IPSEC over SSL on Cisco ASA

Posted on 2011-05-02
1,067 Views
Last Modified: 2012-08-14
Hello,

I need to get IPSEC VPN connections working over Port 443. Can someone help me set this up on an ASA Firewall?
Question by:Methodman85
LVL 58

Expert Comment

by:Pete Long
ID: 35505819
You can't. IPSEC uses ISAKMP (UDP500) and ESP (TCP50); they are two different VPN methods altogether. What is the problem you are trying to solve?
LVL 1

Author Comment

by:Methodman85
ID: 35506063
The problem I have is that our Parent company does not allow IPsec connections from their network. We have services people who need to connect to customer sites. If they can initiate these IPSEC VPN connections over port 443 which is allowed, instead of the standard IPSEC ports, then things would be great.


Something like this wouldn't work?


Example 16-29. IPSec over TCP Configuration
Chicago(config)# isakmp ipsec-over-tcp port 10000


To verify whether the VPN clients are using IPSec over TCP, you can use the show crypto ipsec sa | include settings command, as demonstrated in Example 16-30. The "in use settings" option indicates that the particular VPN connection is a remote-access tunnel using TCP encapsulation.

Example 16-30. Verifying VPN Client Use of IPSec over TCP
Chicago(config)# show crypto ipsec sa | include settings

         in use settings ={RA, Tunnel,    TCP-Encaps, }

         in use settings ={RA, Tunnel,    TCP-Encaps, }

LVL 5

Expert Comment

by:jkeegan123
ID: 35506120
Are you trying to VPN to a site, or are you trying to have a site VPN to you? It sounds like you want to enable "SSL VPN" on the device, which is supported in all ASAs; even the 10-user ASA supports (2) concurrent SSL VPNs.

More details please.
LVL 1

Author Comment

by:Methodman85
ID: 35506411
We have employees at a parent site who need to connect to our branch site. We currently have 25 concurrent SSL connections, which allows users from the parent site and road users to connect to our branch site. We constantly reach that 25 SSL limit, and we are not permitted to purchase more licenses since we have unlimited concurrent IPsec connections. Since initiating IPSEC connections from the parent site is not permitted, I would like to have the IPsec connections initiated from the parent through 443 instead of the standard IPsec ports.

A site to site VPN between these 2 sites is not permitted, so I must get this done via a client to site scenario.

Does this make more sense?
LVL 5

Accepted Solution

by:
jkeegan123 earned 2000 total points
ID: 35506444
It does, yes....and unfortunately, you are talking about (2) different types of VPNs.  SSL VPN is not just an IPSec VPN running over port 443, it's an "SSL VPN", made to work USUALLY with no client installed.

If this is a Cisco situation, you could enable IPSec client based VPN, and you could change the default PORT that it happens on, but it would STILL be an IPSec VPN, albeit over different ports.  Changing it to port 443 would disrupt either one or the other of the VPNs, possibly both.

Try getting IPSec VPN to be approved, and I can forward a very easy to implement IPSec client based VPN from Cisco.  Is this a Cisco VPN?
LVL 1

Author Comment

by:Methodman85
ID: 35506516
Yes it's a Cisco VPN. It would take months to get IPSEC VPN approved.
So is there no way to change the firewall at my branch site to communicate its IPSEC communications over port 443 instead of the default ports, and then have the users at the parent site connect to it on 443?

You're saying that doing something like this will most certainly disrupt the users who are already using the purely SSL VPN connection via the Cisco Anyconnect Client?
LVL 5

Expert Comment

by:jkeegan123
ID: 35506553
If it's on the same edge device, most likely yes.
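An added configuration example, not from the original thread or from Cisco's documentation, showing what the accepted answer and the follow-up describe on a single ASA edge device: the SSL VPN (WebVPN/AnyConnect) listener and an IPsec-over-TCP listener side by side, why the two cannot share TCP/443 on the same interface, and the show command from the book excerpt above used to tell the encapsulations apart. The interface name `outside`, ASA 8.0-8.3 command syntax (`crypto isakmp ...`; 8.4 and later use `crypto ikev1 ...`) and the alternate port 10000 are assumptions.

```cisco
! --- Existing SSL VPN listener: what the AnyConnect users from the parent site use today ---
! (assumed to be on the default port; interface name "outside" is an assumption)
webvpn
 enable outside
 port 443
!
! --- IPsec remote access with TCP encapsulation: what the question asks for ---
! The ASA listens on the listed TCP port(s), strips the TCP framing and hands the
! ISAKMP/ESP payload to the IPsec stack. Up to 10 ports may be listed; 10000 is the
! default and is used here as an assumption so that it does not collide with 443.
! This is Cisco's proprietary TCP wrapper, not TLS: a parent-site proxy that expects
! a TLS handshake on 443 will not recognise it even if the port is allowed.
crypto isakmp enable outside
crypto isakmp ipsec-over-tcp port 10000
!
! --- What the question wants, and why it conflicts ---
! Moving IPsec-over-TCP to 443 claims the port the SSL VPN already owns on the same
! interface; one IP address cannot have two listeners on one TCP port. To free 443
! for the IPsec clients the SSL VPN has to move, which breaks the AnyConnect users
! who also need 443 (port 444 below is an assumption):
!   webvpn
!    port 444
!   crypto isakmp ipsec-over-tcp port 443
! Either way, one of the two client populations loses the port it needs.
!
! --- Verify which encapsulation each active tunnel is using (same check as above) ---
! show crypto ipsec sa | include settings
!   in use settings ={RA, Tunnel, TCP-Encaps, }   <- IPsec client over TCP
!   in use settings ={RA, Tunnel, UDP-Encaps, }   <- IPsec client behind NAT (NAT-T, UDP/4500)
!   in use settings ={RA, Tunnel, }               <- native ISAKMP UDP/500 + ESP
```

The Cisco VPN Client on the user side must be set to the IPSec over TCP transport with the same port number the ASA lists, otherwise it falls back to UDP/500 and ESP, which is exactly what the parent network blocks. Running the IPsec-over-TCP listener on a port other than 443 keeps the SSL VPN intact, but only helps if the parent firewall also permits that port.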
