Solved

ASA VPN

Posted on 2012-03-27
Last Modified: 2012-08-16
Hello,

I would like to use the Cisco VPN client on my laptop, when I'm away from home or work, to be able to VPN into the corporate network hitting the ASA to access my ISA2006.

Simple? I'm not sure any more.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

Could some one please help?

I have some config in place on the ASA by which I can connect to it. But, that's it. What configs am I missing to finish this puzzle?

Thanks in advance.
Question by:netcmh
 
Expert Comment by:Keith Alabaster
So the VPN is terminated on the ASA?

Expert Comment by:Keith Alabaster
If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953

Author Comment by:netcmh
Yes, the VPN terminates on the ASA

Author Comment by:netcmh
Keith, I can only configure the ASA but not the ISA.

Author Comment by:netcmh
But, apparently from my ISA guys, it should just work :)

Expert Comment by:Keith Alabaster
Far be it for me to counter your 'ISA guys'.  Heck, what do I know about it?  :)

Author Comment by:netcmh
Didn't mean to offend you, Keith. Just saying that they said that if I had the ASA configured right, the VPN connection would then allow me access to the ISA.

Expert Comment by:pwindell
But, apparently from my ISA guys, it should just work :)

No,...it would not,...and would never be expected to.   You need some new "ISA guys".

You are doing it the most complex way it can be done.  Instead,...ISA was designed and intended to replace the ASA with itself and to BE the Firewall and to BE the VPN Server so that the VPN terminates on the ISA.

There is potentially a lot of work to get any of it to work no matter how you do it.  It needs to be determined how it should really be done and what the best way to do it is,...before we invest much effort into this one...

Author Comment by:netcmh
The ISA is the VPN termination point for all regular users. But, sometimes the ISA stops functioning and refuses VPN connections. It's for this purpose that I would like to use the ASA to vpn into the network and from there jump into the ISA via rdp or vnc or something to troubleshoot it.

I hope that helps determining the reason.

Thanks

Expert Comment by:pwindell
There are some problems with that. The ISA is not going to accept RDP Connections on the External Interface.  Publishing RDP is a problem because the Publishing Rule can't listen for RDP attempts when the RDP Service on the ISA is already running on the same Socket.

You might try a simple Access Rule of:
(Yes, an Access Rule, not a Publishing Rule):

From: External
To: LocalHost
Protocol: RDP (not RDP Server)
Users: <a user set with specific users>

I'm not entirely sure the authentication will work properly when using a User Set in this situation.  If it doesn't then it would have to be Anonymous.

Author Comment by:netcmh
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?

Expert Comment by:pwindell
I do have the DMZ interface on the ASA free. Would that at all factor in to a possible solution?

That doesn't make any difference.  
"DMZ" as terminology goes doesn't really mean anything,...it is more a "marketing" concept.   An Interface is just an Interface and an IP Segment is just an IP Segment.

If so, bizarrely, I am just finishing a question for someone else with the same query.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_27649231.html#a37770953


That is not the same situation you are describing here in this thread.  The goals are not really the same.  That is why I was very careful in how I stated/asked things above in my earlier comments.

Author Comment by:netcmh
ok, then I'm out of ideas. How would you approach the situation? Please don't say remove the ASA :)

Expert Comment by:pwindell
I'll try not to,...but it is very very hard.

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.

Expert Comment by:pwindell
You could put the ISA and the ASA "side-by-side",...each with its own Public IP (External) and Private IP (Internal).  Then each product could be used independently for whatever you wanted to use them for and they would never get in each other's way.

There!,....I got the ASA out of the way without telling you to get rid of it!  :-)

Expert Comment by:pwindell
That is actually what I do at our place. I have 8 firewalls with 4 different connections out to the Internet,...every device does its job independently of the others and none of them get in any of the other's way.

Expert Comment by:Keith Alabaster
lol - didn't offend me :)  was quite happy to listen and learn. I like to believe I am reasonably good with ISA & TMG but would not be crass enough to say I know everything - we all keep learning.

I think it is the same as the other question - the only difference being that the ISA system policy would need to be edited of course to allow RDP traffic to the ISA itself for remote management.

Again, will wait to see how this pans out - no point in suggesting alternate approaches concurrently.

Author Comment by:netcmh
Actually, I'm open to any and all ideas to reach my goal.

The way it's set up isn't going to change anytime soon.

-=Internet=-----=ASA5510=-------=ISA2006=------=internal network

The ISA sometimes becomes inaccessible for vpn connections and a reboot is the easiest way to resolve it (until we get a decent alternative to either the server or the admin :) )

I would like a way to leverage the ASA to somehow get access to the ISA to either do some troubleshooting or to bounce it.

Thanks for your patience with me.

Expert Comment by:pwindell
Ok,...well it is like I said a couple comments back,....copy/pasted below:

If all you are wanting to do is RDP to only the ISA itself,..and you aren't using the VPN for any other purpose,...then what I already gave is the only solution I can think of.

If you want to contact other machines on the private LAN for "whatever" other reasons,..then things change entirely and you're looking at something like what is being discussed in that other thread.  However RDP to the ISA itself would not change and probably would still have to be done like I said.

Author Comment by:netcmh
do you mean: 37778737 ?

Expert Comment by:pwindell
37778737, yes,...assuming as I said,...that RDP to the ISA itself is the only thing you are trying to do,...otherwise you are looking at that other thread you mentioned.   And if my suggestion won't work then you may be looking at that other thread anyway.

Author Comment by:netcmh
I'm not having any luck getting this to work. I think a rule is in place that prevents me from getting rdp access to the ISA. Any other ideas?

Expert Comment by:pwindell
You could try RDP Server instead of the regular RDP as the Protocol.   I thought it would be the regular Protocol, but maybe I was wrong.  If flipping that does not work then I have no idea.

From: External
To: LocalHost
Protocol: RDP Server
Users: <a user set with specific users>

Author Comment by:netcmh
Yup, tried that.

Author Comment by:netcmh
Anyone? Please help. Thanks

Expert Comment by:pwindell
Put the ISA and the ASA side-by-side instead of one in front of the other so that they operate independently (no DMZ).

Run the VPN with the ASA

RDP to the ISA by targeting the Internal IP of the ISA.

If you can RDP to the ISA from the LAN then it will work because you would be hitting it from the LAN in that case.

Otherwise just forget the RDP and use something else (LogMeIn, TeamViewer, UltraVNC, whatever)

Author Comment by:netcmh
@pwindell
Thanks again, but I can't change the architecture. Only rules.

Other software is also out of the question.

Accepted Solution by:pwindell (earned 500 total points)
Thanks again, but I can't change the architecture. Only rules.

And what if the Rules aren't enough??  Rules are just Rules,...Rules only say "yes" or "no",...it is the architecture that actually makes everything happen.

Then you are saying that you cannot (or are not allowed to) do your job.   So the solution is that the person who is allowed to change the architecture has to do it (or give you permission to do it).

The structure at our place has changed over several times in the years I have been here.  The architecture is supposed to change and adjust to fit your needs,...it is supposed to serve you,....not you serve the architecture.