IPSEC over SSL on Cisco ASA

Hello,

I need to get IPSEC VPN connections working over Port 443. Can someone help me set this up on an ASA Firewall?
Asked by Methodman85
Pete Long (Technical Consultant) commented:
You can't. IPSEC uses ISAKMP (UDP500) and ESP (TCP50); they are two different VPN methods altogether. What is the problem you are trying to solve?
Methodman85 (Author) commented:
The problem I have is that our Parent company does not allow IPsec connections from their network. We have services people who need to connect to customer sites. If they can initiate these IPSEC VPN connections over port 443 which is allowed, instead of the standard IPSEC ports, then things would be great.

Something like this wouldn't work?

Example 16-29. IPSec over TCP Configuration
Chicago(config)# isakmp ipsec-over-tcp port 10000

To verify whether the VPN clients are using IPSec over TCP, you can use the show crypto ipsec sa | include settings command, as demonstrated in Example 16-30. The "in use settings" option indicates that the particular VPN connection is a remote-access tunnel using TCP encapsulation.

Example 16-30. Verifying VPN Client Use of IPSec over TCP
Chicago(config)# show crypto ipsec sa | include settings
         in use settings ={RA, Tunnel,    TCP-Encaps, }
         in use settings ={RA, Tunnel,    TCP-Encaps, }

jkeegan123 commented:
Are you trying to VPN to a site, or are you trying to have a site VPN to you? It sounds like you want to enable "SSL VPN" on the device, which is supported in all ASAs; even the 10-user ASA supports (2) concurrent SSL VPNs.

More details please.
Methodman85 (Author) commented:
We have employees at a parent site who need to connect to our branch site. We currently have 25 concurrent SSL connections, which allows users from the parent site and road users to connect to our branch site. We constantly reach that 25 SSL limit, and we are not permitted to purchase more licenses since we have unlimited concurrent IPsec connections. Initiating IPSEC connections from the parent site is not permitted, so I would like to have the IPsec connections initiated from the parent through 443 instead of the standard IPsec ports.

A site to site VPN between these 2 sites is not permitted, so I must get this done via a client to site scenario.

Does this make more sense?
jkeegan123 commented:
It does, yes, and unfortunately you are talking about (2) different types of VPNs. SSL VPN is not just an IPSec VPN running over port 443; it's an "SSL VPN", made to work USUALLY with no client installed.

If this is a Cisco situation, you could enable IPSec client based VPN, and you could change the default PORT that it happens on, but it would STILL be an IPSec VPN, albeit over different ports.  Changing it to port 443 would disrupt either one or the other of the VPNs, possibly both.

Try getting IPSec VPN to be approved, and I can forward a very easy-to-implement IPSec client-based VPN from Cisco. Is this a Cisco VPN?
Methodman85 (Author) commented:
Yes it's a Cisco VPN. It would take months to get IPSEC VPN approved.
So is there no way to change the firewall at my branch site to communicate its IPSEC communications over port 443 instead of the default ports, and then have the users at the parent site connect to it on 443?

You're saying that doing something like this will most certainly disrupt the users who are already using the purely SSL VPN connection via the Cisco AnyConnect Client?
jkeegan123 commented:
If it's on the same edge device, most likely yes.
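The port collision the reply above warns about, as an added example that is not part of this thread and not a Cisco tool: a small Python lint over a constructed ASA running-config excerpt that reports any TCP port claimed both by `ipsec-over-tcp port ...` and by the WebVPN/AnyConnect listener (default 443 unless `port` is set under `webvpn`). The config excerpt and the exact command forms it recognises are assumptions.

```python
import re

# Constructed ASA running-config excerpt (not captured from a real device):
# IPsec-over-TCP has been moved onto 443 while WebVPN/AnyConnect still
# listens on its default port 443 on the same outside interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto isakmp ipsec-over-tcp port 443 10000
webvpn
 enable outside
 anyconnect enable
"""

# Accepts the older 'isakmp ipsec-over-tcp' form quoted in the thread and the
# 'crypto isakmp'/'crypto ikev1' forms (assumed syntax; one or more ports).
IPSEC_TCP_RE = re.compile(r"(?:crypto )?(?:isakmp|ikev1) ipsec-over-tcp port ((?:\d+\s*)+)$")


def parse_listeners(config: str) -> dict:
    """Return the TCP ports used by IPsec-over-TCP and by WebVPN, applying
    the ASA default of 443 for WebVPN when no 'port' is set in its block."""
    ipsec_tcp, webvpn = set(), set()
    in_webvpn, webvpn_enabled, webvpn_port = False, False, 443
    for line in config.splitlines():
        if not line.startswith(" "):                 # top-level command
            in_webvpn = line.strip() == "webvpn"
            m = IPSEC_TCP_RE.match(line)
            if m:
                ipsec_tcp.update(int(p) for p in m.group(1).split())
        elif in_webvpn:                              # inside the webvpn block
            m = re.match(r" port (\d+)$", line)
            if m:
                webvpn_port = int(m.group(1))
            elif re.match(r" enable \S+", line):     # 'enable <interface>'
                webvpn_enabled = True
    if webvpn_enabled:
        webvpn.add(webvpn_port)
    return {"ipsec-over-tcp": ipsec_tcp, "webvpn": webvpn}


def port_conflicts(config: str) -> list:
    """Ports claimed by both IPsec-over-TCP and WebVPN, sorted ascending."""
    ports = parse_listeners(config)
    return sorted(ports["ipsec-over-tcp"] & ports["webvpn"])


if __name__ == "__main__":
    for port in port_conflicts(SAMPLE_CONFIG):
        print(f"TCP {port}: IPsec-over-TCP and WebVPN would both listen here")
```

Run against the sample it reports 443; moving WebVPN with `port 8443` or keeping IPsec-over-TCP on 10000 alone clears the report.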