Solved

SSL VPN ON CISCO ASA 5505

Posted on 2010-11-22
6
600 Views
Last Modified: 2012-05-10
Hello all, and thank you for your time. I have a Cisco ASA 5505 as a firewall for the network and I'm also looking to use it as an SSL VPN. I only have 1 static IP and I'm looking to purchase more because I have an Exchange server with OWA connected via SSL and I can't set up the SSL VPN since port 443 is already in use. I am new to this device, so I could use some clarification on setting it up with the extra static IP.

Am I correct in saying that the new static IP would be configured under a new VLAN? But based on my research I can only have 3 active VLANs (inside, outside, and DMZ). I currently have the inside LAN and outside with the current 1 static IP.

1. For the other static IP, which is designated for use by the SSL VPN, how can I configure that in the Cisco ASA VPN?

Can I have 2 outside VLANs and the inside, because the DMZ is not in use and I have unused physical ports?
0
Comment
Question by:jrojas1213
6 Comments
 

Expert Comment

by:hagemanoh
ID: 34192172
The way you will want to approach this is using something called a static NAT. When you get more static IPs your ISP will give you an "IP Block". You will need to make, at a minimum, an adjustment to the IP that is currently assigned to the outside interface of your ASA. You will set that static NAT to point directly to your Exchange server. You will then need to set up associated access rules to this static NAT in which you would only open up port 443, since you will be using SSL/HTTPS for your OWA access. That is how you will accomplish your outside OWA access to your Exchange server.
To accomplish what you are trying to do you shouldn't need to use VLANs at all. Typically, if you are assigning static IPs to physical interfaces you are only able to bind 1 IP to the physical interface. That is, unless you enable trunking on the port. In any case I won't be creating any VLANs for your extra statics in what you are trying to accomplish. To answer your question about being able to use the extra physical port, you may be able to, but since it is designated for DMZ I'm not 100% sure.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34192315
That is where I was confused. I'm familiar with static NAT. When I receive the IP block from my ISP and I have to reconfigure the ASA with the block, how do I enter the block of IPs? Currently, looking at the configuration, it only takes 1 outside IP/subnet mask.
0
 
LVL 33

Accepted Solution

by: MikeKane (earned 150 total points)
ID: 34192703
The ASA's outside interface gets 1 IP. The others are for use with static 1-to-1 NATs for internal servers or other solutions.

So x.x.x.1 is for the ASA external interface. This IP is used for SSL VPN.
x.x.x.2 NAT'd to an internal email server. This IP is used for your MX mail record.
x.x.x.3 NAT'd to an internal WWW server. This IP is your www traffic.

0
 
LVL 6

Assisted Solution

by: djcapone (earned 100 total points)
ID: 34192748
By default, all ports of the switch (with the exception of the WAN port 0) are assigned to be in the "inside" VLAN. You do not have any need for an additional VLAN.

To assign the IPs, you merely need to define static translations for the additional IPs. If you provided the config and/or network topology I could provide the exact commands needed, but as an example:

Assuming your inside network uses 192.168.1.0 /24 for a subnet and your external static IP assignment is 1.X.X.0 /29, you would use the allocation as follows:

Assign the IP to the outside interface:

interface vlan2
ip address 1.X.X.1 255.255.255.248

For each static translation you want to set up for the additional IPs:

static (inside,outside) 1.X.X.2 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 1.X.X.3 192.168.1.3 netmask 255.255.255.255

Etc.

0
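As an added illustration (not code from this thread, and not Cisco's), here is a short Python script that checks a /29 allocation of the kind MikeKane and djcapone describe (one address for the ASA outside interface, which is also the SSL VPN listener, the rest for one-to-one statics) and renders the pre-8.3 `static` lines together with the port-restricted inbound access rules hagemanoh mentions. All addresses are constructed placeholders: 203.0.113.0/29 stands in for the thread's 1.X.X.0 /29, and the ACL name `outside_in` and the inside subnet 192.168.1.0/24 are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan with placeholder addresses: 203.0.113.0/29 (RFC 5737
# documentation space) stands in for the ISP block "1.X.X.0 /29" in the thread.
INSIDE_NET = "192.168.1.0/24"
PUBLIC_BLOCK = "203.0.113.0/29"
OUTSIDE_IP = "203.0.113.1"   # ASA outside interface; the SSL VPN listens here on 443
# public IP -> (inside host, TCP ports the outside access rule should permit)
STATIC_NATS: Dict[str, Tuple[str, List[int]]] = {
    "203.0.113.2": ("192.168.1.2", [443]),      # Exchange: OWA over HTTPS only
    "203.0.113.3": ("192.168.1.3", [80, 443]),  # internal web server
}


def validate_plan(block: str, outside_ip: str,
                  statics: Dict[str, Tuple[str, List[int]]],
                  inside_net: str = INSIDE_NET) -> List[str]:
    """Return a list of problems with the allocation; an empty list means it is consistent."""
    net = ipaddress.ip_network(block)
    inside = ipaddress.ip_network(inside_net)
    usable = set(net.hosts())   # network and broadcast addresses are excluded
    problems: List[str] = []
    out = ipaddress.ip_address(outside_ip)
    if out not in usable:
        problems.append(f"outside IP {outside_ip} is not a usable host in {block}")
    seen = {out}
    for pub, (priv, ports) in statics.items():
        p = ipaddress.ip_address(pub)
        if p not in usable:
            problems.append(f"static {pub} is not a usable host in {block}")
        if p in seen:
            # The interface address is reserved for the ASA itself (and its SSL VPN listener).
            problems.append(f"{pub} is used more than once")
        seen.add(p)
        if ipaddress.ip_address(priv) not in inside:
            problems.append(f"inside host {priv} is not within {inside_net}")
        if not ports:
            problems.append(f"static {pub} permits no ports; the access rule would allow nothing in")
    return problems


def render_asa_config(block: str, outside_ip: str,
                      statics: Dict[str, Tuple[str, List[int]]],
                      acl_name: str = "outside_in") -> str:
    """Render pre-8.3 ASA 'static' lines plus an inbound ACL that opens only the listed ports."""
    net = ipaddress.ip_network(block)
    lines = [
        "interface vlan2",
        f" ip address {outside_ip} {net.netmask}",
    ]
    # One-to-one translations: public address -> inside host
    for pub, (priv, _ports) in statics.items():
        lines.append(f"static (inside,outside) {pub} {priv} netmask 255.255.255.255")
    # Pre-8.3 outside ACLs match the public (translated) address, so the rule names
    # the static's public IP, not the inside host.
    for pub, (_priv, ports) in statics.items():
        for port in ports:
            lines.append(f"access-list {acl_name} extended permit tcp any host {pub} eq {port}")
    lines.append(f"access-group {acl_name} in interface outside")
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate_plan(PUBLIC_BLOCK, OUTSIDE_IP, STATIC_NATS)
    if issues:
        print("plan has problems:", *issues, sep="\n  ")
    else:
        print(render_asa_config(PUBLIC_BLOCK, OUTSIDE_IP, STATIC_NATS))
```

The rendered lines use the 8.2-era syntax shown in this thread; on ASA 8.3 and later, NAT is configured with network objects and interface ACLs match the real (inside) address instead, so the output would need to be adapted. The validator is there to catch the two mistakes that most often break this setup: reusing the outside interface address for a static (which is what leaves port 443 unavailable to the SSL VPN) and handing out the network or broadcast address of the /29.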
 
LVL 1

Author Comment

by:jrojas1213
ID: 34197396
I am now thinking of purchasing an SSL VPN appliance and leaving the ASA as the firewall. I'm looking for more features such as built-in virus scanning.

Essentially I will have to do the same (static NAT) with a standalone SSL VPN since it will be behind the firewall, correct?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34198086
Yes. If you have a block of IPs, then this should not be a problem.

0
