Configuration of Webvpn

Answered Question
Dec 16th, 2008

I need some help on Webvpn as I have never configured one on an ASA. I have an ASA 5510. It has around 8 IPSec tunnels already running on it. I want to configure Webvpn for some users of that company who may be using public PCs over the upcoming holidays to access a particular website in the corporate network. So I will be giving access to only that URL. The reason why I am not giving them access through Remote Access IPSec VPN is that some of them may use public PCs to access the site. Hence I have decided on Webvpn access for them. Please advise if that is the right thing to do. Also, is there any problem if I configure Webvpn on that ASA even if there are around 8 L2L tunnels running on the device? Another thing I want to know is whether the Webvpn clients need any assignment of an IP address from an IP pool like IPSec RA clients. A brief description will help. Any help is appreciated.

Overall Rating: 5 (2 ratings)
Correct Answer
Farrukh Haroon Tue, 12/16/2008 - 22:29

There are different flavours of SSL VPN:


Clientless (WebVPN)

Thin Client (WebVPN+port forwarding)

Thick (SSL VPN) Client


For the first two options no IP Pool needs to be defined. That is only required in the Thick/Full SSL VPN Client configuration.


SSL/IPSec VPNs can co-exist with each other without any issues.


This is a configuration example for Clientless:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml


Please rate if helpful.


Regards


Farrukh




rkalia1 Thu, 12/18/2008 - 13:17

Thanks Farrukh. Just wanted a second opinion on what I am going to configure. Thanks for pitching in. Another query I have is: will it be ok to enable both IPSec and Webvpn on the outside interface of the ASA? I have ISAKMP already enabled on the outside with around 8 IPsec tunnels in operation. And I have to enable Webvpn on the outside now. There will not be any problem, right?

Thanks for your time devoted to my query.

Correct Answer
Syed Iftekhar Ahmed Thu, 12/18/2008 - 23:30

Yes, you can do that. In fact, that's how it's done in most cases.


If you are using ASDM from outside then you will need to change the ASDM port on the ASA.



Syed Iftekhar Ahmed

Farrukh Haroon Fri, 12/19/2008 - 21:38

Yes, as Iftekhar said, you can run both on the same interface without any issues. SSL VPNs use port 443 (SSL) whereas IPSEC VPNs use ESP/UDP500/4500.


However, if you want to run ASDM (ASA GUI) and SSL VPNs on the outside interface, this causes a conflict, as both use port 443 by default. To make this work you need to change the port for either webvpn or ASDM. Please look at this link:


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807be2a1.shtml


Regards


Farrukh
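
An added example, not part of the thread or of Cisco's documentation: a Python check that reads ASA configuration text and reports the interfaces where ASDM (`http server enable`) and WebVPN (`enable <interface>` under the global `webvpn` block) listen on the same port, which is the conflict described above. The function names and the sample configuration are constructed for illustration.

```python
import re

def parse_asa(config):
    """Return (asdm, webvpn) listener settings found in ASA configuration text."""
    asdm = {"enabled": False, "port": 443, "ifaces": set()}
    webvpn = {"port": 443, "ifaces": set()}   # 443 is the default for both
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command; an indented "webvpn" under group-policy never gets here.
            in_webvpn = line == "webvpn"
            m = re.fullmatch(r"http server enable(?: (\d+))?", line)
            if m:
                asdm["enabled"], asdm["port"] = True, int(m.group(1) or 443)
            m = re.fullmatch(r"http (?!server )\S+ \S+ (\S+)", line)
            if m:
                asdm["ifaces"].add(m.group(1))   # http <ip> <mask> <interface>
        elif in_webvpn:
            m = re.fullmatch(r"enable (\S+)", line)
            if m:
                webvpn["ifaces"].add(m.group(1))
            m = re.fullmatch(r"port (\d+)", line)
            if m:
                webvpn["port"] = int(m.group(1))
    return asdm, webvpn

def port_conflicts(config):
    """Interfaces where ASDM and WebVPN are both enabled on the same TCP port."""
    asdm, webvpn = parse_asa(config)
    if not asdm["enabled"] or asdm["port"] != webvpn["port"]:
        return []
    return sorted(asdm["ifaces"] & webvpn["ifaces"])

# Constructed sample configuration, not taken from the thread.
CONFLICT = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
crypto isakmp enable outside
webvpn
 enable outside
group-policy WebOnly attributes
 webvpn
  url-list value Intranet
"""
FIXED = CONFLICT.replace("http server enable", "http server enable 8443")
```

`port_conflicts(CONFLICT)` reports the `outside` interface, and moving ASDM to another port, as in `FIXED`, clears it.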
