Cisco Newbie - Getting An ASA 5505

Unanswered Question
May 11th, 2007

Hello all. Monday I am expecting delivery of a 5505 (unlimited internal users, 10 IPSEC VPN licenses, 2 SSL VPN licenses). This device will replace our current Symantec 200R Firewall/VPN appliance (we have found multiple models of these to be very flaky with regard to internet access, hence our purchase of the Cisco 5505).

We have about a dozen Windows Mobile PDA users who MS-Active-Sync to our internal Exchange server via SSL (specifically RPC over HTTP(S)). On the Symantec, we simply opened port 443, and mapped it to our LAN Exchange IPA. Windows Mobile PDAs come right in and get directed to the Exchange server to sync.

In reading documentation about the 5505, it seems that this type of remote access is considered an SSL VPN type. If so, this is a problem because we only purchased the 2 SSL VPN bundle.

Will I be able to open 443 on the 5505 to pass traffic to my Exchange svr just as I am doing now with my Symantec? Thank you.

Jon Marshall Fri, 05/11/2007 - 09:16

Hi Jason

If all you did on your old firewall was open port 443 then you can just do this on the ASA. Yes, you can do SSL VPNs on the ASA but you can also just use it as a normal firewall and just open the relevant port.

HTH

Jon

Richard Burts Fri, 05/11/2007 - 09:55

Jason

I believe that Jon is quite correct in his answer. The SSL limit of 2 would be an issue if the users put the address of the ASA as the destination. But if their destination is the address of the internal server, then opening port 443 should work just fine.

HTH

Rick

jasonalden Fri, 05/11/2007 - 11:16

Thank you Jon and Rick.

Rick, now I'm really concerned.

For example, remote Windows Mobile PDA as well as Outlook clients (RPC over HTTPS) are pointing to https://ourdomain.com. Ourdomain.com is resolved to OurIPAddress. OurIPAddress is going to be the public address of the 5505 just as it currently is for our Symantec 200R firewall/VPN.

So my concern is when remote users come to https://ourdomain.com, where traffic currently passes through our Symantec and is directed to the Exchange server, with the 5505 it will access the 5505's SSL VPN interface, which is definitely NOT what we want.

If this is what is going to happen, I have to figure out some sort of work-around, if even possible?

Thank you.

Richard Burts Fri, 05/11/2007 - 11:37

Jason

I do not think that you need to worry about this. And in retrospect perhaps I should have phrased my response a bit differently: if PDA user sessions terminate on the ASA then the SSL limit of 2 would become an issue (instead of saying if users put the ASA destination address). If you configure the ASA similar to what the Symantec did (open the port and translate traffic to that port to go to the Exchange server) then the SSL traffic should terminate on the Exchange server not on the ASA and the limit on the ASA will not impact you.

HTH

Rick
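Added example, not part of the thread or of any poster's configuration: a small check that reads an ASA configuration and reports where HTTPS arriving on the outside interface terminates, which is the distinction the replies above turn on. It assumes the pre-8.3 `static` PAT syntax (the thread does not state a software version), uses the placeholder address 192.168.1.10 for the Exchange server, and looks only at the translation and the `webvpn` block, not at the access list.

```python
import re

# Constructed sample configs (pre-8.3 ASA syntax assumed).
# 192.168.1.10 is a placeholder for the internal Exchange server.
FORWARD_ONLY = """\
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq https
access-group outside_in in interface outside
"""
VPN_ON_OUTSIDE = "webvpn\n enable outside\n"

HTTPS = {"https", "443"}
# static (real_if,mapped_if) tcp <mapped_ip> <mapped_port> <real_ip> <real_port>
STATIC_PAT = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)")

def https_forward(config, iface="outside"):
    """Return the inside host that TCP/443 on iface is translated to, or None."""
    for line in config.splitlines():
        m = STATIC_PAT.match(line)
        if m and m.group(2) == iface and m.group(4) in HTTPS:
            return m.group(5)
    return None

def webvpn_enabled(config, iface="outside"):
    """True if 'enable <iface>' appears inside the top-level webvpn block."""
    in_webvpn = False
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level command
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn and line.split() == ["enable", iface]:
            return True
    return False

def tls_termination(config, iface="outside"):
    """Say where HTTPS arriving on iface ends up."""
    host = https_forward(config, iface)
    vpn = webvpn_enabled(config, iface)
    if host and vpn:
        return "overlap: port forward and SSL VPN both configured on TCP/443"
    if vpn:
        return "ASA (sessions count against the SSL VPN licence)"
    if host:
        return "forwarded to " + host
    return "closed"
```

Run against the firewall's saved configuration before cutover: only the "forwarded to" result matches what the Symantec appliance was doing.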
