Can our ASA 5510 provide VPN to our cloud LAN?

Answered Question
Jun 6th, 2012

Hi folks,

We've got a number of servers (7 or so virtual, 1 dedicated) hosted at a well known cloud provider out of the West Coast of USA.

They just put an ASA5510 in front of our server LAN to help protect the servers.

I was wondering if it is possible that the ASA5510 can provide VPN access to our cloud LAN? Right now we have the firewall block -all- ports except 80/443/3389 (RDP for our Windows Servers).

I was hoping to actually block port 3389 so no one can RDP to any servers. BUT .. VPN into our cloud LAN and then we can connect to any of the servers via RDP or any software / port. In effect, the VPN opens all the ports .. provided you've created a VPN tunnel.

So can this be done? Does the ASA5510 offer this?

Last question -> and this is a massive one :gulp: ..

We can't install any 3rd party client software .. including any Cisco VPN client software. We need to use the built-in Windows 7 VPN software .. which does PPTP/SSTP/L2TP-IPsec.

So .. now can the ASA5510 offer this? If so... are there any special scripts or configs I need to give to the Cloud Hosting provider so they can set up the machine to work?

Please help!

-Jussy-

Correct Answer
Marcin Latosiewicz Wed, 06/06/2012 - 06:30

Two possibilities come to mind.

- L2TP over IPsec from built-in client.

ASA config guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

- Clientless WebVPN (it has RDP and other plugins, but requires Java/ActiveX for some functionalities).

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html

Those options should work unless the ASA is in multi-context mode.

M.

ILoveTurtles Wed, 06/06/2012 - 06:32

Hi Marcin

Thanks heaps for the very prompt reply.

The clientless webvpn is not an option either. Can't install java or activex.

But ..

"L2TP over IPsec from built-in client."

So you can confirm that the built-in Windows 7 VPN software -can- connect to an ASA5510 that's been set up with L2TP over IPsec?

Marcin Latosiewicz Wed, 06/06/2012 - 06:43

Yes, a single-context ASA can terminate L2TP over IPsec from any device (provided said device adheres to standards!)

There are a few known issues, so it's always best to run the latest maintenance release (or public interim) to avoid known bugs.

ILoveTurtles Wed, 06/06/2012 - 06:50

Thanks again Marcin. Much appreciated.

The tech engineer said the following :-

Cisco ASA 5510. IOS version 8.3(2)

So I'm guessing that OS version is ok?

I'm also assuming the Windows 7 built-in VPN client also adheres to the L2TP/IPsec standards.

Cheers

I'll now use this discussion to see if their engineers can maybe get L2TP/IPSec installed

Marcin Latosiewicz Wed, 06/06/2012 - 06:55

Heh, remember that while standards define the framework, the actual implementations might change and/or break.

Very famously, from Windows XP to Vista/7, Windows stopped supporting MD5 as a hash algorithm. Which caused quite some problems because almost all previous configuration guides were referring to MD5 only.

Anyways if in trouble - open up a TAC case.

M.
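The MD5 caveat above can be checked against whatever crypto configuration the hosting provider sends back. This is an added example, not part of the thread or of Cisco's documentation: a Python check that reads ASA-style crypto lines and flags ISAKMP policies and transform sets that use MD5, plus transform sets not switched to transport mode (the IPsec mode L2TP/IPsec uses). The sample config, the names OLD-GUIDE, WIN7 and TUNNEL-ONLY, and the function `audit_l2tp_crypto` are constructed for illustration.

```python
import re

# Constructed sample in ASA 8.x CLI style; not a config from the thread.
SAMPLE = """\
crypto ipsec transform-set OLD-GUIDE esp-3des esp-md5-hmac
crypto ipsec transform-set OLD-GUIDE mode transport
crypto ipsec transform-set WIN7 esp-3des esp-sha-hmac
crypto ipsec transform-set WIN7 mode transport
crypto ipsec transform-set TUNNEL-ONLY esp-aes esp-sha-hmac
crypto isakmp policy 10
 encryption 3des
 hash md5
crypto isakmp policy 20
 encryption 3des
 hash sha
"""

def audit_l2tp_crypto(config):
    """Return sorted (object, issue) findings for an L2TP/IPsec setup."""
    transforms, transport, findings = {}, set(), set()
    policy = None  # ISAKMP policy whose indented sub-commands we are reading
    for line in config.splitlines():
        if not line.startswith(" "):
            policy = None  # any top-level command ends the policy block
        ts = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        pol = re.match(r"crypto isakmp policy (\d+)", line)
        if ts and ts.group(2).strip() == "mode transport":
            transport.add(ts.group(1))
        elif ts:
            transforms.setdefault(ts.group(1), set()).update(ts.group(2).split())
        elif pol:
            policy = pol.group(1)
        elif policy and line.split() == ["hash", "md5"]:
            findings.add((f"isakmp policy {policy}", "md5 hash"))
    for name, words in transforms.items():
        if "esp-md5-hmac" in words:
            findings.add((f"transform-set {name}", "md5 hash"))
        if name not in transport:
            findings.add((f"transform-set {name}", "not transport mode"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, issue in audit_l2tp_crypto(SAMPLE):
        print(f"{obj}: {issue}")
```

A flagged MD5 policy only matters if no SHA-based policy or transform set is also offered, so read the findings alongside the objects that pass.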

This Discussion

Posted June 6, 2012 at 5:54 AM