5505 ASA for remote worker

WStoffel1
Level 1

I have a few questions regarding an ASA I have set up for a remote worker with a VPN tunnel to my office. The user has a home Time Warner connection to the Internet, which means she's given a DHCP address. So the Time Warner modem connects to the ASA on eth0 and the work laptop sits on eth1. I have access to the Internet and the tunnel comes up with access to the corp network.

Problem one: right now, if I need to access the ASA, I can SSH to it from that user's laptop (by remoting into the machine over the Internet (I know, I know) using Bomgar, my company's approved remote app). What's a better method?

Number two: this is a home Internet connection, so their personal wireless router is hanging off the ASA as well. It's a device just like the work laptop and is picking up DHCP from the ASA. Is there a way on a 5505 to have either a second DHCP scope or a way around the configuration for one of the Ethernet ports on the ASA?

Thanks!

5 Replies

andrew.prince
Level 10

Issue 1 - You can connect to the ASA directly on the outside interface via SSH. You should be able to get the IP address from the device the VPN terminates on in your head office. Other option: have the user get a free dynamic DNS name.

Issue 2 - You have a bigger issue than that: ANY device on the user's LAN will be able to access your internal network. I would configure a DHCP pool on the ASA for the user's specific work machine, to give it a specific IP. Then ONLY allow that IP to be encrypted into the VPN. All other traffic will not be encrypted. The 5505 can have 3 VLANs: put a specific port in that VLAN only, and assign the DHCP to that VLAN... in theory.

HTH
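As an added example (not from the original post or from any of the repliers), here is what the two suggestions above look like in ASA 8.2-style configuration: SSH on the outside interface restricted to the office's public address, and a crypto ACL that only lets the laptop and IP phone into the site-to-site tunnel. All addresses are placeholders: 203.0.113.10 stands in for the office VPN endpoint, 10.0.0.0/8 for the corporate network, 192.168.10.0/24 for the ASA's inside LAN, and 192.168.10.10/.11 for the statically addressed laptop and phone.

```cisco
! --- Management: SSH on the outside interface, but only from the office ---
! Never "ssh 0.0.0.0 0.0.0.0 outside": that exposes the management plane
! to the whole Internet. Scope it to the office's public address (placeholder).
ssh 203.0.113.10 255.255.255.255 outside
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
username admin password <set-a-strong-secret> privilege 15
! Alternative: manage it over the tunnel via the inside address instead,
! so nothing at all needs to listen on the outside interface.
management-access inside

! --- Interesting traffic: only the two work devices may be encrypted ---
! These two hosts are assigned statically on the devices; keep the DHCP pool
! clear of them. (The ASA DHCP server cannot reserve addresses by MAC.)
access-list VPN_TRAFFIC extended permit ip host 192.168.10.10 10.0.0.0 255.0.0.0
access-list VPN_TRAFFIC extended permit ip host 192.168.10.11 10.0.0.0 255.0.0.0

! NAT exemption for tunnel traffic (8.2 syntax); everything else on the
! inside LAN is PATed to the outside address and goes to the Internet in the clear.
nat (inside) 0 access-list VPN_TRAFFIC
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 192.0.2.53
dhcpd enable inside

! --- Site-to-site IPsec to the office ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <long-random-secret>
```

Only packets whose source matches VPN_TRAFFIC are encrypted, so a personal laptop hanging off the same LAN gets plain Internet and nothing else. Because the home side gets a dynamic address from the cable modem, the office end has to accept a dynamic peer (a dynamic crypto map), which is also why a dynamic DNS name helps when you need to find the box. Check with `show crypto ipsec sa` (the local identity should list only the two hosts) and `show ssh sessions` after connecting.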

Thank you.  Issue one resolved, just didn't know how to get that assigned outside address, kinda silly in retrospect it was so easy.

Issue 2, yes it is a big issue.  Right now the IP phone and the work laptop grab DHCP from the scope on the ASA.  But the personal wifi router that's plugged into the ASA also grabs an address, so their home laptops that are on wireless appear to be connected to the corp network (they're pulling the dhcpd domain name that is assigned to the scope). 

I may take your advice one step further for the work devices (IP phone and laptop) and just make them static. Then allow just those two IPs to be encrypted over the tunnel...? My next question would be: how do I ensure specific IPs only go over the tunnel?

Thanks again!

Hi

This is just my 2 cents on the issue.

You never, ever want the user to have their personal equipment on the same network as their computer when they work from home, if you can avoid it. Using an ASA is a good way to avoid just that.

Here is one thing you can do.

The ASA in its smallest version can use 3 different interfaces. However, two of them cannot speak to each other. That's OK with us in this case.

You make the outside and inside interfaces able to speak to each other. You then make a DMZ and make the DMZ able to speak to the outside interface.

Now you have the ability to make one net on the inside for only the computer to be used over a VPN tunnel, and one net for the rest of the family.

If I were you, I would now set up the computer to be the endpoint of the VPN via a VPN client, instead of making the firewall the endpoint.

Why? Well, if anyone connects a computer to the firewall in the wrong port (inside), that would make the computer part of your work network directly, since it is connected on a work network. Not good from a security standpoint.

That will give you a more secure situation.

Good luck

HTH
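The three-interface layout described above, written out as an added example (not the poster's own configuration) for a 5505 with the Base license, ASA 8.2 syntax: VLAN 1 for the two work devices, VLAN 2 for the cable modem, and a third VLAN for the personal wireless router and anything else that gets plugged in. The Base license allows the third VLAN only if it is forbidden from initiating traffic to one of the other two, which is exactly the restriction wanted here. Address ranges and the domain name are placeholders.

```cisco
! --- Logical interfaces ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Base-license third VLAN: "no forward interface" must come before nameif.
! The home segment can reach the Internet but can never open a connection
! to the inside (work) segment.
interface Vlan3
 no forward interface Vlan1
 nameif home
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! --- Physical switch ports ---
! Ethernet0/0 -> cable modem; 0/1 and 0/2 -> work laptop and IP phone;
! 0/3 through 0/7 -> home gear. Anything plugged into 0/3-0/7 lands in "home".
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport access vlan 1
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
! --- One DHCP scope per segment ---
! Only the work scope hands out the corporate domain name, so home laptops
! no longer look like corporate clients.
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd domain corp.example.com interface inside
dhcpd enable inside
dhcpd address 192.168.20.50-192.168.20.150 home
dhcpd enable home
!
! --- Internet access for both segments (8.2 PAT syntax) ---
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (home) 1 192.168.20.0 255.255.255.0
!
! Belt and braces: deny home -> inside explicitly as well, so the policy
! survives a later license upgrade that removes the forward restriction.
access-list HOME_IN extended deny ip any 192.168.10.0 255.255.255.0
access-list HOME_IN extended permit ip any any
access-group HOME_IN in interface home
```

The remaining exposure is the one the reply points out: a device cabled into E0/1 or E0/2 is on the work segment. If the tunnel's crypto ACL is limited to the laptop's and phone's static addresses, a stray device there still gets no tunnel access, but it does share a segment with the work devices, which is the argument for terminating the VPN on the laptop itself. Verify the split with `show switch vlan` and `show dhcpd binding`.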

The idea of the vpn client on her laptop is great and was one of my first questions, problem is how do I terminate an IP phone on the tunnel as well?

I do like the idea of the DMZ for the personal equipment.  My thought would be Outside interface is E0, E1 and E2 are the phone and laptop for work, and I'm just going to have to trust it will always remain that way.  Then I could put E3-7 in the DMZ then no matter what else got plugged in, it would be in the DMZ.  Does that sound acceptable?

Thanks by the way!

vabruno
Level 1

OK, here is another idea for issue number 2... All you have to do is plug the wireless router into the cable modem, then plug the outside interface of the ASA into the inside interface of the wireless router. This way the ASA will still get a private IP from the wireless router and get NATed to the public IP, and the tunnel should come up fine.

This way you will separate all home-related traffic from corporate traffic. When you want to access the corporate network, just plug your PC into the inside interface of the ASA.

Please mark resolved if my solution works for you

Sent from Cisco Technical Support iPhone App