cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
375
Views
0
Helpful
6
Replies

NAT multiple SSL based applications through one network

Justin Clark
Level 1
Level 1

Hi folks.  I have a business network of 40 users and about 100 hosts (we have lots of PCs).  I'm the full-time admin.  Currently we have at least two competing applications requiring NAT of incoming SSL traffic through the firewall.  One is the typical Microsoft SBS server traffic for remote web workplace, etc.  The second is my forthcoming implementation of Cisco SSL VPN.  For fairly obvious reasons I cannot utilize an alternate port for either of these applications as it would interfere with all the things that make SSL great when a traveling user is located on a non-friendly remote network, halfway around the world, in another timezone.  In these scenarios when the Microsoft VPN typically falls down flat, I can't do much to help.  This is driving my desire to implement Cisco SSL VPN as a backup.

 

My ISP provides 5 static IP addresses, of which we currently use only one.

 

The current edge router is a Cisco 1921 with valid and current support contract.  I plan to leave this unit in place as the primary edge router.

 

I have a small pile of hardware at my disposal.  When I've seen good deals I've picked up a few additional units.  On hand I have the following:

 

Cisco PIX 501

Cisco ASA5505

Cisco 2691 with IOS 12.x and a working 2FE2W card (so four 10/100 interfaces)

two Cisco 2821 units with IOS 15.1 (dual gig interfaces on-board)

 

I'm looking for the best approach to solve this issue, with an eye toward adding enablement for future expansion.  I'm willing to add a WAN interface to the existing 1921 if that's the cleanest option, also willing to implement a second gateway device with one of the above units if that's preferred.  Mostly trying to figure out how others typically solve this problem.  What is the "textbook solution"?

 

Thanks in advance for any information.  I've googled this to death and haven't nailed down the solution yet.

-Justin

6 Replies 6

Reza Sharifi
Hall of Fame
Hall of Fame

Just so I understand the question

Are your planning to deploy a SSL-VPN solution using a Cisco firewall?

 

Yes, sorry if that was unclear.  I plan to deploy Cisco AnyConnect SSL VPN, terminating on one of the edge devices.  Please correct me if I'm wrong, but I believe in the past we would have used a device known as a VPN concentrator, but those products are no longer available.  Presumably any IOS based device with adequate resources can perform this duty?  Again, I'm not quite certain how to approach this problem.  I can provide a simple Visio diagram if that would be helpful.

Thanks,

-Justin

Do you have the proper license and software installed on the ASA-5505?

See-table-1 in this link:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/overview_c78-527488.html

HTH

 

The ASA has the sku:  asa5505-bun-k9  which looks like the base 10-user license, not sure if that includes the SSL VPN option.  I don't think it does.

In any case, if I have to buy licensing I'd prefer to do it on the 2800 where I have hardware encryption capability.

My 1921 has SSL licensing, for 10 users.  I could potentially move the SBS server port forwards to the 2800, leaving the SSL ports free on the 1921 for VPN use.  That might be more complicated, as the whole network uses the 1921 as the default gateway.

If possible, I would use the firewall for VPN and not the router, as you may run to limitations.  Also, for the 2800 series to run VPN, you need a new IOS installed.

Q. How does the licensing work for Cisco IOS SSL VPN?

A. There are two types of licencing schemes for Cisco IOS SSL VPN.

For the Cisco 870, 1800, 2800, 3800, and 7200 series routers, licenses are cost-effective paper licenses just like CCME or SRST licenses. There's no software key to enable the feature hence there is no support issue with using Cisco IOS SSL VPN once you have the Advanced Security or higher Cisco IOS image loaded on the Router. You can purchase the Feature license as a spare in packs of 10, 25 and 100 simultaneous users directly from Cisco.com configuration tool. If you already have a router, use the spare SKUs as follows: FL-WEBVPN-10-K9= FL-WEBVPN-25-K9= FL-WEBVPN-100-K9= depending upon the number of supported users for your platform.

For the Cisco 890, 1900, 2900, and 3900 NGX series ISRs, licensing will be enforced through the Cisco Product Licensing Registration Portal. The next generation of ISRs will also use a new set of SKUs as follows: FL-SSLVPN10-K9(=), FL-SSLVPN25-K9(=), and FL-SSLVPN100-K9(=). For more details on licensing, please visit http://www.cisco.com/en/US/products/ps9677/products_ios_technology_home.html.

Licenses are not interchangeable between the ISRs and NGX Series ISRs.
 
http://www.cisco.com/c/en/us/products/collateral/security/ios-sslvpn/prod_qas0900aecd80323cba.html
HTH

First, thanks for your help so far.

The 2800 has the image c2800nm-advipservicesk9-mz.151-4.M4, which as I now understand does not include the SSL VPN features.

I could certainly use the existing 1900 firewall as the VPN endpoint, however as I explained earlier the SSL-enabled web services are alreaded NAT-ed through that device.  The web services provided by Windows SBS server seem fairly dependent on a typical network layout with a single gateway, and require SSL to be forwarded directly to the server.  Reworking these services to run through a secondary gateway seems nearly impossible, but I may be mistaken.  Let's assume for now that moving those services is not an option.

To clarify, I think what I need to do is establish one of the five WAN IP addesses for VPN services, and another for web services.  How to configure this seems to be my question.  I have various devices at my disposal, or I can add additional interfaces to the existing 1921 edge device.

So far I have been unable to configure the 1921 for both these roles to coexist on one WAN interface (SSL NAT and SSL endpoint), leading me to believe I need an additional WAN interface dedicated for VPN traffic.  This would allow for separation of the competing services on two different WAN interfaces with unique IP addresses.  The remaining questions would be based around routing and NAT with this configuration.  Please confirm, or correct me if I'm wrong.

Would adding a WAN interface to the 1921, therefore creating a dual-wan configuration, help me to solve this problem?

Thanks again.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: