06-25-2014 01:27 PM - edited 03-07-2019 07:50 PM
Hi folks. I have a business network of 40 users and about 100 hosts (we have lots of PCs). I'm the full-time admin. Currently we have at least two competing applications requiring NAT of incoming SSL traffic through the firewall. One is the typical Microsoft SBS server traffic for remote web workplace, etc. The second is my forthcoming implementation of Cisco SSL VPN. For fairly obvious reasons I cannot utilize an alternate port for either of these applications as it would interfere with all the things that make SSL great when a traveling user is located on a non-friendly remote network, halfway around the world, in another timezone. In these scenarios when the Microsoft VPN typically falls down flat, I can't do much to help. This is driving my desire to implement Cisco SSL VPN as a backup.
My ISP provides 5 static IP addresses, of which we currently use only one.
The current edge router is a Cisco 1921 with valid and current support contract. I plan to leave this unit in place as the primary edge router.
I have a small pile of hardware at my disposal. When I've seen good deals I've picked up a few additional units. On hand I have the following:
Cisco PIX 501
Cisco ASA5505
Cisco 2691 with IOS 12.x and a working 2FE2W card (so four 10/100 interfaces)
two Cisco 2821 units with IOS 15.1 (dual gig interfaces on-board)
I'm looking for the best approach to solve this issue, with an eye toward adding enablement for future expansion. I'm willing to add a WAN interface to the existing 1921 if that's the cleanest option, also willing to implement a second gateway device with one of the above units if that's preferred. Mostly trying to figure out how others typically solve this problem. What is the "textbook solution"?
Thanks in advance for any information. I've googled this to death and haven't nailed down the solution yet.
-Justin
06-25-2014 03:09 PM
Just so I understand the question
Are you planning to deploy a SSL-VPN solution using a Cisco firewall?
06-26-2014 05:58 AM
Yes, sorry if that was unclear. I plan to deploy Cisco AnyConnect SSL VPN, terminating on one of the edge devices. Please correct me if I'm wrong, but I believe in the past we would have used a device known as a VPN concentrator, but those products are no longer available. Presumably any IOS based device with adequate resources can perform this duty? Again, I'm not quite certain how to approach this problem. I can provide a simple Visio diagram if that would be helpful.
Thanks,
-Justin
06-26-2014 07:11 AM
Do you have the proper license and software installed on the ASA-5505?
See table 1 in this link:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/overview_c78-527488.html
HTH
06-26-2014 07:36 AM
The ASA has the SKU asa5505-bun-k9, which looks like the base 10-user license; not sure if that includes the SSL VPN option. I don't think it does.
In any case, if I have to buy licensing I'd prefer to do it on the 2800 where I have hardware encryption capability.
My 1921 has SSL licensing, for 10 users. I could potentially move the SBS server port forwards to the 2800, leaving the SSL ports free on the 1921 for VPN use. That might be more complicated, as the whole network uses the 1921 as the default gateway.
06-26-2014 08:29 AM
If possible, I would use the firewall for VPN and not the router, as you may run into limitations. Also, for the 2800 series to run VPN, you need a new IOS installed.
06-26-2014 09:31 AM
First, thanks for your help so far.
The 2800 has the image c2800nm-advipservicesk9-mz.151-4.M4, which as I now understand does not include the SSL VPN features.
I could certainly use the existing 1900 firewall as the VPN endpoint, however as I explained earlier the SSL-enabled web services are already NAT-ed through that device. The web services provided by Windows SBS server seem fairly dependent on a typical network layout with a single gateway, and require SSL to be forwarded directly to the server. Reworking these services to run through a secondary gateway seems nearly impossible, but I may be mistaken. Let's assume for now that moving those services is not an option.
To clarify, I think what I need to do is establish one of the five WAN IP addresses for VPN services, and another for web services. How to configure this seems to be my question. I have various devices at my disposal, or I can add additional interfaces to the existing 1921 edge device.
So far I have been unable to configure the 1921 for both these roles to coexist on one WAN interface (SSL NAT and SSL endpoint), leading me to believe I need an additional WAN interface dedicated for VPN traffic. This would allow for separation of the competing services on two different WAN interfaces with unique IP addresses. The remaining questions would be based around routing and NAT with this configuration. Please confirm, or correct me if I'm wrong.
Would adding a WAN interface to the 1921, therefore creating a dual-wan configuration, help me to solve this problem?
Thanks again.
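The usual way to run both services on one WAN interface is to give each its own public address rather than a second interface: the router's own SSL VPN gateway listens on the interface address, and the SBS web services are statically NATed to a second address from the /29 (IOS answers ARP for a static NAT global address that falls inside the connected subnet, so no secondary interface address is needed). The IOS configuration below is an added example for this thread, not a poster's configuration or Cisco documentation text; the addresses (RFC 5737 block 203.0.113.0/29, LAN 10.0.0.0/24, pool 10.0.1.0/24), the interface names, the trustpoint, user, pool and policy names, and the AnyConnect package path are all constructed placeholders, and it assumes the /29 sits on the WAN link with the ISP gateway inside it.

```cisco
! Constructed addressing: ISP gateway 203.0.113.1, router WAN 203.0.113.2
! (SSL VPN endpoint), 203.0.113.3 reserved for the SBS web services.
! Inside LAN 10.0.0.0/24, SBS server 10.0.0.10, VPN client pool 10.0.1.0/24.
!
interface GigabitEthernet0/0
 description WAN to ISP
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! SBS remote web workplace: static NAT on the SECOND public IP, so TCP/443
! on the interface address stays free for the router's own SSL VPN gateway.
! IOS creates an ARP alias for 203.0.113.3 on behalf of these mappings.
ip nat inside source static tcp 10.0.0.10 443 203.0.113.3 443 extendable
ip nat inside source static tcp 10.0.0.10 80 203.0.113.3 80 extendable
!
! Everything else: PAT behind the interface address. Traffic from the LAN
! to the VPN pool must NOT be translated, or inside hosts cannot reach
! connected AnyConnect clients.
ip access-list extended NAT-INSIDE
 deny   ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! AnyConnect SSL VPN terminating on the interface address (203.0.113.2).
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret REPLACE-WITH-A-REAL-PASSWORD
! Ten addresses to match the 10-user SSL license on the 1921.
ip local pool SSLVPN-POOL 10.0.1.10 10.0.1.19
!
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name CN=vpn.example.com
 revocation-check none
 rsakeypair SSLVPN-KEY 2048
crypto pki enroll SSLVPN-TP
!
! Placeholder package name; use the AnyConnect image copied to flash.
webvpn install svc flash:/webvpn/anyconnect-win-VERSION-k9.pkg sequence 1
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.2 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 policy group SSLVPN-POLICY
   functions svc-enabled
   svc address-pool "SSLVPN-POOL" netmask 255.255.255.0
   svc split include 10.0.0.0 255.255.255.0
   svc keep-client-installed
 default-group-policy SSLVPN-POLICY
 inservice
```

After applying it, `show webvpn gateway SSLVPN-GW` should report the gateway up on 203.0.113.2:443, `show ip nat translations` should list the two static entries for 203.0.113.3, and an AnyConnect client connecting to 203.0.113.2 should receive an address from the pool. If the ISP instead routes the /29 to the router over a separate point-to-point address, the static NAT entries still work (packets are routed, not ARPed for), but the gateway address must then be one the router owns, for example on a loopback interface.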