06-06-2012 05:54 AM
Hi folks,
We've got a number of servers (7 or so virtual, 1 dedicated) hosted at a well known cloud provider out of the West Coast of USA.
They just put an ASA5510 in front of our server LAN to help protect the servers.
I was wondering if it possible that the ASA5510 can provide VPN Access to our cloud LAN? Right now we have the firewall block -all- ports except 80/443/3389 (RDP for our Windows Servers).
I was hoping to actually block port 3389 so no one can RDP to any servers. BUT .. VPN into our cloud LAN and then we can connect to any of the servers via RDP or any software / port. In effect, the VPN opens all the ports .. provided you've created a VPN tunnel
So can this be done? Does the ASA5510 offer this?
Last question -> and this is a massive one :gulp: ..
We can't install any 3rd party client software .. including any cisco vpn client software. We need to use the built in Windows7 VPN software .. which does PPTP/SSTP/L2TP-IPSEC.
So .. now can the ASA5510 offer this? if so... are there any special scripts or configs I need to give to the Cloud Hosting provider so they can setup the machine to work?
Please help!
-Jussy-
Solved! Go to Solution.
06-06-2012 06:30 AM
Two possibilities come to mind.
- L2tp over Ipsec from built in client.
ASA config guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
- Clientless webvpn (if has RDP and other plugins, but requires java/activeX for some functionalities..
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html
Those options should work unless ASA is in multi-conext mode.
M.
06-06-2012 06:30 AM
Two possibilities come to mind.
- L2tp over Ipsec from built in client.
ASA config guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
- Clientless webvpn (if has RDP and other plugins, but requires java/activeX for some functionalities..
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html
Those options should work unless ASA is in multi-conext mode.
M.
06-06-2012 06:32 AM
Hi Marcin
thanks heaps for the very prompt reply.
The clientless webvpn is not an option either. Can't install java or activex.
But ..
" L2tp over Ipsec from built in client."
So you can confirm that the built in Windows 7 VPN software -can- connect to an ASA5510 that's been setup with L2tp over Ipsec?
06-06-2012 06:43 AM
Yes, single context ASA can terminate L2TP over IPsec from any device (provided said device adheres to standards!)
There are a few known issues so it's always best to run latest maintenace release (or public interim) to avoid known bugs.
06-06-2012 06:50 AM
Thanks again Marcin. Much appreciated
The tech engineer said the following :-
Cisco ASA 5510. IOS version 8.3(2)
So i'm guessing that OS version is ok ?
I'm also assuming the windows 7 built in vpn client also adheres to the L2TP/IPSec standards
Cheers
I'll now use this discussion to see if their engineers can maybe get L2TP/IPSec installed
06-06-2012 06:55 AM
Heh, remember that while standards define the framework the actual implementations might change and/or break.
Very famously from windows XP to Vista/7 windows stopped supporting MD5 as hash algorithm. Which caused quite some problems because almost all previous configuration guides were referring to MD5 only.
Anyways if in trouble - open up a TAC case.
M.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide