705 Views | 0 Helpful | 3 Replies

HTTPs/SSL session terminations options - license costs - alternative ?

jlaay-diode
Level 1

Hi all,

We are considering connecting our corporate network to the internet.

See attachment for, yes I know, rough design.

We want to admit only HTTPs connections or Citrix receiver/client connections.

One of the feature cost of a firewall is the number of SSL connections.

These SSL connections can terminate at the firewall (1) or at e.g. the Netscaler (2), in my opinion. Am I correct?

1. at the firewall: then I would need those licenses

2. at the netscaler, MS Exchange frontend etc, then I would not need SSL licenses for the firewall.

To have 2 as an option, then:

1. port redirection is not viable. Correct?

2. I need to use Identity NAT (NAT 0). Correct?

     The down side of this is the fact that I will need public addresses for the servers/appliances.

     How then would I deal with the servers in DMZ_1 and DMZ_2 respectively, 'cause they are in two subnets?

Or am I totally off ...

Any help appreciated.

Thanx

Jaap


3 Replies

Jennifer Halim
Cisco Employee

1. at the firewall: then I would need those licenses [YES]

2. at the netscaler, MS Exchange frontend etc, then I would not need SSL licenses for the firewall. [YES]

To have 2 as an option, then:

1. port redirection is not viable. Correct? [NO, you can use port redirection, unless you have used that ASA outside ip address for redirecting HTTPS for something else. Alternatively, you can use a different port to terminate the SSL VPN connections and configure port redirection for that different port]

2. I need to use Identity NAT (NAT 0). Correct? [NO, you don't have to use identity NAT]

Hope that confirms and answers your questions.

Hi Jennifer,

Thanx for your reply, but I don't get it yet.

I thought that when you use port redirection the SSL/VPN session terminates on the outside interface of the firewall, thereby using one of the SSL/VPN licenses of the firewall. That was the reason I was thinking to circumvent this by using Identity NAT.

Could you explain where my mistake lies?

I do understand that you could change the TCP-portnumber for SSH if you want to use SSH to reach a service in another DMZ.

Thanx Jaap

Port redirection essentially means passing traffic through the ASA, and you are just using the ASA outside IP address, since it will be a public IP address, to PAT the traffic to your internal server. The VPN will still be terminated on your internal server, hence not using the ASA SSL VPN license.

If you are going to terminate the SSL VPN on your internal server, then all you need is to configure static PAT (Port Address Translation) for your internal server (since this is normally a private IP) to the ASA outside interface IP (public IP). If you have a larger public IP range assigned to you, then you can also use a spare public IP for NATing your internal server.

You will only use the ASA SSL VPN license if you actually configure the ASA to terminate the SSL VPN.
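The static PAT the accepted answer describes, written out as an added configuration example (this is not the original poster's design nor Cisco's own documentation). It assumes ASA 8.3+ object NAT syntax, interface names DMZ_1, DMZ_2 and outside, the private host addresses 10.1.1.10 (Netscaler in DMZ_1) and 10.2.2.20 (Exchange frontend in DMZ_2), and a spare public address 203.0.113.20 from a TEST-NET documentation range; all of these values are constructed placeholders. It also covers both options Jennifer mentions for the second DMZ: a spare public IP, or a different outside port on the shared interface address. Because no webvpn is enabled on the ASA, TLS is terminated on the DMZ servers and no ASA SSL VPN license is consumed.

```cisco
! --- Server 1: Netscaler in DMZ_1, reachable on the ASA outside interface IP, port 443 ---
object network SRV_NETSCALER
 host 10.1.1.10
 ! static PAT: outside-interface-IP:443 -> 10.1.1.10:443 (real port first, mapped port second)
 nat (DMZ_1,outside) static interface service tcp 443 443

! --- Server 2, option A: Exchange frontend in DMZ_2 on a spare public IP (one-to-one static NAT) ---
object network SRV_EXCHANGE
 host 10.2.2.20
 nat (DMZ_2,outside) static 203.0.113.20

! --- Server 2, option B (instead of A): same outside interface IP, different outside port ---
! Only one server can own outside-IP:443, so the second one is published on 8443.
! object network SRV_EXCHANGE
!  host 10.2.2.20
!  nat (DMZ_2,outside) static interface service tcp 443 8443

! --- Inbound ACL: in 8.3+ the ACL references the REAL (private) address and REAL port ---
access-list OUTSIDE_IN extended permit tcp any object SRV_NETSCALER eq 443
access-list OUTSIDE_IN extended permit tcp any object SRV_EXCHANGE eq 443
! Citrix receiver/client connections would get their own permit line here, on the port
! the Netscaler actually listens on; nothing else is allowed in from the outside.
access-group OUTSIDE_IN in interface outside

! --- No "webvpn" / "enable outside" block exists, so the ASA never terminates TLS itself ---

! Verification after applying:
!   show nat detail          -> the two static translations above, with hit counts
!   show xlate               -> live translations once a client connects
!   show vpn-sessiondb       -> should stay empty: no SSL VPN sessions on the ASA
!   show access-list OUTSIDE_IN -> hit counts on the permit lines, drops land in the implicit deny
```

Identity NAT (NAT 0) is not needed for this: the servers keep their private addresses and the ASA rewrites only the destination IP (and, for interface PAT, the port) on the way in. With option B, clients would connect to https://outside-ip:8443, so the certificate on the Exchange frontend must still match the public name, not the port.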
