Hello all. Monday I am expecting delivery of a 5505 (unlimited internal users, 10 IPSEC VPN licenses, 2 SSL VPN licenses). This device will replace our current Symantec 200R Firewall/VPN appliance (which we have found multiple models of these to be very flaky with regards to internet access, hence our purchase of the Cisco 5505).
We have about a dozen Windows Mobile PDA users who MS-Active-Sync to our internal Exchange server via SSL (specifically RPC over HTTP(S)). On the Symantec, we simply opened port 443, and mapped it to our LAN Exchange IPA. Windows Mobile PDAs come right in and get directed to the Exchange server to sync.
In reading documentation about the 5505, it seems that this type of remote access is considered a SSL VPN type. If so this is a problem because we only purchased the 2 SSL VPN bundle.
Will I be able to open 443 on the 5505 to pass traffic to my Exchange svr just as I am doing now with my Symantec? Thank you.
If all you did on your old firewall was open port 443 then you can just do this on the ASA. Yes you can do SSL VPNs on the ASA but you can also just use it as a normal firewall and just open the relevant port.
I believe that Jon is quite correct in his answer. The SSL limit of 2 would be an issue if the users put the address of the ASA as the destination. But if their destination is the address of the internal server, then opening port 443 should work just fine.
For example, remote Windows Mobile PDA as well as Outlook clients (RPC over HTTPS) are pointing to https://ourdomain.com. Ourdomain.com is resolved to OurIPAddress. OurIPAddress is going to be the public address of the 5505 just as it currently is for our Symantec 200R firewall/VPN.
So my concern is when remote users come to https://ourdomain.com, where traffic currently passes through our Symantec and is directed to the Exchange server, with the 5505 it will access the 5505's SSL VPN interface, which is definitely NOT what we want.
If this is what is going to happen, I have to figure out some sort of work-around, if that is even possible.
I do not think that you need to worry about this. And in retrospect perhaps I should have phrased my response a bit differently: if the PDA user sessions terminate on the ASA then the SSL limit of 2 would become an issue (instead of saying if users put the ASA destination address). If you configure the ASA similar to what the Symantec did (open the port and translate traffic to that port to go to the Exchange server) then the SSL traffic should terminate on the Exchange server, not on the ASA, and the limit on the ASA will not impact you.
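The port-forward approach described in the thread, as an added example configuration (not posted by anyone in the thread): static PAT of TCP/443 on the ASA's outside interface to the internal Exchange server, plus the one caveat that makes the difference between "terminates on Exchange" and "terminates on the ASA". It assumes interfaces named `inside`/`outside`, a constructed Exchange address of 192.168.1.10, and ASA 8.2-era NAT syntax, with the 8.3+ equivalent shown in comments.

```cisco
! Added example (not from any poster): static PAT so inbound TCP/443 on the
! outside interface is forwarded to the internal Exchange server.
! Assumptions: interfaces "inside"/"outside", Exchange at 192.168.1.10
! (constructed address), ASA 8.2-style NAT syntax; 8.3+ equivalent at the end.

! Forward TCP/443 arriving on the outside interface address to Exchange.
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255

! Permit the inbound traffic. On pre-8.3 code the ACL matches the
! translated (public) address, i.e. the outside interface itself.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 443
access-group OUTSIDE_IN in interface outside

! Caveat: if the SSL VPN (webvpn) is enabled on the outside interface, the
! ASA itself listens on TCP/443 there and the static PAT above conflicts
! with it; sessions would then terminate on the ASA and count against the
! 2-user SSL VPN limit. Either leave webvpn disabled on outside, or move
! the VPN listener to another port so 443 stays free for Exchange:
webvpn
 port 8443
 enable outside
! The same applies to ASDM/HTTPS management on the outside interface:
! keep "http server enable" on a port other than 443, or off outside.

! ASA 8.3 and later: object NAT replaces the "static" line above, and the
! ACL references the real (inside) address instead of the interface.
! object network EXCHANGE_443
!  host 192.168.1.10
!  nat (inside,outside) static interface service tcp 443 443
! access-list OUTSIDE_IN extended permit tcp any object EXCHANGE_443 eq 443
```

After applying it, `show xlate` on the ASA should show the 443 translation and `show webvpn` (if enabled) should show the listener on the alternate port, confirming that client TLS sessions are terminating on Exchange rather than on the firewall.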