  • Status: Solved
  • Priority: Medium
  • Security: Public

ASA VPN

Hello,

I would like to use the Cisco VPN client on my laptop, when I'm away from home or work, to be able to VPN into the corporate network hitting the ASA to access my ISA2006.

Simple? I'm not sure any more.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

Could someone please help?

I have some config in place on the ASA by which I can connect to it. But, that's it. What configs am I missing to finish this puzzle?

Thanks in advance.
Asked by: netcmh

1 Solution
Keith AlabasterCommented:
So the VPN is terminated on the ASA?

Keith Alabaster commented:
If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953

netcmh (Author) commented:
Yes, the VPN terminates on the ASA

netcmh (Author) commented:
Keith, I can only configure the ASA but not the ISA.

netcmh (Author) commented:
But, apparently from my ISA guys, it should just work :)

Keith Alabaster commented:
Far be it for me to counter your 'ISA guys'.  Heck, what do I know about it?  :)

netcmh (Author) commented:
Didn't mean to offend you, Keith. Just saying that they said that if I had the ASA configured right, the VPN connection would then allow me access to the ISA.

pwindell commented:
> But, apparently from my ISA guys, it should just work :)

No,...it would not,...and would never be expected to.   You need some new "ISA guys".

You are doing it the most complex way it can be done.  Instead,...ISA was designed and intended to replace the ASA with itself and to BE the Firewall and to BE the VPN Server so that the VPN terminates on the ISA.

There is potentially a lot of work to get any of it to work no matter how you do it.  It needs to be determined how it should really be done and what the best way to do it is,...before we invest much effort into this one...

netcmh (Author) commented:
The ISA is the VPN termination point for all regular users. But, sometimes the ISA stops functioning and refuses VPN connections. It's for this purpose that I would like to use the ASA to VPN into the network and from there jump into the ISA via RDP or VNC or something to troubleshoot it.

I hope that helps in determining the reason.

Thanks

pwindell commented:
There are some problems with that. The ISA is not going to accept RDP Connections on the External Interface.  Publishing RDP is a problem because the Publishing Rule can't listen for RDP attempts when the RDP Service on the ISA is already running on the same Socket.

You might try a simple Access Rule of (yes, an Access Rule, not a Publishing Rule):

From: External
To: LocalHost
Protocol: RDP (not RDP Server)
Users: <a user set with specific users>

I'm not entirely sure the authentication will work properly when using a User Set in this situation.  If it doesn't then it would have to be Anonymous.

netcmh (Author) commented:
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?

pwindell commented:
> I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?

That doesn't make any difference.  
"DMZ" as terminology goes doesn't really mean anything,...it is more a "marketing" concept.   An Interface is just an Interface and an IP Segment is just an IP Segment.

> If so, bizarrely, I am just finishing a question for someone else with the same query.
> http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953

That is not the same situation you are describing here in this thread.  The goals are not really the same.  That is why I was very careful in how I stated/asked things above in my earlier comments.

netcmh (Author) commented:
OK, then I'm out of ideas. How would you approach the situation? Please don't say remove the ASA :)

pwindell commented:
I'll try not to,...but it is very very hard.

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.

pwindell commented:
You could put the ISA and the ASA "side-by-side",...each with its own Public IP (External) and Private IP (Internal).  Then each product could be used independently for whatever you wanted to use them for and they would never get in each other's way.

There!,....I got the ASA out of the way without telling you to get rid of it!  :-)

pwindell commented:
That is actually what I do at our place. I have 8 firewalls with 4 different connections out to the Internet,...every device does its job independently of the others and none of them get in any of the other's way.

Keith Alabaster commented:
lol - didn't offend me :)  was quite happy to listen and learn. I like to believe I am reasonably good with ISA & TMG but would not be crass enough to say I know everything - we all keep learning.

I think it is the same as the other question - the only difference being that the ISA system policy would need to be edited of course to allow RDP traffic to the ISA itself for remote management.

Again, will wait to see how this pans out - no point in suggesting alternate approaches concurrently.

netcmh (Author) commented:
Actually, I'm open to any and all ideas to reach my goal.

The way it's setup isn't going to change anytime soon.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

The ISA sometimes becomes inaccessible for VPN connections and a reboot is the easiest way to resolve it (until we get a decent alternative to either the server or the admin :) )

I would like a way to leverage the ASA to somehow get access to the ISA to either do some troubleshooting or to bounce it.

Thanks for your patience with me.

pwindell commented:
Ok,...well it is like I said a couple comments back,....copy/pasted below:

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.

netcmh (Author) commented:
Do you mean 37778737?

pwindell commented:
37778737, yes,...assuming as I said,...that RDP to the ISA itself is the only thing you are trying to do,...otherwise you are looking at that other thread you mentioned.   And if my suggestion won't work then you may be looking at that other thread anyway.

netcmh (Author) commented:
I'm not having any luck getting this to work. I think a rule is in place that prevents me from getting RDP access to the ISA. Any other ideas?

pwindell commented:
You could try RDP Server instead of the regular RDP as the Protocol.   I thought it would be the regular Protocol, but maybe I was wrong.  If flipping that does not work then I have no idea.

From: External
To: LocalHost
Protocol: RDP Server
Users: <a user set with specific users>

netcmh (Author) commented:
Yup, tried that.

netcmh (Author) commented:
Anyone? Please help. Thanks

pwindell commented:
Put the ISA and the ASA side-by-side instead of one in front of the other so that they operate independently (no DMZ).

Run the VPN with the ASA

RDP to the ISA by targeting the Internal IP of the ISA.

If you can RDP to the ISA from the LAN then it will work because you would be hitting it from the LAN in that case.

Otherwise just forget the RDP and use something else (LogMeIn, TeamViewer, UltraVNC, whatever)

netcmh (Author) commented:
@pwindell
Thanks again, but I can't change the architecture. Only rules.

Other software is also out of the question.

pwindell commented:
> Thanks again, but I can't change the architecture. Only rules.

And what if the Rules aren't enough??  Rules are just Rules,...Rules only say "yes" or "no",...it is the architecture that actually makes everything happen.

Then you are saying that you cannot (or are not allowed to) do your job.   So the solution is that the person who is allowed to change the architecture has to do it (or give you permission to do it).

The structure at our place has changed over several times in the years I have been here.  The architecture is supposed to change and adjust to fit your needs,...it is supposed to serve you,....not you serve the architecture.