Solved

SSL VPN ON CISCO ASA 5505

Posted on 2010-11-22
586 Views
Last Modified: 2012-05-10
Hello all, and thank you for your time.  I have a Cisco ASA 5505 as a firewall for the network and I'm also looking to use it as an SSL VPN.  I only have 1 static IP and I'm looking to purchase more because I have an Exchange server with OWA connected via SSL and I can't set up the SSL VPN since port 443 is already in use.  I am new with this device, so I would appreciate some clarification on setting it up with the extra static IP.

Am I correct in saying that the new static IP would be configured under a new VLAN?  But based on my research I can only have 3 active VLANs (inside, outside, and DMZ).  I currently have the inside LAN and outside with the current 1 static IP.

1. For the other static IP, which is designated for use by the SSL VPN, how can I configure that in the Cisco ASA VPN?

Can I have 2 outside VLANs and the inside, since the DMZ is not in use and I have unused physical ports?
Question by:jrojas1213
6 Comments

Expert Comment

by:hagemanoh
ID: 34192172
The way you will want to approach this is using something called a static NAT.  When you get more static IPs your ISP will give you an "IP block".  You will need to make, at a minimum, an adjustment to the IP that is currently assigned to the outside interface of your ASA.  You will set that static NAT to point directly to your Exchange server.  You will then need to set up associated access rules for this static NAT in which you would only open up port 443, since you will be using SSL/HTTPS for your OWA access.  That is how you will accomplish your outside OWA access to your Exchange server.
To accomplish what you are trying to do you shouldn't need to use VLANs at all.  Typically, if you are assigning static IPs to physical interfaces you are only able to bind 1 IP to the physical interface, unless you enable trunking on the port.  In any case I won't be creating any VLANs for your extra statics in what you are trying to accomplish.  To answer your question about being able to use the extra physical port: you may be able to, but as it is designated for DMZ I'm not 100% sure.
LVL 1

Author Comment

by:jrojas1213
ID: 34192315
That is where I was confused. I'm familiar with static NAT. When I receive the IP block from my ISP and I have to reconfigure the ASA with the block, how do I enter the block of IPs?  Currently, looking at the configuration, it only takes 1 outside IP/subnet mask.
LVL 33

Accepted Solution

by:MikeKane (earned 150 total points)
ID: 34192703
The ASA's outside interface gets 1 IP.   The others are for use with static 1-to-1 NATs for internal servers or other solutions.

So x.x.x.1 is for the ASA external interface.   This IP is used for the SSL VPN.
x.x.x.2 NAT'd to an internal email server.   This IP is used for your MX mail record.
x.x.x.3 NAT'd to an internal WWW server.  This IP is for your www traffic.

LVL 6

Assisted Solution

by:djcapone (earned 100 total points)
ID: 34192748
By default, all ports of the switch (with the exception of the WAN port 0) are assigned to be in the "inside" VLAN.  You do not have any need for an additional VLAN.

To assign the IPs, you merely need to define static translations for the additional IPs.  If you provided the config and/or network topology I could provide the exact commands needed, but as an example:

Assuming your inside network uses 192.168.1.0 /24 for a subnet and your external static IP assignment is 1.X.X.0 /29, you would use the allocation as follows:

assign ip to the outside interface:

interface vlan2
ip address 1.X.X.1 255.255.255.248

For each static translation you want to set up for the additional IPs:

static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255

Etc.

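As an added example, not posted by any of the experts above, here is how hagemanoh's advice (open only port 443 toward the Exchange static NAT) and djcapone's /29 allocation fit together in pre-8.3 ASA syntax, keeping the thread's 1.X.X.0/29 and 192.168.1.0/24 placeholders; the interface names, the ACL name and the host addresses are assumptions for illustration.

```cisco
! Outside interface takes the first usable address of the /29 (1.X.X.1 - 1.X.X.6 usable,
! 1.X.X.7 is broadcast). This address also terminates the SSL VPN, so it is not NAT'd.
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.X.X.1 255.255.255.248
!
! Inside VLAN: all switch ports except the WAN port live here by default.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! One-to-one static NATs for the servers behind the firewall (assumed inside hosts).
static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255
!
! Inbound policy on the outside interface. Before ASA 8.3 the ACL matches the mapped
! (public) address, not the inside address. Only HTTPS reaches the OWA host; the
! implicit deny at the end drops everything else to the NAT'd addresses.
access-list outside_in extended permit tcp any host 1.X.X.2 eq 443
access-list outside_in extended permit tcp any host 1.X.X.3 eq 80
access-list outside_in extended permit tcp any host 1.X.X.3 eq 443
access-group outside_in in interface outside
!
! Clientless SSL VPN listens on the interface address (1.X.X.1) on 443, which no
! longer collides with OWA because OWA now answers on the separate 1.X.X.2 static.
webvpn
 enable outside
```

Verify the translations and hit counts with `show xlate` and `show access-list outside_in` after applying the configuration.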
LVL 1

Author Comment

by:jrojas1213
ID: 34197396
I am now thinking of purchasing an SSL VPN appliance and leaving the ASA as the firewall.  I'm looking for more features such as virus scanning built in.

Essentially I will have to do the same (static NAT) with a standalone SSL VPN since it will be behind the firewall, correct?
LVL 33

Expert Comment

by:MikeKane
ID: 34198086
Yes.  If you have a block of IPs, then this should not be a problem.