SA-540 SSLVPN Questions...


Recently I have been handed an SA-540 to replace our old 1811W for routing and security.  Currently we have everyone dialing in using Cisco VPN and the same person who gave me the device would like to use the One-Time Password from Verisign.  Now then, the interesting parts.  Many of our users are located at sites that have very locked down networks.  By default, all ports are closed and only those needed for VPN access are opened.  So,


1.  What ports are required to be open on the network to allow connection and traffic flow for the SSL VPN on the SA-540? Is the java app the only way for the SSL VPN to work on this device?


2.  Many of these users wish to be able to access the internet after connecting to the VPN by using our gateway.  I know that with most Cisco devices (like the ASA 5505) you can tell it not to split tunnel and set up global NAT.  Is it possible to achieve this on the SA-540?  At this point we're having everyone RDP into a local machine here, but that is slow and it causes their systems to essentially be dumb terminals.


Thank you in advance for the help... I have people breathing down my neck to get this in place, but I need to make sure my clients will still be able to operate before I pull the trigger.

biraja Thu, 03/18/2010 - 14:06

Hi Jason,


1.  What ports are required to be open on the network to allow connection and traffic flow for the SSL VPN on the SA-540? Is the java app the only way for the SSL VPN to work on this device?


>>>>> As of now, users have to download the SSL client from the SSLVPN portal (pops up when the user connects to the SA540 through a web browser using the sslvpn username/password) to connect to the device.


When you talked about ports, are you referring to the physical ports on SA540?


2.  Many of these users wish to be able to access the internet after connecting to the VPN by using our gateway.  I know that with most cisco devices (like the ASA 5505) you can tell it not to split tunnel and setup global NAT.  Is it possible to achieve this on the SA-540?  At this point we're having everyone RDP into a local machine here, but that is slow and it causes their systems to essentially be dumb terminals.


>>>>>> SA540 supports NAT and the SSL tunnel is not split.


Thanks,

Biraja

Biraja,


Thanks for responding!


1.  The users are on a completely locked down network.  All ports are blocked unless opened by request, so for example, port 80 is blocked and users can't get to the internet.  For the clients to be able to use Cisco VPN to connect to our 1811W, we asked them to open ports 500, 4500 and 10000.  So I'm referring to the ports on the client network, not the host.


I assume, then, that they would need port 443 or 80 to access the page to download the java app, but what other ports are required to make this work?  We need all listed in advance to send the request.


2.  Good to know!  Since I'm unfamiliar with this system, how do you set it up so that a client, once connected, would use the VPN connection for all network traffic (web browsing, etc)?


Thanks again!!

biraja Thu, 03/18/2010 - 15:29

Hi Jason,


For SSL VPN, 443 and 80 should be unblocked.


To set up for SSL VPN, you just need to do the following.

Connect to the SA540 through a web browser using https://192.168.75.1.

Go to Administration page, and under users tab on left side, you will find users link again.

Click on users link and add the SSL VPN users.

Select "SSL VPN User" for user type and "SSL VPN" for the Select Group field.


For clients to make a connection from their PC, they need to use the https://192.168.75.1 URL in their web browser and key in their sslvpn username/password.


Thanks,

Biraja

biraja Thu, 03/18/2010 - 18:12

Hi Jason,


Yes, in fact you just need port 443 to connect using the SSL VPN client.

The rest of the ports depend on what applications the clients access.


Once the SSL VPN connection is established, the clients should be able to access the devices connected to LAN ports.

We don't need any other setup for SSL VPN.


Thanks,

Biraja
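As an added example (not from this thread, and not Cisco's or the SA-540's own code), here is a small Python pre-check a SITE2 administrator could run from the locked-down LAN before the cut-over. It attempts a TCP handshake to the SA-540's WAN address on each port the SSL VPN needs (443 per the answer above, optionally 80 for the portal redirect) and returns the ones that are still blocked so they can go into the firewall request. The gateway address, the port list and the loopback self-test helpers are assumptions; the check covers TCP only, so it says nothing about the old IPsec client's UDP 500/4500.

```python
import socket
import threading
from typing import Dict, Iterable, List, Tuple

# Assumed WAN address of the SA-540 at SITE1 (TEST-NET placeholder, not a real host).
SA540_WAN = "203.0.113.10"
# Ports the thread says the SSL VPN needs from the client side: 443 (client tunnel),
# 80 is optional and only matters if users type the portal URL without https://.
SSLVPN_PORTS = [443, 80]


def check_tcp_reach(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.

    A filtered port at the SITE2 egress shows up as a timeout; a closed port
    as a refusal. Both count as "not reachable" for the purpose of the request.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def vpn_port_precheck(gateway: str, required: Iterable[int],
                      timeout: float = 3.0) -> Dict[str, object]:
    """Probe each required port and list the ones that still need opening."""
    status = {p: check_tcp_reach(gateway, p, timeout) for p in required}
    return {
        "gateway": gateway,
        "status": status,
        # Ports to put on the SITE2 firewall request, in ascending order.
        "to_request": sorted(p for p, ok in status.items() if not ok),
    }


# --- loopback helpers so the check can be exercised offline (assumed, test-only) ---

def loopback_listener() -> Tuple[int, socket.socket]:
    """Start a throwaway TCP listener on 127.0.0.1 and return (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def unused_port() -> int:
    """Return a loopback port that is (almost certainly) not listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real usage from SITE2: probe the SA-540 and print what to ask the firewall team for.
    result = vpn_port_precheck(SA540_WAN, SSLVPN_PORTS)
    for port, ok in result["status"].items():
        print(f"{SA540_WAN}:{port} -> {'reachable' if ok else 'BLOCKED'}")
    print("ports to request:", result["to_request"])
```

Run it on a SITE2 workstation rather than from SITE1: the point is to observe the client LAN's egress filter, and a result of `to_request: []` for 443 is the signal that the SSL VPN client can reach the SA-540 without any further firewall change.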

biraja Mon, 03/22/2010 - 15:06

Hi Jason,


443 or 80 are server ports.

When you say you block ports on the clients, you mean you can control which server ports your client can access from the clients?


If you want to control the traffic to and from the clients, better use the firewall rules on the SA500.


Thanks,

Biraja

Okay, perhaps we're speaking two different languages.  Lemme try again.


Our SA-540 is located at SITE1.  This is our corporate headquarters and where people with VPN access will connect to.  There are currently no ports blocked.


Some of our users are at another location, SITE2. This location has a Secure LAN with all ports blocked except for those requested to be opened.


Which ports do the people at SITE2 need opened on their secure LAN to be able to connect to SITE1 using the VPN?  This is both for the initial connection as well as all data transfer.  Example, for Cisco VPN client connecting to our old 1811W, the ports needed were 10000, 500 and 4500.


Second part.  Users at SITE2 do not have port 80 access for web browsing.  We would like to make it so that once connected to the VPN, all port 80/other Internet traffic will be sent through the gateway at SITE1.  How can this be achieved on the SA-540?


Thank you... hopefully that helps some!

biraja Wed, 03/24/2010 - 11:45

Hi Jason,


For the first question, it's hard to answer as the SSL Client can use any available TCP port on the PC.

I might be missing your point; would appreciate it if someone can answer your question.


For the second question, SSL port forwarding is the solution.

Please check the admin guide for the detailed explanation and the configuration.

http://www.cisco.com/en/US/products/ps9932/prod_maintenance_guides_list.html


Thanks and Regards,

Biraja

weilia (Cisco Employee) Wed, 03/24/2010 - 18:10

1) You only need to open port 443 for SSL VPN access.

2) Split tunneling is disabled by default, so all your traffic will go through the VPN to site 1; no extra config is required.
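To make the split-tunnel point concrete, here is an added Python model (not from this thread or from Cisco) of the client's routing table in both modes, evaluated against SITE2's egress policy. It does a longest-prefix-match lookup the way a host routing table does, then checks whether the packet that actually leaves the PC is one SITE2 permits. The addresses are assumptions: 192.168.75.0/24 is taken as the LAN behind the SA-540 (the thread uses 192.168.75.1 for the device), 10.20.0.0/24 is a constructed SITE2 LAN, and 203.0.113.10 is a TEST-NET placeholder for the SA-540's WAN address.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, egress interface)

VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")  # assumed SA-540 WAN address (placeholder)
VPN_PORT = 443                                       # the one port the thread says SITE2 must open
SITE1_LAN = ipaddress.ip_network("192.168.75.0/24")  # assumed LAN behind the SA-540
SITE2_LAN = ipaddress.ip_network("10.20.0.0/24")     # constructed locked-down client LAN

# SITE2 egress policy as described in the thread: everything blocked except what was
# requested, here only TCP 443 to the SA-540. Modelled as a set of (address, port) pairs.
SITE2_ALLOWED = {(VPN_GATEWAY, VPN_PORT)}


def client_routes(split_tunnel: bool) -> List[Route]:
    """Routing table the VPN client installs on a SITE2 PC in either mode."""
    routes: List[Route] = [
        (SITE2_LAN, "site2-lan"),
        # The tunnel endpoint itself must be reached outside the tunnel in both modes,
        # which is why SITE2 still needs 443 to the gateway even with full tunnelling.
        (ipaddress.ip_network(f"{VPN_GATEWAY}/32"), "site2-gw"),
        (SITE1_LAN, "vpn-tunnel"),
    ]
    default = ipaddress.ip_network("0.0.0.0/0")
    # Split tunnel: only corporate prefixes go through the VPN, everything else uses
    # SITE2's own gateway. Full tunnel (the SA-540 default per the answer above):
    # the default route points into the tunnel, so Internet traffic exits at SITE1.
    routes.append((default, "site2-gw" if split_tunnel else "vpn-tunnel"))
    return routes


def lookup(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, as a host routing table does it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unreachable"


def path_for(dst: str, port: int, split_tunnel: bool) -> str:
    """Where a TCP flow from a SITE2 PC to dst:port ends up.

    Returns one of: "local", "direct", "site1-gateway", "blocked-at-site2".
    """
    via = lookup(client_routes(split_tunnel), dst)
    if via == "site2-lan":
        return "local"
    if via == "vpn-tunnel":
        # Inside the tunnel the packet SITE2 sees is addressed to the gateway on 443.
        if (VPN_GATEWAY, VPN_PORT) in SITE2_ALLOWED:
            return "site1-gateway"
        return "blocked-at-site2"
    # Sent raw through SITE2's gateway: the SITE2 egress filter sees the real destination.
    if (ipaddress.ip_address(dst), port) in SITE2_ALLOWED:
        return "direct"
    return "blocked-at-site2"


if __name__ == "__main__":
    web = "198.51.100.7"  # constructed public web server
    for split in (True, False):
        print(f"split_tunnel={split}: web:80 -> {path_for(web, 80, split)}, "
              f"SITE1 RDP -> {path_for('192.168.75.20', 3389, split)}")
```

The two `web:80` results are the whole answer to the second question: with split tunnelling the browser's packet leaves through SITE2's gateway and is dropped there, whereas with the SA-540's full-tunnel default it is carried inside the 443 session to SITE1 and goes out through that site's gateway and NAT.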