ssl vpn

Ramy Estephan
Level 1

Dears,

We want to use Point Of Sale (POS) machine to connect to the public IP of the ASA through SSL port 443, and then ASA will have to forward the traffic to the Server on port 6000  which would be placed behind the ASA.

 

Server-----<<Intranet>>--------(ASA)-----<<Internet>>---------POS machine

                     Port 6000                                 port 443

Can this be done through port-forwarding?

Thanks

1 Reply

Jouni Forss
VIP Alumni

Hi,

I am not sure what this has to do with VPNs other than using the port TCP/443.

I assume your problem is that both the ASDM and SSL VPN on an ASA firewall use the port TCP/443?

If that is the problem then you could naturally change both the ASDM management port used and also the SSL VPN used port. Though in my opinion changing the SSL VPN port probably is a bit problematic as this needs to be taken into consideration by the user.

ASDM port can be changed with command

http server enable port <port>

The SSL VPN port can be changed with commands

webvpn
 port <port>

I am a bit rusty as I have not participated on these forums for some time now. The ASDM port change should not be a big problem for the admin, though it might cause confusion if you happen to forget that the default port was changed.

I am not completely sure about the implications of changing the default SSL VPN port. At least you will need to take into consideration the non-default port when connecting, as it will have to be added with the VPN device IP address when connecting.

If you are just looking for the configuration format of the Static PAT then it would be the following

Software version 8.2 and below

static (sourceint,destinationint) tcp interface 443 <internal host> 6000 netmask 255.255.255.255

Allow traffic to the "interface" IP address and into the port TCP/443

Software version 8.3 and above

object network POS-STATIC-PAT
 host <internal host>
 nat (sourceint,destinationint) static interface service tcp 6000 443

Allow the traffic to the "internal host" IP address and into the port TCP/6000

Hope this helps

- Jouni
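Added example, not part of the original thread or of Jouni's reply: the static PAT from the answer written out as a complete ASA configuration fragment for both syntax generations, together with the access-list and access-group lines the answer refers to (the ACL matches the mapped interface address and port 443 on 8.2 and below, but the real host address and port 6000 on 8.3 and above). The interface names `inside` and `outside`, the ACL name `OUTSIDE-IN`, the object names and the placeholder addresses are assumptions; replace them with your own. The source is limited to the POS machine's public address rather than `any`, and the ASDM listener is moved off 443 first, because the mapped port cannot be shared with a service the ASA itself is listening on.

```cisco
! --- Common to both versions: free TCP/443 on the outside interface ---
! ASDM (and SSL VPN, if enabled) must not listen on the port the static
! PAT is about to claim. 8443 is an assumed choice, not a Cisco default.
http server enable 8443
http <MGMT-NET> <MGMT-MASK> inside

! ======================= ASA 8.2 and below =======================
! Real host <INTERNAL-HOST> TCP/6000 is published as outside-interface-IP TCP/443.
static (inside,outside) tcp interface 443 <INTERNAL-HOST> 6000 netmask 255.255.255.255
! On 8.2 the inbound ACL is written against the MAPPED address and port.
! <POS-PUBLIC-IP> is a placeholder for the POS machine's public address;
! restricting the source here is the mitigation for exposing the service at all.
access-list OUTSIDE-IN extended permit tcp host <POS-PUBLIC-IP> interface outside eq 443
access-group OUTSIDE-IN in interface outside

! ======================= ASA 8.3 and above =======================
! Real host and the POS client as network objects.
object network POS-SERVER
 host <INTERNAL-HOST>
 ! real TCP/6000 <-> mapped outside-interface TCP/443
 nat (inside,outside) static interface service tcp 6000 443
object network POS-CLIENT
 host <POS-PUBLIC-IP>
! On 8.3+ the inbound ACL is written against the REAL address and port,
! so the rule permits port 6000 to the server object, not 443 to the interface.
access-list OUTSIDE-IN extended permit tcp object POS-CLIENT object POS-SERVER eq 6000
access-group OUTSIDE-IN in interface outside
```

To confirm the translation is installed, `show xlate` (8.2) or `show nat detail` (8.3+) lists the static entry, and `packet-tracer input outside tcp <POS-PUBLIC-IP> 40000 <OUTSIDE-IF-IP> 443` walks a simulated packet through the NAT and ACL phases and reports whether it would be allowed. If the result is a drop in the ACL phase on 8.3+, the most common cause is an access-list still written for the mapped port 443 instead of the real port 6000.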