Solved

SSL VPN ON CISCO ASA 5505

Posted on 2010-11-22
6
Medium Priority
606 Views
Last Modified: 2012-05-10
Hello all, and thank you for your time. I have a Cisco ASA 5505 as a firewall for the network and I'm also looking to use it as an SSL VPN. I only have 1 static IP and I'm looking to purchase more, because I have an Exchange server with OWA connected via SSL and I can't set up the SSL VPN since port 443 is already in use. I am new with this device, so if I could get some clarification on setting it up with the extra static IP.

Am I correct in saying that the new static IP would be configured under a new VLAN? But based on my research I can only have 3 active VLANs (inside, outside, and DMZ). I currently have the inside LAN and outside with the current 1 static IP.

1. For the other static IP, which is designated for use of the SSL VPN, how can I configure that in the Cisco ASA VPN?

Can I have 2 outside VLANs and the inside, because the DMZ is not in use and I have unused physical ports?
0
Comment
Question by:jrojas1213
6 Comments
 

Expert Comment

by:hagemanoh
ID: 34192172
The way you will want to approach this is using something called a static NAT. When you get more static IPs your ISP will give you an "IP block". You will need to make, at a minimum, an adjustment to the IP that is currently assigned to the outside interface of your ASA. You will set that static NAT to point directly to your Exchange server. You will then need to set up associated access rules to this static NAT in which you would only open up port 443, since you will be using SSL/HTTPS for your OWA access. That is how you will accomplish your outside OWA access to your Exchange server.
To accomplish what you are trying to do you shouldn't need to use VLANs at all. Typically, if you are assigning static IPs to physical interfaces you are only able to bind 1 IP to the physical interface. That is, unless you enable trunking on the port. In any case I won't be creating any VLANs for your extra statics in what you are trying to accomplish. To answer your question about being able to use the extra physical port: you may be able to, but since it is designated for DMZ I'm not 100% sure.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34192315
That is where I was confused. I'm familiar with static NAT. When I receive the IP block from my ISP and I have to reconfigure the ASA with the block, how do I enter the block of IPs? Currently, looking at the configuration, it only takes 1 outside IP/subnet mask.
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 600 total points
ID: 34192703
The ASA's outside interface gets 1 IP. The others are for use with static 1-to-1 NATs for internal servers or other solutions.

So x.x.x.1 is for the ASA external interface. This IP is used for SSL VPN.
x.x.x.2 NAT'd to an internal email server. This IP is used for your MX mail record.
x.x.x.3 NAT'd to an internal WWW server. This IP is your www traffic.

0

 
LVL 6

Assisted Solution

by:djcapone
djcapone earned 400 total points
ID: 34192748
By default, all ports of the switch (with the exception of the WAN port 0) are assigned to be in the "inside" VLAN. You do not have any need for an additional VLAN.

To assign the IPs, you merely need to define static translations for the additional IPs. If you provided the config and/or network topology I could provide the exact commands needed, but as an example:

Assuming your inside network uses 192.168.1.0 /24 for a subnet and your external static IP assignment is 1.X.X.0 /29, you would use the allocation as follows:

Assign an IP to the outside interface:

interface vlan2
ip address 1.X.X.1 255.255.255.248

For each static translation you want to set up for the additional IPs:

static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255

Etc.

0
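The allocation from the accepted solution and the commands from the assisted solution, combined into one fragment as an added example that is not from any of the posters. It uses the pre-8.3 ASA `static` syntax shown above; the names `OUTSIDE_IN`, the `webvpn` lines, the Exchange/OWA server address 192.168.1.2 and the assumption that the ISP's own gateway is not one of 1.X.X.1 to 1.X.X.3 are mine, and the `!` lines are explanatory comments.

```text
! Outside interface takes the first usable address of the /29 (x.x.x.1 in MikeKane's layout).
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.X.X.1 255.255.255.248
!
! One-to-one static NAT: public 1.X.X.2 maps to the internal Exchange/OWA server
! (192.168.1.2 is an assumed address).
static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
!
! A static NAT by itself permits nothing inbound. The access-list bound to the
! outside interface decides what reaches the mapped address; pre-8.3 ACLs
! reference the public (mapped) IP. Only TCP/443 is opened to the OWA server,
! which is the "only open up port 443" rule hagemanoh describes.
access-list OUTSIDE_IN extended permit tcp any host 1.X.X.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! The SSL VPN listens on the outside interface address itself (1.X.X.1:443),
! so it no longer collides with OWA, which now answers on 1.X.X.2:443.
webvpn
 enable outside
```

Verify with `show xlate` (the static translation should appear) and `show access-list OUTSIDE_IN` (hit counts increment on OWA connections) after applying.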
 
LVL 1

Author Comment

by:jrojas1213
ID: 34197396
I am now thinking of purchasing an SSL VPN appliance and leaving the ASA as the firewall. I'm looking for more features such as virus scanning built in.

Essentially I will have to do the same (static NAT) with a standalone SSL VPN since it will be behind the firewall, correct?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34198086
Yes. If you have a block of IPs, then this should not be a problem.
 

0

