Solved

setup vpn in ASA 5505

Posted on 2014-04-09
Last Modified: 2014-04-30
We have a hosted server with a new provider and we also opted for a firewall which is a Cisco ASA 5505. It turns out that they do not provide assistance with the firewall, so I have come here!

The server hosts multiple customer websites, along with both MySQL and SQL Server databases.

I would like to provide customers with the ability to connect to their databases remotely, for which I assume we need to create a VPN to allow them access through the firewall. Also, I would want them to be able to use the standard Windows connection tool(s).

Unfortunately, I know very little about this so I am looking for idiot-proof help ;-)

First of all, is this a safe thing to do - can I control what they can access on the server end? i.e. database access only.

What type of VPN do I need? I looked at one of the wizards and stopped at the point when it started talking about IP addresses ... what range should I / can I use? How does that relate to our server setup, or doesn't it?

I don't know what else to ask ... hopefully someone can guide me in the right direction!
Question by:ascendinternet
LVL 15

Expert Comment

by:max_the_king
ID: 39988279
Hi,
Assuming you're not an expert in this matter, I believe you can only get general architecture and planning advice here, while you'll need to ask an expert on site to do the implementation.
Well, keeping it simple, I see 3 possible solutions for you:

1) Only one firewall at your head office and VPN client software for your customers:
You will need to implement a remote access VPN on your ASA5505 and yes, surely you can set access-lists to provide access only to the ports of the server they need to work on. You will have to communicate to your customers the right credentials to connect, which you will decide and manage.

2) You can ask your customers where they connect from (their fixed IP address, if they have one) and configure your ASA5505 accordingly by setting access-lists which allow only those IP addresses to connect.

3) Implement a site-to-site VPN with each of your customers, but they need to have a central device to terminate the VPN at each of their sites.

Without knowing any other details of your situation, I'd bet that your optimal solution is the first one I mentioned, which is easily scalable, flexible and secure.
Unless you have specific requirements, that one will be good for you.

hope this helps
max

Author Comment

by:ascendinternet
ID: 39988299
Your first assumption is most definitely correct - I am NOT an expert with firewalls!

Your second assumption is also (pretty much) correct, option 1 sounds like what we need.

The firewall and server behind it are hosted for us somewhere remotely. We have Remote Desktop access but that is not something we can give our customers.

With our previous supplier, they configured a VPN connection that we, and client to whom we gave the connection details, could use to get through the firewall and connect to MySQL and SQL Server databases using client tools on our / their local computers. That is what we need to reproduce.

Is this something beyond the capability of a non-Cisco-trained individual, or is it possible with the right assistance? (I am a software developer)
LVL 15

Expert Comment

by:max_the_king
ID: 39988310
Hi,
I'd suggest asking a Cisco-trained individual. You may do on-the-job training with her so that you can learn how to manage it after the implementation.
This way you'll be sure to have a correct implementation (which may take half a day or a full day of work), and then you can manage this stuff afterwards on your own, provided you're willing to learn that technology.

max
LVL 17

Expert Comment

by:MAG03
ID: 39990939
Although I agree with Max that you should get some training on the subject if you are to support the solution, we can however provide you with a configuration example which you can work from.

So to tell you what type of VPN you need to implement, we would need more information about how the users will be connecting to your network. Is it another office that is connecting to your network, or will it be employees connecting from their homes, hotels, etc. (aka remote access VPN)?

Now if you want to implement remote access VPN you need to decide if you want to implement IPsec VPN or AnyConnect. For IPsec you are not required to purchase any licenses, but depending on whether you have the Base license or Security Plus license you are limited to 25 IPsec VPN connections. You are also required to install the Cisco VPN client on the computers of all that require access.

As for AnyConnect, you need to purchase a license and download and install the AnyConnect software on the ASA. Also, you will be limited to 25 VPN connections depending on license. The VPN client can be downloaded to the client machine when initially connecting via a web browser.

The difference between the two, aside from licensing, is the ports being used. IPsec uses ports 500 and 4500 while AnyConnect uses SSL port 443 by default. Also, AnyConnect is the direction Cisco is going with their remote access VPNs, even though IPsec is still supported.

First of all, is this a safe thing to do - can I control what they can access on the server end? i.e. database access only.
Yes, you can specify in an ACL which is specific to the VPN tunnel what the VPN connections can access. It is a very common thing to do; however, depending on the type of access you are granting to the SQL server, the users might be able to gain access to the rest of the network, depending on how IT savvy they are.

I looked at one of the wizards and stopped at the point when it started talking about IP addresses ... what range should I / can I use?
For remote access VPN you can use any IP within the private IP address range, but it is recommended to use a range that is not already in use in your network. For site to site you would only be encrypting your existing networks, so you would only be defining what traffic to encrypt and not what IPs to assign.

Author Comment

by:ascendinternet
ID: 40019540
We have the Base licence. We would want to use IPsec VPN, not AnyConnect. Does that require Cisco specific software, or will the built-in Windows / Mac software work?

It is for clients (remote users) to gain access to their databases on the server. They must not be able to access the local / network disks, or be able to log onto the server - just connect to their database(s).
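A worked configuration for option 1 in max_the_king's first reply (remote-access VPN plus access-lists) and for the IPsec remote-access setup MAG03 describes, added here as an example; it was not posted by anyone in the thread. It uses L2TP over IPsec, which the built-in Windows and macOS VPN clients speak and which the ASA supports without an AnyConnect license, so no Cisco client software is needed; the Cisco VPN Client path MAG03 mentions would use a named IKEv1 tunnel-group instead, but the pool, group-policy and vpn-filter parts are identical. ASA 8.4+ syntax is assumed, and the addresses (database server 10.10.10.5 on the inside LAN 10.10.10.0/24, VPN pool 192.168.100.0/24), object names, account names and secrets are all made up for the example. The security-relevant piece is the vpn-filter: by default the ASA lets decrypted VPN traffic bypass the interface ACLs (sysopt connection permit-vpn), so without a filter a customer on the VPN can reach RDP, SMB and everything else on the inside network. The filter below limits each client to TCP 1433 (SQL Server) and 3306 (MySQL) on the one database host.

```cisco
! Added example, not from the thread. ASA 8.4+ syntax assumed.
! All addresses, names and secrets below are hypothetical.

! 1. Address pool handed to VPN clients. Use a private range that is NOT in
!    use on the hosted LAN, so return routing to clients is unambiguous.
ip local pool CUST-VPN-POOL 192.168.100.10-192.168.100.49 mask 255.255.255.0

! 2. What a connected client may reach. vpn-filter ACLs are written with the
!    remote client as source and the inside host as destination; anything not
!    listed (RDP 3389, SMB 445, the management interface ...) hits the
!    implicit deny. Return traffic from the server is allowed statefully.
object network DB-SERVER
 host 10.10.10.5
access-list CUST-DB-ONLY extended permit tcp 192.168.100.0 255.255.255.0 object DB-SERVER eq 1433
access-list CUST-DB-ONLY extended permit tcp 192.168.100.0 255.255.255.0 object DB-SERVER eq 3306

! 3. Group policy: L2TP over IPsec so the native Windows/macOS clients work,
!    filtered to the two database ports, one session per account.
group-policy CUST-DB-POLICY internal
group-policy CUST-DB-POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-filter value CUST-DB-ONLY
 vpn-simultaneous-logins 1

! 4. One local account per customer. The mschap keyword is required so the
!    password can be used for MS-CHAPv2 inside the L2TP session.
username customer1 password S0meStr0ngPassphrase mschap
username customer1 attributes
 vpn-group-policy CUST-DB-POLICY

! 5. Native L2TP/IPsec clients cannot name a group, so they land in
!    DefaultRAGroup: IKE with a pre-shared key, then MS-CHAPv2 per user.
tunnel-group DefaultRAGroup general-attributes
 address-pool CUST-VPN-POOL
 default-group-policy CUST-DB-POLICY
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key Ch4ngeTh1sPSK
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

! 6. IKEv1 / IPsec parameters. L2TP requires IPsec transport mode; the
!    native clients typically propose DH group 2 with a pre-shared key.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set L2TP-TS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-TS mode transport
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set L2TP-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! 7. Exempt LAN <-> VPN pool traffic from NAT (8.3+ "twice NAT" form).
object network INSIDE-LAN
 subnet 10.10.10.0 255.255.255.0
object network CUST-VPN-NET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static CUST-VPN-NET CUST-VPN-NET no-proxy-arp route-lookup
```

Verify a session with show vpn-sessiondb ra-ikev1-ipsec and watch the hit counts in show access-list CUST-DB-ONLY while a client connects; a test connection to TCP 3389 on the server from the VPN client should fail. Three caveats a practitioner would want: a named SQL Server instance listens on a dynamic port unless it is pinned to a fixed one, so pin it or the filter will block it; the filter limits what the client can reach on the network, not what the database login can do once connected (a sysadmin-level SQL Server login can still run xp_cmdshell on the host), so each customer still needs a least-privilege database account scoped to their own database, and the server's own firewall should allow 1433/3306 only from the pool; and Windows clients behind NAT rely on NAT-T, which the ASA enables by default, but if the ASA itself sits behind NAT, Windows Vista and later additionally need the AssumeUDPEncapsulationContextOnSendRule registry value set.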

Author Comment

by:ascendinternet
ID: 40019545
Also, on a similar but different subject - we need to enable FTP access in "passive" mode. At the moment, only "active" mode works.
LVL 15

Expert Comment

by:max_the_king
ID: 40019551
Hi,
Base license for remote access will be fine as long as you do not want AnyConnect.
The ftp mode in ASA is Passive.

max

Author Comment

by:ascendinternet
ID: 40019575
No, I do not want to use AnyConnect - or require our clients to use it.

A couple of our clients have had trouble connecting via FTP because the default is passive mode. I don't have the error to hand but it basically fails to connect. I have used CuteFTP and that automatically switches to active (PORT?) mode and then manages to connect.

I did have to add a rule to open port 21.
LVL 15

Expert Comment

by:max_the_king
ID: 40019605
Port 21 is the default FTP port; you must open it on the ASA if you want to access that port.

Passive mode is the default mode for the ASA, so you probably changed the settings on the clients.

max

Author Comment

by:ascendinternet
ID: 40019651
Port 21 is open ... but passive mode doesn't work. It seems to login OK, says it is entering passive mode, "about to open data connection" ... then I get "connection timed out".
LVL 15

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 40031828
Hi,
try this:


Issue the policy-map global_policy command.

    ASA(config)#policy-map global_policy

Issue the class inspection_default command.

    ASA(config-pmap)#class inspection_default

Issue the inspect FTP command.

    ASA(config-pmap-c)#inspect FTP


here is the link with full explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113110-asa-enable-ftp-00.html

hope this helps
max
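The accepted solution above, expanded into a complete fragment as an added example; it is not from the thread or from the linked Cisco page. It assumes ASA 8.3+ NAT syntax and made-up addresses (FTP server 10.10.10.5 on the inside, published on the public address 203.0.113.10), and it includes the interface ACL that opens port 21, which the author said was already in place, so the whole path is visible in one place. The point of the inspection is that passive FTP puts the data-channel address and port inside the 227 reply; a firewall that does not parse that reply has no way to know which high port to permit, which is exactly the "entering passive mode ... connection timed out" symptom in the thread.

```cisco
! Added example, not from the thread. ASA 8.3+ NAT syntax assumed.
! Addresses are hypothetical.

! 1. Publish the FTP server: static NAT plus an interface ACL that opens
!    only TCP/21 (the control channel) from the outside.
object network FTP-SERVER
 host 10.10.10.5
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any object FTP-SERVER eq ftp
access-group OUTSIDE-IN in interface outside

! 2. FTP inspection. On a PASV request the ASA reads the server's
!    "227 Entering Passive Mode (a,b,c,d,p1,p2)" reply on the control channel,
!    rewrites the embedded private address to the NATed one, and opens a
!    pinhole for that single data port for that single client. No passive
!    port range needs to be opened in OUTSIDE-IN. "strict" adds RFC
!    conformance checks (the PASV address must match the server, commands
!    and replies must alternate) and blocks browser-embedded FTP commands.
policy-map global_policy
 class inspection_default
  inspect ftp strict

! The default policy is already applied globally on a factory ASA; this
! line is harmless if it is already there.
service-policy global_policy global

! 3. Verify while a client transfers a file:
!    show service-policy inspect ftp
!    show conn port 21
```

inspect ftp is part of the default global_policy on a factory ASA, so if it is missing the policy was edited or replaced; check show running-config policy-map before adding it. Drop the strict keyword only if a legacy client or server that violates the RFC stops working. Two caveats: FTP inspection needs a cleartext control channel, so if the server is later switched to explicit FTPS (AUTH TLS) the ASA can no longer read the 227 reply, and you must instead configure a fixed passive port range on the server, advertise the public address in its PASV replies, and permit that range in OUTSIDE-IN; and plain FTP sends the customers' credentials in the clear, so FTPS or SFTP is the route to plan for once the immediate problem is fixed.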

Author Comment

by:ascendinternet
ID: 40031913
Thanks for the commands - and the link to the page, which was very helpful in explaining it all.