces, you are only able to bind 1 IP to the physical interface. That is, unless you enable trunking on the port. In any case I won't be creating any VLANs for your extra statics in what you are trying to accomplish. To answer your question about being able to use the extra physical port: you may be able to, but since it is designated for DMZ I'm not 100% sure.
 
LVL 1

Author Comment

by:jrojas1213
ID: 34192315
That is where I was confused. I'm familiar with static NAT. When I receive the IP block from my ISP and I have to reconfigure the ASA with the block, how do I enter the block of IPs? Currently, looking at the configuration, it only takes 1 outside IP/subnet mask.
 
LVL 33

Accepted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34192703
The ASA's outside interface gets 1 IP. The others are for use with static 1-to-1 NATs for internal servers or other solutions.

So x.x.x.1 is for the ASA external interface. This IP is used for the SSL VPN.
x.x.x.2 is NAT'd to an internal email server. This IP is used for your MX mail record.
x.x.x.3 is NAT'd to an internal WWW server. This IP is for your www traffic.

 
LVL 6

Assisted Solution

by:djcapone
djcapone earned 100 total points
ID: 34192748
By default, all ports of the switch (with the exception of the WAN port 0) are assigned to be in the "inside" VLAN. You do not have any need for an additional VLAN.

To assign the IPs, you merely need to define static translations for the additional IPs. If you provided the config and/or network topology I could provide the exact commands needed, but as an example:

Assuming your inside network uses 192.168.1.0 /24 for a subnet and your external static IP assignment is 1.X.X.0 /29, you would use the allocation as follows:

Assign the IP to the outside interface:

interface vlan2
ip address 1.X.X.1 255.255.255.248

For each static translation you want to set up for the additional IPs:

static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255

Etc.

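Putting the three answers above together, here is an added example configuration (mine, not posted by any of the experts in this thread) that lays out the /29 the way MikeKane describes and adds the 443-only access rules hagemanoh mentions. It uses the pre-8.3 "static (inside,outside)" syntax that djcapone's snippet uses. The inside addresses, the ACL name "outside_in", and the choice of published ports are assumptions; 1.X.X.0/29 is the thread's own placeholder for the ISP block.

```cisco
! Added example, not a poster's config. Assumes ASA 8.2-style syntax,
! inside 192.168.1.0/24, outside block 1.X.X.0/29 (placeholder).

! Outside interface keeps the first usable address. This is the ASA's own
! address and the one the SSL VPN will answer on.
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.X.X.1 255.255.255.248

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! Static one-to-one NAT: the second and third public addresses map to the
! Exchange server (OWA + inbound mail) and a web server on the inside.
static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255

! A static NAT by itself would expose every port on each server. The
! inbound access list is what limits traffic to the services you actually
! publish. On pre-8.3 code the ACL matches the translated (public) address.
access-list outside_in extended permit tcp any host 1.X.X.2 eq 443
access-list outside_in extended permit tcp any host 1.X.X.2 eq 25
access-list outside_in extended permit tcp any host 1.X.X.3 eq 80
access-list outside_in extended permit tcp any host 1.X.X.3 eq 443
access-group outside_in in interface outside

! The SSL VPN listens on the ASA's own outside address (1.X.X.1:443).
! It no longer collides with OWA, because OWA is now reached via 1.X.X.2.
webvpn
 enable outside
```

Two points worth checking after applying something like this: "show xlate" should list the two static translations, and "show access-list outside_in" should show hit counts only on the lines you expect. If the ASA runs 8.3 or later, the "static" command is gone; the equivalent is an "object network" for each server with "nat (inside,outside) static 1.X.X.2" under it, and the inbound ACL then references the real (192.168.1.x) address instead of the public one.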
 
LVL 1

Author Comment

by:jrojas1213
ID: 34197396
I am now thinking of purchasing an SSL VPN appliance and leaving the ASA as the firewall. I'm looking for more features, such as virus scanning built in.

Essentially I will have to do the same (static NAT) with a standalone SSL VPN since it will be behind the firewall, correct?
 
LVL 33

Expert Comment

by:MikeKane
ID: 34198086
Yes. If you have a block of IPs, then this should not be a problem.
 
