SA 540 Questions and Help Needed

Unanswered Question
Oct 5th, 2009

I've got 2 SA 540's.  Site to site setup was a breeze, but i've still got issues.  I'm disappointed by the fact the the ipsec vpn doesn't appear to support the cisco client, and thus the iphone (no place to put a security group name).  So I've got some questions if anybody knows the answers:

1.  How do i use a second public ip address for ssl and ipsec vpn traffic?  My first ip address is being used for nat and port forwarding to servers and i don't want to change this, because i'll have to make dns changes that could potentially affect mail flow.  my secondary public ip addresses are neither on the same subnet nor do they have the same gateway as my primary public ip addresses.

2.  Is support for the traditional ipsec cisco vpn client (same one used in iphone) on the roadmap?  If not, is some sort of iphone solution on the roadmap?

3.  Is there any way to telnet into the device for CLI like capabilities?  The Administration guide seems to indicate that there is, but I can't get into the SA 540with telnet, telnet/s, or ssh.

4.  Is supporting spaces and other characters like periods in user names for users on the roadmap?  I am currently having to use a replacement setting for user-id on my radius servers that changes email address into full usernames.  usernames on this network have spaces and periods.  i can't use email address to logon because the radius servers automatically prepend the domain\ to the user id and i can't figure out how to get that out.  this might also potentially solve the issue.

thanks in advance for any help.

oh, and i've got a list of xbox ports if anyone needs them.  it's longer than what most sites lead you to believe.  i was able to go from strict to open on a 1760.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jamccord Mon, 10/05/2009 - 14:41

1.  I will be putting this scenario in the lab to test.

2.  At the present time, there will be no support for the Cisco vpn client.

3.  I will also further test the CLI capabilities in the lab.

4.  I will look into this issue and get the appropriate answer.

Regards,

Jason

beowulfs Sat, 10/17/2009 - 08:32

I've got an extra public ip address to play around with on the optional port for both ends, but do you or anyone have any more info?  thanks.

jamccord Mon, 10/19/2009 - 06:47

In regards to point 3 of your earlier post, there is no CLI support for the SA series routers.  The documentation is in error and correction to the documentation has been submitted.

Could you please be more specific as to what you need assistance with regarding the optional port?  What end result are you wanting to obtain?

Regards,

Jason

beowulfs Mon, 10/19/2009 - 07:50

1.  I've got two public ip address, different subnets.  How do I use the second one for SSLVPN and QUICKVPN.  The first is dedicated to a NAT and a whole lot of PAT including ssl, that i can't break.

2.  Since traditional ipsec group vpn is not going to be supported, is some kind of iPhone vpn support on the roadmap?

3.  You answered.  Documentation is wrong.  Thank you.

4.  Is supporting spaces and other characters like periods on the roadmap for usernames.  My Domain users have spaces and periods in their names.  I did it on purpose to make it harder to hack.

5. New question.  How do I support more than one subnet for protected VPN traffic across a site to site tunnel and for clients, i.e. multi-site/subnet protected traffic?

These are all things I can do with a router or an ASA, but I wanted to give the SA540 a try so I could pitch to clients.

Thanks.

Steven Smith Wed, 10/28/2009 - 15:30

For #1, there are some known issues about this problem.  I can't say when it will be implemented fully yet.  But it will be soon.

#2, we don't discuss roadmaps.  I don't know of any iPhone VPN software coming for this product currently, but if I can find out something more that I can share, I will let you know.

#4 Yes for spaces, I will check on other characters as well.

#5 is possible.  I don't have a box in front of me right now, but you don't do it in the wizard.  I believe you do it in VPN Policies or IKE policies.  I will look at my box tomorrow and tell you how.

guzuti560 Sun, 02/21/2010 - 12:30

Hi

i would be interessted in the iPhone VPN support too, if there is a possibility.

Thank you  Mario

Steven Smith Mon, 02/22/2010 - 08:12

We can't really discuss the roadmap, but I will pass the feedback along.

massimiliano.porta Thu, 07/29/2010 - 07:04

Hi, could you be able to verify #5 in site-to-site ispsec vpn connections?

I really can not find where to say to protect other remote networks (current issue with SA540: ASA5505 remote vpn users are not being able to reach the SA540 local network).

Thank you,

Massimiliano Porta

juliomar Tue, 09/21/2010 - 09:34

Hi Massimiliano,

As a follow up to question #5 above, dealing with SA 500 series connecting to multiple remote subnets...

There is a way to associate multiple LAN subnets to a single IKE Policy.  Please see the following post on the Cisco Small Business Security Community.

https://supportforums.cisco.com/message/3181708#3181708

Let me know if this is similar scenario you face, or if not, can you elaborate more on your network topology.

Hope that helps you out.

Best regards,

Julio Martinez

Steven Smith Wed, 11/11/2009 - 07:35

There is a fix for the one to one NAT issue.  Please contact TAC and get the beta firmware.  Please let me know how it works with IP's on different subnets, I haven't tested that myself and am interested to see how it works.

Also, since your IP's are one different subnets, are you using 1 wan port?  Do you have 2 different gateways?  What type of connection is this?

beowulfs Wed, 11/11/2009 - 08:45

Opening a case now.  I've got a single cable modem.  I can put a switch behind it and split it if need be.  In fact I had been doing that, but I've integrated everything back into the SA540 for traffic shaping.  I've still got the different subnets on one end, but on the other end, my cable company is consolidating ip address ranges and i've asked for 3 contiguous ip addresses for it.  however, they haven't finished routing it yet, so i still have 3 ip's on 3 subnets there.

case is open.  i'll pm the number.