Solved

setup vpn in ASA 5505

Posted on 2014-04-09
Last Modified: 2014-04-30
We have a hosted server with a new provider and we also opted for a firewall which is a Cisco ASA 5505. It turns out that they do not provide assistance with the firewall, so I have come here!

The server hosts multiple customer websites, along with both MySQL and SQL Server databases.

I would like to provide customers with the ability to connect to their databases remotely, for which I assume we need to create a VPN to allow them access through the firewall. Also, I would want them to be able to use the standard Windows connection tool(s).

Unfortunately, I know very little about this so I am looking for idiot-proof help ;-)

First of all, is this a safe thing to do - can I control what they can access on the server end? i.e. database access only.

What type of VPN do I need? I looked at one of the wizards and stopped at the point when it started talking about IP addresses ... what range should I / can I use? How does that relate to our server setup, or doesn't it?

I don't know what else to ask ... hopefully someone can guide me in the right direction!
0
Comment
Question by:ascendinternet
12 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 39988279
Hi,
assuming you're not an expert in this matter, I believe you can only get general architecture and planning advice here, while you'll need to ask an expert on site to do the implementation.
Well, keeping it simple, I see 3 possible solutions for you:

1) Only one firewall on your head office and vpn client software for your customers:
you will need to implement a remote access VPN on your ASA5505 and yes, surely you can set access-lists to provide access only to the ports of the server they need to work on. You will have to communicate to your customers the right credentials to connect, which you will decide and manage.

2) You can ask your customers where from they connect (their fixed IP address, if they have it) and configure your ASA5505 accordingly by setting access-lists which allow only those IP addresses to connect.

3) Implement a Site-to-site VPN with each of your customers, but they need to have a central device to terminate vpn on each of their site.

Without knowing any other details of your situation, I'd bet that your optimal solution is the first one I mentioned, which is easily scalable, flexible and secure.
Unless you have specific requirements, that one will be good for you.

hope this helps
max
0
 

Author Comment

by:ascendinternet
ID: 39988299
Your first assumption is most definitely correct - I am NOT an expert with firewalls!

Your second assumption is also (pretty much) correct, option 1 sounds like what we need.

The firewall and server behind it are hosted for us somewhere remotely. We have Remote Desktop access but that is not something we can give our customers.

With our previous supplier, they configured a VPN connection that we, and client to whom we gave the connection details, could use to get through the firewall and connect to MySQL and SQL Server databases using client tools on our / their local computers. That is what we need to reproduce.

Is this something beyond the capability of a no-Cisco trained individual, or is it possible with the right assistance? (I am a software developer)
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 39988310
Hi,
I'd suggest asking a Cisco-trained individual. You may do on-the-job training with her so that you can learn how to manage it after the implementation.
This way you'll be sure to have a correct implementation (which may take half a day or a full day's work), and then you can manage this stuff afterwards on your own, provided you're willing to learn that technology.

max
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39990939
Although I agree with Max that you should get some training on the subject if you are to support the solution, we can however provide you with a configuration example which you can work from.

So to tell you what type of VPN you need to implement we would need more information about how the users will be connecting to your network. Is it another office that is connecting to your network, or will it be employees that are connecting from their homes, hotels, etc. (aka remote access VPN)?

Now if you want to implement remote access VPN you need to decide if you want to implement IPsec VPN or AnyConnect. For IPsec you are not required to purchase any licenses, but depending on whether you have the Base license or Security Plus license you are limited to 25 IPsec VPN connections. You are also required to install the Cisco VPN client on the computers of all that require access.

As for AnyConnect you need to purchase a license and download and install the AnyConnect software on the ASA. Also, you will be limited to 25 VPN connections depending on license.  The VPN client can be downloaded to the client machine when initially connecting via a web browser.

The difference between the two, aside from licensing, is the ports being used. IPsec uses ports 500 and 4500 while AnyConnect uses SSL port 443, by default. Also, AnyConnect is the direction Cisco is going with their remote access VPNs, even though IPsec is still supported.

First of all, is this a safe thing to do - can I control what they can access on the server end? i.e. database access only.
Yes, you can specify in an ACL which is specific for the VPN tunnel what the VPN connections can access. It is a very common thing to do; however, depending on the type of access you are granting to the SQL server, the users might be able to gain access to the rest of the network, depending on how IT savvy they are.

I looked at one of the wizards and stopped at the point when it started talking about IP addresses ... what range should I / can I use?
For remote access VPN you can use any IP within the private IP address range, but it is recommended to use a range that is not already in use in your network. For site to site you would only be encrypting your existing networks, so you would only be defining what traffic to encrypt and not what IPs to assign.
0
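Putting MAG03's two points together (an ACL specific to the VPN tunnel, and an address pool from a private range that is not otherwise in use), here is an added configuration example that is not from this thread or from Cisco: an IPsec remote-access profile on the ASA whose vpn-filter ACL lets the clients reach only the two database ports on the server, so the "rest of the network" concern above is closed off by the firewall rather than left to the users. Server address, pool, names and ports are assumptions; the IKEv1 policy, dynamic crypto map and NAT exemption for the pool are not shown.

```cisco
! Added example (not from the thread). Assumed placeholder values:
!   database server 192.168.10.5 on the inside network
!   VPN client pool 192.168.200.0/24 (a private range not used elsewhere)
!   SQL Server on TCP 1433, MySQL on TCP 3306
! Keywords 'ikev1' / 'ikev1 pre-shared-key' are the ASA 8.4+ syntax; older
! releases use 'ipsec' and 'pre-shared-key' instead.

! Addresses handed out to connecting clients.
ip local pool DBCLIENT-POOL 192.168.200.10-192.168.200.50 mask 255.255.255.0

! vpn-filter ACL: written with the VPN client as source and the inside host as
! destination (the ASA applies it to both directions of the tunnel; confirm the
! direction convention against the vpn-filter documentation for your release).
! Anything not listed, such as RDP or file sharing to the server and any other
! host on the LAN, is dropped by the final deny.
access-list DBCLIENT-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.10.5 eq 1433
access-list DBCLIENT-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.10.5 eq 3306
access-list DBCLIENT-FILTER extended deny ip any any

! Only the server's route is pushed to the client, so its other traffic stays local.
access-list DBCLIENT-SPLIT standard permit host 192.168.10.5

! Group policy that ties the filter and split-tunnel list to IKEv1 IPsec (Cisco VPN Client).
group-policy DBCLIENT-GP internal
group-policy DBCLIENT-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value DBCLIENT-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DBCLIENT-SPLIT

! Connection profile the Cisco VPN Client selects by group name.
tunnel-group DBCLIENT type remote-access
tunnel-group DBCLIENT general-attributes
 address-pool DBCLIENT-POOL
 default-group-policy DBCLIENT-GP
tunnel-group DBCLIENT ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-GROUP-KEY>

! One local account per customer; group-lock stops it being used with any other profile.
username customer1 password <PLACEHOLDER-PASSWORD>
username customer1 attributes
 group-lock value DBCLIENT
```

A customer's database client then connects to 192.168.10.5 on its own port through the tunnel, and the ASA's own logs (`show vpn-sessiondb remote` and the ACL deny messages) show both who is connected and any attempt to reach something outside the two permitted ports.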
 

Author Comment

by:ascendinternet
ID: 40019540
We have the Base licence. We would want to use IPsec VPN, not AnyConnect. Does that require Cisco specific software, or will the built-in Windows / Mac software work?

It is for clients (remote users) to gain access to their databases on the server. They must not be able to access the local / network disks, or be able to log onto the server - just connect to their database(s).
0
 

Author Comment

by:ascendinternet
ID: 40019545
Also, on a similar but different subject - we need to enable FTP access in "passive" mode. At the moment, only "active" mode works.
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 40019551
Hi,
The Base license for remote access will be fine as long as you do not want AnyConnect.
The ftp mode in ASA is Passive.

max
0
 

Author Comment

by:ascendinternet
ID: 40019575
No, I do not want to use AnyConnect - or require our clients to use it.

A couple of our clients have had trouble connecting via FTP because the default is passive mode. I don't have the error to hand but it basically fails to connect. I have used CuteFTP and that automatically switches to active (PORT?) mode and then manages to connect.

I did have to add a rule to open port 21.
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 40019605
Port 21 is the default FTP port; you must open it on the ASA if you want to access that port.

Passive mode is the default mode for the ASA, so you probably changed settings on the clients.

max
0
 

Author Comment

by:ascendinternet
ID: 40019651
Port 21 is open ... but passive mode doesn't work. It seems to login OK, says it is entering passive mode, "about to open data connection" ... then I get "connection timed out".
0
 
LVL 16

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 40031828
Hi,
try this:


Issue the policy-map global_policy command.

    ASA(config)#policy-map global_policy

Issue the class inspection_default command.

    ASA(config-pmap)#class inspection_default

Issue the inspect FTP command.

    ASA(config-pmap-c)#inspect FTP


here is the link with full explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113110-asa-enable-ftp-00.html

hope this helps
max
0
 

Author Comment

by:ascendinternet
ID: 40031913
Thanks for the commands - and the link to the page, which was very helpful in explaining it all.
0
