cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1003
Views
0
Helpful
5
Replies

Can our ASA 5510 provide VPN to our cloud LAN?

ILoveTurtles
Level 1
Level 1

Hi folks,

We've got a number of servers (7 or so virtual, 1 dedicated) hosted at a well known cloud provider out of the West Coast of USA.

They just put an ASA5510 in front of our server LAN to help protect the servers.

I was wondering if it possible that the ASA5510 can provide VPN Access to our cloud LAN? Right now we have the firewall block -all- ports except 80/443/3389 (RDP for our Windows Servers).

I was hoping to actually block port 3389 so no one can RDP to any servers. BUT .. VPN into our cloud LAN and then we can connect to any of the servers via RDP or any software / port. In effect, the VPN opens all the ports .. provided you've created a VPN tunnel

So can this be done? Does the ASA5510 offer this?

Last question -> and this is a massive one :gulp: ..

We can't install any 3rd party client software .. including any cisco vpn client software. We need to use the built in Windows7 VPN software .. which does PPTP/SSTP/L2TP-IPSEC.

So .. now can the ASA5510 offer this? if so... are there any special scripts or configs I need to give to the Cloud Hosting provider so they can setup the machine to work?

Please help!

-Jussy-

1 Accepted Solution

Accepted Solutions

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Two possibilities come to mind.

- L2tp over Ipsec from built in client.

ASA config guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

- Clientless webvpn (if has RDP and other plugins, but requires java/activeX for some functionalities..

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html

Those options should work unless ASA is in multi-conext mode.

M.

View solution in original post

5 Replies 5

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Two possibilities come to mind.

- L2tp over Ipsec from built in client.

ASA config guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

- Clientless webvpn (if has RDP and other plugins, but requires java/activeX for some functionalities..

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html

Those options should work unless ASA is in multi-conext mode.

M.

Hi Marcin

thanks heaps for the very prompt reply.

The clientless webvpn is not an option either. Can't install java or activex.

But ..

" L2tp over Ipsec from built in client."

So you can confirm that the built in Windows 7 VPN software -can- connect to an ASA5510 that's been setup with L2tp over Ipsec?

Yes, single context ASA can terminate L2TP over IPsec from any device (provided said device adheres to standards!)

There are a few known issues so it's always best to run latest maintenace release (or public interim) to avoid known bugs.

Thanks again Marcin. Much appreciated

The tech engineer said the following :-

Cisco ASA 5510. IOS version 8.3(2)

So i'm guessing that OS version is ok ?

I'm also assuming the windows 7 built in vpn client also adheres to the L2TP/IPSec standards

Cheers

I'll now use this discussion to see if their engineers can maybe get L2TP/IPSec installed

Heh, remember that while standards define the framework the actual implementations might change and/or break.

Very famously from windows XP to Vista/7 windows stopped supporting MD5 as hash algorithm. Which caused quite some problems because almost all previous configuration guides were referring to MD5 only.

Anyways if in trouble - open up a TAC case.

M.