Apr 29 2009 3:45PM GMT
Posted by: Raj Perumal
Tags: Cisco ASA, SSL VPN, RDP, #ssh, SSL VPN on the road, IPSEC VPN, SSL VPN licenses, Adaptive Security Appliance
So you have probably heard about SSL VPN by now if you are a network administrator. It is the ability to use SSL to make a VPN connection between you and your corporate network. SSL VPN has been around for a long time, but I still find that a lot of people haven’t embraced it up here in Winnipeg.
I still see customers using IPSEC VPN for the most part, and then when they are on the road travelling with their laptop they have issues connecting back to their corporate network because whichever Internet cafe or airport they are in is blocking the ports required to make the connection. Well, there is one port that you can pretty much guarantee will always be left open in an Internet cafe or other public access point, and that’s port 443, which is what SSL VPN uses.
With the Cisco ASA, you get 2 free licenses of SSL VPN. It is extremely easy to configure and offers many plugins for VNC, SSH, and even RDP. You basically launch a web browser, connect to your domain name, for example “ssl.yourdomainhere.com”, and then log in using your credentials, which can be authenticated either locally or even against Active Directory, and connect to your network. From there you are given a launch web page with a few options on what you would like to connect to. As the administrator you can pre-populate this web page with bookmarks to RDP to servers, or even to SSH into a server. You can even browse the web through the SSL VPN connection instead of your normal one, to get access to web sites you normally couldn’t reach from where you are.
If you own a Cisco ASA, I urge you to try out the SSL VPN functionality; if you like it, you can purchase extra licenses for all your users.
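The clientless setup described above, written out as an added example (this is not configuration from the post or from Cisco's documentation): it enables the SSL VPN portal on the outside interface, loads an RDP plug-in and a bookmark list, and attaches the bookmarks to a group policy. The interface name, file locations, the bookmark list name and the group policy name are placeholders.

```cisco
! Added example, not from the original post. Names and TFTP paths are placeholders.
!
! Enable the clientless SSL VPN portal on the outside interface (port 443 by default)
webvpn
 enable outside
 tunnel-group-list enable
!
! Load the RDP plug-in so the portal can launch RDP sessions in the browser
! (the plug-in file itself is obtained separately and staged on the TFTP server)
import webvpn plug-in protocol rdp tftp://192.0.2.10/rdp-plugin.jar
!
! Load a pre-built bookmark list (XML prepared in ASDM) so users see
! RDP and SSH shortcuts on the launch page instead of typing addresses
import webvpn url-list STAFF_BOOKMARKS tftp://192.0.2.10/staff-bookmarks.xml
!
! Attach the bookmark list to the group policy that SSL VPN users land in
group-policy SSLVPN_USERS internal
group-policy SSLVPN_USERS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value STAFF_BOOKMARKS
```

Two checks worth running once this is in place: `show vpn-sessiondb webvpn` lists the active clientless sessions (useful for confirming who is connected and for spotting logins you did not expect), and `show version` reports the SSL VPN peer count the licence allows, which is what caps you at the 2 included sessions until extra licenses are added.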
-RP
Apr 29 2009 3:07PM GMT
Posted by: Raj Perumal
Tags: Cisco ASA, implicit rules, outside interface outgoing, inside interface outgoing, outside access out, inside access out, common Cisco ASA issues, ASDM, Adaptive Security Appliance
Hi folks, as you know I’ve been doing a lot of work with the Cisco ASA firewall products lately and I wanted to address an issue I’ve seen a few administrators run into when setting up a new ASA.
Often when you set up an ASA you are not just setting up inside-to-outside access; you might also want to set some incoming rules for some of your servers, such as web servers or mail servers. The problem I see administrators run into is that after they set up these rules they still can’t get access to the servers from the outside world.
If you take a look at the rules closely, at first glance it seems like everything was configured OK and everything should be working. What I’ve found in these situations is that someone specified an inside interface outgoing rule, or an outside interface outgoing rule. By doing that you’re explicitly allowing only the traffic that one rule matches, and the implicit deny-all at the end of the list automatically drops everything else, including the traffic for the server you just opened up. In order to fix this, create a specific rule for the device to allow it out, or just remove all the outgoing rules altogether, and then the Cisco ASA will allow it by default. Which way you choose will depend on how you want to secure your network, of course. Hope this helps!
-Cheers, RP
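The situation from this post in ASA CLI form, as an added example that is not from the original post: an inbound rule on the outside interface that correctly permits web traffic to a server, an outgoing access list on the inside interface that only lists one host (the mistake), and the two fixes the post describes. Interface names, access-list names and addresses are placeholders, and the example assumes the server's address as the ASA sees it in the access lists is 192.168.1.10.

```cisco
! Added example, not from the original post. Addresses and names are placeholders.
!
! The inbound rule the administrator did configure: outside world -> web server
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq www
access-group OUTSIDE_IN in interface outside
!
! The mistake: an outgoing access list bound to the inside interface that
! permits a single host. As soon as any list is bound in this direction,
! every packet leaving through "inside" that does not match a permit line is
! dropped by the implicit deny, so the web server's inbound traffic never
! reaches it even though OUTSIDE_IN allowed it.
access-list INSIDE_OUT extended permit ip host 192.168.1.50 any
access-group INSIDE_OUT out interface inside
!
! Fix 1 (keeps the tighter posture): add a specific permit for the server
access-list INSIDE_OUT extended permit tcp any host 192.168.1.10 eq www
!
! Fix 2 (the post's alternative): remove the outgoing list altogether, so the
! ASA falls back to its default behaviour for traffic leaving this interface
no access-group INSIDE_OUT out interface inside
```

To confirm which access list is actually dropping the packets before changing anything, the built-in `packet-tracer` command walks a simulated packet through the ASA's rule processing and names the phase and access list that denied it, for example `packet-tracer input outside tcp 198.51.100.5 40000 192.168.1.10 80` (source address and port are constructed values). `show access-list INSIDE_OUT` then shows hit counts per line, and a rising count on the implicit deny line is the tell-tale sign of the problem described in the post.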