12-16-2008 05:52 AM - edited 03-11-2019 07:26 AM
I need some help on Webvpn as I have never configured one on an ASA. I have an ASA 5510. It has around 8 IPSec tunnels already running on it. I want to configure Webvpn for some users of that company who may be using public PCs over the upcoming holidays to access a particular website in the corporate network. So I will be giving access to only that URL. Reason why I am not giving them access through Remote Access IPSec vPN is that some of them may use public PCs to access the site. Hence I have decided on Webvpn access to them. Please advise if that is right thing to do. Also, is there any problem if I configure Webvpn on that ASA even if there are around 8 L2L tunnels running on the device. Another thing I want to know is that do the Webvpn clients need any assignment of IP address form an IP Pool like IPSec RA clients. A brief descritpion will help. Any help is appreciated.
Solved! Go to Solution.
12-16-2008 10:29 PM
There are different flavours of SSL VPN:
Clientless (WebVPN)
Thin Client (WebVPN+port forwarding)
Thick (SSL VPN) Client
For the first two options no IP Pool needs to be defined. That is only required in the Thick/Full SSL VPN Client configuration.
SSL/IPSec VPNs can co-exist with each other without any issues.
This is a configuration example for Clientless:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Please rate if helpful.
Regards
Farrukh
12-18-2008 11:30 PM
Yes you can do that.Infact that how its done in most cases.
If you are using ASDM from outside then you will need to change ASDM port on ASA.
Syed Iftekhar Ahmed
12-16-2008 01:02 PM
Any help on this please....
12-16-2008 10:29 PM
There are different flavours of SSL VPN:
Clientless (WebVPN)
Thin Client (WebVPN+port forwarding)
Thick (SSL VPN) Client
For the first two options no IP Pool needs to be defined. That is only required in the Thick/Full SSL VPN Client configuration.
SSL/IPSec VPNs can co-exist with each other without any issues.
This is a configuration example for Clientless:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Please rate if helpful.
Regards
Farrukh
12-18-2008 01:17 PM
Thanks Farrukh. Just wanted a second opinion on what I am going to configure. Thanks for pitching in. Antoher query I have is that will it be ok to enable both IPSec and Webvpn on the outside interface of ASA? I have ISAKMP already enabled on the outside with around 8 IPsec tunnels in operation. And I have to enable Webvpn on the outside now. There will not be any problem right?
Thanks for your time devoted to my query.
12-18-2008 11:30 PM
Yes you can do that.Infact that how its done in most cases.
If you are using ASDM from outside then you will need to change ASDM port on ASA.
Syed Iftekhar Ahmed
12-19-2008 09:38 PM
Yes as Iftekhar said you can run both on the same interface without any issues. SSL VPNs use port 443 (SSL) whereas IPSEC VPNs use ESP/UDP500/4500.
However If you want to run ASDM (ASA GUI) and SSL VPNs on the outside interface, this causes a conflict, as both use port 443 by default. To make this work you need to change the port for either webvpn or ASDM, please look at this link:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807be2a1.shtml
Regards
Farrukh
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: