Webserver / VPN - two external IP but same subnet, opinion needed

steven.schmitt · ‎01-13-2013

Hi,

I am a relatively new Cisco user and currently using a Cisco ASA5505 (Security Plus License) at Home.

The ASA acts as Router/Firewall for my home network and internet access.

I use the following configuration:

ISP ---- Modem ---- ASA5505 ---- Switch ==== Server/Clients

I bought the ASA mainly because I wanted to use VPN over SSL (AnyConnect) to access to my server from the outside. This works very nice.

Now I wanted to set up an additional webserver in my network. The idea was to place this webserver in the DMZ and enable access from the outside world via ASA.

My idea was to reserve one external IP-address for VPN and have an additional one for the Webserver. Both services run on port 443, and I don’t want to change the port (e.g. for VPN) as I want to use the service from locations where access to ports other than 443 or 80 might be restricted.

My ISP provides me with two IP, however, they are assigned via DHCP (but then the same address is fixed to a certain MAC address, so ‘semi-static’), however both addresses are in the SAME SUBNET.

When setting up, I added an additional switch at the modem (I realized that the ASA5505 cannot do sub-interfaces). From the switch I then connected two ports of the ASA (assigned to two different interfaces, outside1 and outside2) and set them to ‘address via DHCP’.

However, then I realized that this set-up is not possible, as it is not allowed to have two IPs bound to two different interfaces but within the same subnet (sorry, beginner).

So, my question now: What would you recommend to solve this problem (two services at port 443, two IP but same subnet)? Is there any solution to that?

My idea was now to connect the webserver directly to the switch behind the modem and get the external IP directly to the webserver (without ASA). However, then I need an additional firewall here (e.g. MS TMG or UAG installation on the server).

Are there any other possibilities (second ASA, different router….) that could help me implementing this?

Many thanks in advance for input!

Cheers

Jouni Forss · ‎01-13-2013

Hi,

I can't personally think of any solution with the current setup that would let the ASA use both of the public IP addresses. Especially when we are talking about 2 DHCP IP addresses.

I would (if you havent already) ask the ISP for the possibility of Static IP address from them as it would make this setup so much easier.

If you dont want to do that (perhaps for cost reasons) I would consider implementin the setup in this way

Change the AnyConnect port from TCP/443 to TCP/444 for example
- As you probably are the only person to use this VPN Connection (?) it wouldnt be a big problem to use another TCP port for AnyConnect use.
- But as you said, you might run into problems in an enviroment where the connections are controlled by a very strict policy/ACL
Use only the ASA interface public IP address to public the DMZ server by forwarding the port TCP/443 to the server (since AnyConnect now uses another port)
- I would imagine using a different port for a Web service would present a lot bigger problem for users compared to changing the AnyConnect VPN port.

So as I said I would start by checking out could you get Static Public IP addresses for this use from the ISP and if you can would the cost be something you could "stomach". A setup with Static Public IP addresses would certainly make your firewall setup very simple and you would avoid all these problems.

- Jouni

steven.schmitt · ‎01-14-2013

Hi,

many thanks for the reply.

I asked my ISP for fixed IPs - no chance! I would have to update the whole package, meaning an increase in costs by a factor 2 at least.

1) Changing the port for VPN: I might need to consider that. I am a bit unsure how normal 'hotspots' e.g. in hotels or at the airport handle such ports but I think the only way to find that out is with extensive testing...

If I do that, the way you described above sounds very good.

2) As an alternative (as I already mentioned in the first post): I was anyway thinking of implementing and TMG / UAG at the 'webserver' as I would like to publish my Exchange OWA via that (if I do not find an alternative for that). In that case I could establish a connection of the TMG 'outside' NIC to the modem (w/o ASA) and then 'inside' NIC with the ASA (in DMZ). Then I could use the TMG as firewall before the webserver and the ASA to control the connection to the inside network.

However, I am not an expert there - from a security / network setup point of view: Does this make sense or did I miss something?

Many thanks again in advance!

Steven

Jouni Forss · ‎01-14-2013

Hi,

Ah, I was kind of expecting something like this. I don't know what kind of pricess we are talking about (before/after) but personally I feel that for example in our ISP case (where I work) the cost isnt massive (and I think its pretty same for consumer also) Though I dont have any idea what ISPs are asking for Static Public IP addresses around the world. I'd imagine it will get more expensive all the time considering the situation with ipv4.

Kind of feels at this point that you are bound to do some kind of setup that is not the typical one. I'm personally not familiar with TMG / UAG so I cant comment on that but what you say does seem like one option to go if you cant get static Public IP address for your ASA and server.

I guess you will be going for DDNS type of setup with the DHCP aquired IPs.

- Jouni

steven.schmitt · ‎01-14-2013

Hi,

I just calculated. It would be an extra of approx 900 USD per year (currently I pay approx 600 USD) The problem is that this is an upgrade from an end-customer to a business plan (fixed IP and reduced response time). So - I have to think about this when all other solutions fail...

It is only a small, private setup so I did not want to increase the cost into an unlimited range.

I keep an eye on the TMG (via MSDNAA) stuff, and try the port-changing first.

Many thanks!