Solved

ASA VPN

Posted on 2012-03-27
Last Modified: 2012-08-16
Hello,

I would like to use the Cisco VPN client on my laptop, when I'm away from home or work, to be able to VPN into the corporate network hitting the ASA to access my ISA2006.

Simple? I'm not sure any more.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

Could someone please help?

I have some config in place on the ASA by which I can connect to it. But, that's it. What configs am I missing to finish this puzzle?

Thanks in advance.
Question by:netcmh
28 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37773152
So the VPN is terminated on the ASA?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37773158
If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953
LVL 21

Author Comment

by:netcmh
ID: 37773258
Yes, the VPN terminates on the ASA
LVL 21

Author Comment

by:netcmh
ID: 37773267
Keith, I can only configure the ASA but not the ISA.
LVL 21

Author Comment

by:netcmh
ID: 37773566
But, apparently from my ISA guys, it should just work :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37773582
Far be it from me to counter your 'ISA guys'. Heck, what do I know about it? :)
LVL 21

Author Comment

by:netcmh
ID: 37776676
Didn't mean to offend you, Keith. Just saying that they said that if I had the ASA configured right, the VPN connection would then allow me access to the ISA.
LVL 29

Expert Comment

by:pwindell
ID: 37778636
But, apparently from my ISA guys, it should just work :)

No,...it would not,...and would never be expected to.   You need some new "ISA guys".

You are doing it the most complex way it can be done.  Instead,...ISA was designed and intended to replace the ASA with itself and to BE the Firewall and to BE the VPN Server so that the VPN terminates on the ISA.

There is potentially a lot of work to get any of it to work no matter how you do it.  It needs to be determined how it should really be done and what the best way to do it is,...before we invest much effort into this one...
LVL 21

Author Comment

by:netcmh
ID: 37778666
The ISA is the VPN termination point for all regular users. But, sometimes the ISA stops functioning and refuses VPN connections. It's for this purpose that I would like to use the ASA to vpn into the network and from there jump into the ISA via rdp or vnc or something to troubleshoot it.

I hope that helps determining the reason.

Thanks
LVL 29

Expert Comment

by:pwindell
ID: 37778737
There are some problems with that. The ISA is not going to accept RDP Connections on the External Interface.  Publishing RDP is a problem because the Publishing Rule can't listen for RDP attempts when the RDP Service on the ISA is already running on the same Socket.

You might try a simple Access Rule of:
(Yes, an Access Rule, not a Publishing Rule):

From: External
To: LocalHost
Protocol: RDP (not RDP Server)
Users: <a user set with specific users>

I'm not entirely sure the authentication will work properly when using a User Set in this situation.  If it doesn't then it would have to be Anonymous.
LVL 21

Author Comment

by:netcmh
ID: 37778752
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?
LVL 29

Expert Comment

by:pwindell
ID: 37778780
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?

That doesn't make any difference.  
"DMZ" as terminology goes doesn't really mean anything,...it is more a "marketing" concept.   An Interface is just an Interface and an IP Segment is just an IP Segment.

If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953


That is not the same situation you are describing here in this thread.  The goals are not really the same.  That is why I was very careful in how I stated/asked things above in my earlier comments.
LVL 21

Author Comment

by:netcmh
ID: 37778792
OK, then I'm out of ideas. How would you approach the situation? Please don't say remove the ASA :)
LVL 29

Expert Comment

by:pwindell
ID: 37778820
I'll try not to,...but it is very very hard.

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.
LVL 29

Expert Comment

by:pwindell
ID: 37778881
You could put the ISA and the ASA "side-by-side",...each with its own Public IP (External) and Private IP (Internal). Then each product could be used independently for whatever you wanted to use them for and they would never get in each other's way.

There!,....I got the ASA out of the way without telling you to get rid of it!  :-)
LVL 29

Expert Comment

by:pwindell
ID: 37778891
That is actually what I do at our place. I have 8 firewalls with 4 different connections out to the Internet,...every device does its job independently of the others and none of them get in any of the others' way.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779245
lol - didn't offend me :)  was quite happy to listen and learn. I like to believe I am reasonably good with ISA & TMG but would not be crass enough to say I know everything - we all keep learning.

I think it is the same as the other question - the only difference being that the ISA system policy would need to be edited of course to allow RDP traffic to the ISA itself for remote management.

Again, will wait to see how this pans out - no point in suggesting alternate approaches concurrently.
LVL 21

Author Comment

by:netcmh
ID: 37781445
Actually, I'm open to any and all ideas to reach my goal.

The way it's set up isn't going to change anytime soon.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

The ISA sometimes becomes inaccessible for VPN connections and a reboot is the easiest way to resolve it (until we get a decent alternative to either the server or the admin :) )

I would like a way to leverage the ASA to somehow get access to the ISA to either do some troubleshooting or to bounce it.

Thanks for your patience with me.
LVL 29

Expert Comment

by:pwindell
ID: 37781766
Ok,...well it is like I said a couple comments back,....copy/pasted below:

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.
LVL 21

Author Comment

by:netcmh
ID: 37781787
do you mean: 37778737 ?
LVL 29

Expert Comment

by:pwindell
ID: 37781837
37778737, yes,...assuming as I said,...that RDP to the ISA itself is the only thing you are trying to do,...otherwise you are looking at that other thread you mentioned.   And if my suggestion won't work then you may be looking at that other thread anyway.
LVL 21

Author Comment

by:netcmh
ID: 37851842
I'm not having any luck getting this to work. I think a rule is in place that prevents me from getting rdp access to the ISA. Any other ideas?
LVL 29

Expert Comment

by:pwindell
ID: 37853348
You could try RDP Server instead of the regular RDP as the Protocol.   I thought it would be the regular Protocol, but maybe I was wrong.  If flipping that does not work then I have no idea.

From: External
To: LocalHost
Protocol: RDP Server
Users: <a user set with specific users>
LVL 21

Author Comment

by:netcmh
ID: 37855436
Yup, tried that.
LVL 21

Author Comment

by:netcmh
ID: 38222616
Anyone? Please help. Thanks
LVL 29

Expert Comment

by:pwindell
ID: 38222788
Put the ISA and the ASA side-by-side instead of one in front of the other so that they operate independently (no DMZ).

Run the VPN with the ASA

RDP to the ISA by targeting the Internal IP of the ISA.

If you can RDP to the ISA from the LAN then it will work because you would be hitting it from the LAN in that case.

Otherwise just forget the RDP and use something else (LogMeIn, TeamViewer, UltraVNC, whatever)
LVL 21

Author Comment

by:netcmh
ID: 38224623
@pwindell
Thanks again, but I can't change the architecture. Only rules.

Other software is also out of the question.
LVL 29

Accepted Solution

by:pwindell (earned 2000 total points)
ID: 38224685
Thanks again, but I can't change the architecture. Only rules.

And what if the Rules aren't enough??  Rules are just Rules,...Rules only say "yes" or "no",...it is the architecture that actually makes everything happen.

Then you are saying that you cannot (or are not allowed to) do your job. So the solution is that the person who is allowed to change the architecture has to do it (or give you permission to do it).

The structure at our place has changed over several times in the years I have been here.  The architecture is supposed to change and adjust to fit your needs,...it is supposed to serve you,....not you serve the architecture.