ASA VPN

Hello,

I would like to use the Cisco VPN client on my laptop, when I'm away from home or work, to be able to VPN into the corporate network hitting the ASA to access my ISA2006.

Simple? I'm not sure any more.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

Could some one please help?

I have some config in place on the ASA by which I can connect to it. But, that's it. What configs am I missing to finish this puzzle?

Thanks in advance.
netcmh asked:
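For the "what configs am I missing" part of the question, here is an added example of a complete IPsec remote-access VPN configuration on an ASA 5510 in the 8.2-era syntax that matches an ISA 2006 deployment. It is not configuration from the asker or from anyone in this thread; all addresses, object names and the pre-shared key are constructed placeholders (outside 203.0.113.2/24, an ASA-to-ISA transit segment 192.168.100.0/24 with the ISA's external interface at 192.168.100.2, a corporate LAN 10.0.0.0/16 behind the ISA, and a client pool 10.99.0.0/24). The pieces most often missing once "I can connect" works are the NAT exemption, the split-tunnel list, `sysopt connection permit-vpn`, and a route on the ASA for the LAN that sits behind the ISA. User authentication (LOCAL or AAA) is assumed to already be in place, since the asker reports that the client can connect.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax; every address and name is constructed.
! Assumed: outside 203.0.113.2/24, inside (ASA<->ISA transit) 192.168.100.0/24,
! ISA external interface 192.168.100.2, LAN behind the ISA 10.0.0.0/16, client pool 10.99.0.0/24.

! 1. IKEv1 phase 1 policy and IPsec transform set, bound to the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! 2. Address pool handed to VPN clients
ip local pool VPN-POOL 10.99.0.10-10.99.0.50 mask 255.255.255.0

! 3. NAT exemption: inside hosts talking to the client pool must not be translated,
!    otherwise return traffic from the ISA / LAN never reaches the tunnel
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Split tunnel: only the transit segment and the LAN go through the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.0.0

! 5. Group policy and tunnel group the Cisco VPN client connects to
group-policy RAVPN internal
group-policy RAVPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-idle-timeout 30
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPN-POOL
 default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
 pre-shared-key <GROUP-PSK-PLACEHOLDER>

! 6. Let decrypted VPN traffic bypass the outside interface access-list
sysopt connection permit-vpn

! 7. The LAN behind the ISA is reached via the ISA's external address
route inside 10.0.0.0 255.255.0.0 192.168.100.2 1
```

Two things to check after applying something like this: `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel and that encaps/decaps counters move for traffic to 192.168.100.2, and `show vpn-sessiondb remote` shows the pool address the client received. Note that from the ISA's point of view a connection sourced from 10.99.0.0/24 arrives on its external interface and is a member of its External network, which is exactly why the ISA-side rule discussed later in this thread is needed on top of the ASA configuration; the ASA config alone cannot make the ISA accept RDP.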
Keith Alabaster (Enterprise Architect) commented:
So the VPN is terminated on the ASA?
0
Keith Alabaster (Enterprise Architect) commented:
If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953
0
netcmh (Author) commented:
Yes, the VPN terminates on the ASA
0
netcmh (Author) commented:
Keith, I can only configure the ASA but not the ISA.
0
netcmh (Author) commented:
But, apparently from my ISA guys, it should just work :)
0
Keith Alabaster (Enterprise Architect) commented:
Far be it for me to counter your 'ISA guys'.  Heck, what do I know about it?  :)
0
netcmh (Author) commented:
Didn't mean to offend you, Keith. Just saying that they said that if I had the ASA configured right, the VPN connection would then allow me access to the ISA.
0
pwindell commented:
But, apparently from my ISA guys, it should just work :)

No,...it would not,...and would never be expected to.   You need some new "ISA guys".

You are doing it the most complex way it can be done.  Instead,...ISA was designed and intended to replace the ASA with itself and to BE the Firewall and to BE the VPN Server so that the VPN terminates on the ISA.

There is potentially a lot of work to get any of it to work no matter how you do it.  It needs to be determined how it should really be done and what the best way to do it is,...before we invest much effort into this one...
0
netcmh (Author) commented:
The ISA is the VPN termination point for all regular users. But, sometimes the ISA stops functioning and refuses VPN connections. It's for this purpose that I would like to use the ASA to VPN into the network and from there jump into the ISA via RDP or VNC or something to troubleshoot it.

I hope that helps determining the reason.

Thanks
0
pwindell commented:
There are some problems with that. The ISA is not going to accept RDP Connections on the External Interface.  Publishing RDP is a problem because the Publishing Rule can't listen for RDP attempts when the RDP Service on the ISA is already running on the same Socket.

You might try a simple Access Rule of:
(Yes, an Access Rule, not a Publishing Rule):

From: External
To: LocalHost
Protocol: RDP (not RDP Server)
Users: <a user set with specific users>

I'm not entirely sure the authentication will work properly when using a User Set in this situation.  If it doesn't then it would have to be Anonymous.
0
netcmh (Author) commented:
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?
0
pwindell commented:
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?

That doesn't make any difference.  
"DMZ" as terminology goes doesn't really mean anything,...it is more a "marketing" concept.   An Interface is just an Interface and an IP Segment is just an IP Segment.

If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953


That is not the same situation you are describing here in this thread.  The goals are not really the same.  That is why I was very careful in how I stated/asked things above in my earlier comments.
0
netcmh (Author) commented:
OK, then I'm out of ideas. How would you approach the situation? Please don't say remove the ASA :)
0
pwindell commented:
I'll try not to,...but it is very very hard.

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.
0
pwindell commented:
You could put the ISA and the ASA "side-by-side",...each with its own Public IP (External) and Private IP (Internal).  Then each product could be used independently for whatever you wanted to use them for and they would never get in each other's way.

There!,....I got the ASA out of the way without telling you to get rid of it!  :-)
0
pwindell commented:
That is actually what I do at our place. I have 8 firewalls with 4 different connections out to the Internet,...every device does its job independently of the others and none of them get in any of the other's way.
0
Keith Alabaster (Enterprise Architect) commented:
lol - didn't offend me :)  was quite happy to listen and learn. I like to believe I am reasonably good with ISA & TMG but would not be crass enough to say I know everything - we all keep learning.

I think it is the same as the other question - the only difference being that the ISA system policy would need to be edited of course to allow RDP traffic to the ISA itself for remote management.

Again, will wait to see how this pans out - no point in suggesting alternate approaches concurrently.
0
netcmh (Author) commented:
Actually, I'm open to any and all ideas to reach my goal.

The way it's setup isn't going to change anytime soon.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

The ISA sometimes becomes inaccessible for VPN connections and a reboot is the easiest way to resolve it (until we get a decent alternative to either the server or the admin :) )

I would like a way to leverage the ASA to somehow get access to the ISA to either do some troubleshooting or to bounce it.

Thanks for your patience with me.
0
pwindell commented:
Ok,...well it is like I said a couple comments back,....copy/pasted below:

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.
0
netcmh (Author) commented:
Do you mean 37778737?
0
pwindell commented:
37778737, yes,...assuming as I said,...that RDP to the ISA itself is the only thing you are trying to do,...otherwise you are looking at that other thread you mentioned.   And if my suggestion won't work then you may be looking at that other thread anyway.
0
netcmh (Author) commented:
I'm not having any luck getting this to work. I think a rule is in place that prevents me from getting RDP access to the ISA. Any other ideas?
0
pwindell commented:
You could try RDP Server instead of the regular RDP as the Protocol.   I thought it would be the regular Protocol, but maybe I was wrong.  If flipping that does not work then I have no idea.

From: External
To: LocalHost
Protocol: RDP Server
Users: <a user set with specific users>
0
netcmh (Author) commented:
Yup, tried that.
0
netcmh (Author) commented:
Anyone? Please help. Thanks
0
pwindell commented:
Put the ISA and the ASA side-by-side instead of one in front of the other so that they operate independently (no DMZ).

Run the VPN with the ASA

RDP to the ISA by targeting the Internal IP of the ISA.

If you can RDP to the ISA from the LAN then it will work because you would be hitting it from the LAN in that case.

Otherwise just forget the RDP and use something else (LogMeIn, TeamViewer, UltraVNC, whatever)
0
netcmh (Author) commented:
@pwindell
Thanks again, but I can't change the architecture. Only rules.

Other software is also out of the question.
0
pwindell commented:
Thanks again, but I can't change the architecture. Only rules.

And what if the Rules aren't enough??  Rules are just Rules,...Rules only say "yes" or "no",...it is the architecture that actually makes everything happen.

Then you are saying that you cannot (or are not allowed to) do your job.   So the solution is that the person who is allowed to change the architecture has to do it (or give you permission to do it).

The structure at our place has changed over several times in the years I have been here.  The architecture is supposed to change and adjust to fit your needs,...it is supposed to serve you,....not you serve the architecture.
0

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.