Solved

SSL VPN ON CISCO ASA 5505

Posted on 2010-11-22
Last Modified: 2012-05-10
Hello all, and thank you for your time.  I have a Cisco ASA 5505 as a firewall for the network and I'm also looking to use it as an SSL VPN.  I only have 1 static IP and I'm looking to purchase more, because I have an Exchange server with OWA connected via SSL and I can't set up the SSL VPN since port 443 is already in use.  I am new with this device, so I would appreciate some clarification on setting it up with the extra static IP.

Am I correct in saying that the new static IP would be configured under a new VLAN?  But based on my research I can only have 3 active VLANs (inside, outside, and DMZ).  I currently have the inside LAN and outside with the current 1 static IP.

1. For the other static IP, which is designated for use by the SSL VPN, how can I configure that in the Cisco ASA VPN?

Can I have 2 outside VLANs and the inside, because the DMZ is not in use and I have unused physical ports?
Question by: jrojas1213
6 Comments
 

Expert Comment

by:hagemanoh
ID: 34192172
The way you will want to approach this is using something called a static NAT.  When you get more static IPs your ISP will give you an "IP Block".  You will need to make, at a minimum, an adjustment to the IP that is currently assigned to the outside interface of your ASA.  You will set that static NAT to point directly to your Exchange server.  You will then need to set up associated access rules for this static NAT in which you would only open up port 443, since you will be using SSL/HTTPS for your OWA access.  That is how you will accomplish your outside OWA access to your Exchange server.
To accomplish what you are trying to do you shouldn't need to use VLANs at all.  Typically if you are assigning static IPs to physical interfaces you are only able to bind 1 IP to the physical interface.  That is, unless you enable trunking on the port.  In any case I won't be creating any VLANs for your extra statics in what you are trying to accomplish.  To answer your question about being able to use the extra physical port: you may be able to, but since it is designated for DMZ I'm not 100% sure.
 
LVL 1

Author Comment

by:jrojas1213
ID: 34192315
That is where I was confused. I'm familiar with static NAT; when I receive the IP block from my ISP and I have to reconfigure the ASA with the block, how do I enter the block of IPs?  Currently, looking at the configuration, it only takes 1 outside IP/subnet mask.
 
LVL 33

Accepted Solution

by: MikeKane (earned 600 total points)
ID: 34192703
The ASA's outside interface gets 1 IP.   The others are for use with static 1-to-1 NATs for internal servers or other solutions.

So x.x.x.1 is for the ASA external interface.   This IP is used for SSL VPN.
x.x.x.2 NAT'd to an internal email server.   This IP is used for your MX mail record.
x.x.x.3 NAT'd to an internal WWW server.  This IP is your www traffic.

 
LVL 6

Assisted Solution

by: djcapone (earned 400 total points)
ID: 34192748
By default, all ports of the switch (with the exception of the WAN port 0) are assigned to be in the "inside" VLAN.  You do not have any need for an additional VLAN.

To assign the IPs, you merely need to define static translations for the additional IPs.  If you provided the config and/or network topology I could provide the exact commands needed, but as an example:

Assuming your inside network uses 192.168.1.0 /24 for a subnet and your external static IP assignment is 1.X.X.0 /29, you would use the allocation as follows:

Assign the IP to the outside interface:

interface vlan2
ip address 1.X.X.1 255.255.255.248

For each static translation you want to set up for the additional IPs:

static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255

Etc.

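Putting MikeKane's allocation and djcapone's commands together, here is an added example (not from either commenter) of the pieces a practitioner would actually want on the box: the outside interface on the first usable address, the one-to-one static for OWA, an inbound rule that admits only HTTPS to that public address (the "only open port 443" point made earlier), and the clientless SSL VPN bound to the interface address. It assumes ASA 8.2-style syntax, outside on Vlan2, inside 192.168.1.0/24, the ISP block 1.X.X.0/29 and the Exchange/OWA host at 192.168.1.2; the access-list name is made up.

```cisco
! Added example, not from the original post. Assumes ASA 8.2-style syntax,
! outside = Vlan2, inside = 192.168.1.0/24, ISP block = 1.X.X.0/29,
! Exchange/OWA host = 192.168.1.2. ACL name "outside_in" is arbitrary.
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.X.X.1 255.255.255.248
!
! One-to-one static NAT: public 1.X.X.2 <-> internal Exchange/OWA host
static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
!
! Inbound rule: only HTTPS (tcp/443) to the OWA public address, nothing else.
! On pre-8.3 code the ACL references the translated (public) address.
access-list outside_in extended permit tcp any host 1.X.X.2 eq https
access-group outside_in in interface outside
!
! Clientless SSL VPN listens on the interface's own IP (1.X.X.1:443),
! so it no longer collides with OWA, which is now reached via 1.X.X.2.
webvpn
 enable outside
```

On ASA 8.3 and later the static command is replaced by object NAT and the inbound ACL references the real (inside) address instead of the translated one.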
 
LVL 1

Author Comment

by:jrojas1213
ID: 34197396
I am now thinking of purchasing an SSL VPN appliance and leaving the ASA as the firewall.  I'm looking for more features such as virus scanning built in.

Essentially I will have to do the same (static NAT) with a standalone SSL VPN since it will be behind the firewall, correct?
 
LVL 33

Expert Comment

by:MikeKane
ID: 34198086
Yes.    If you have a block of IPs, then this should not be a problem.  